samba-winbind-libs-4.15.13+git.663.9c654e06cdb-150400.3.28.1 >  A dTp9|D5&;_sjrerCŸ2pĆB)=qm] ?_- ;S+PWnie_vYϼV%aW3 Y{FW9pk"m<Ր_BD`us4䵡 qlIv߹/P ESH}QHF\cvW6yǢ(TRzgSp%LRUeT`HXfg!Mp!:~^K7 5`>p@i|?ild1 ? X 1HNT$$ ,$ t$ $  h$  $ $ $  $L[$[ [(!#8!, 9%\ :74 >N@NFNGN$HOH$IO$XOYP\Px$]Q$^SbScThdTeTfTlTuU$vUwa$xa$yb<zi ii i&ihCsamba-winbind-libs4.15.13+git.663.9c654e06cdb150400.3.28.1Winbind Daemon librariesThis package contains the libraries required by the Winbind daemon.dSs390zp36 SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Development/Libraries/C and C++https://www.samba.org/linuxs390xȀ7pȈGW'WW''x'7Ghhh u 6L. LkAAA큤dSanopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- secure channel faulty since Windows 10/11 update 07/2023; (bso#15418); (bsc#1213384).- CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174). - CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173). - CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172). - CVE-2023-34968: Spotlight server-side Share Path Disclosure; (bso#15388); (bsc#1213171).- CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext; (bso#15315); (bsc#1209481). - CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users; (bso#15276); (bsc#1209483). - CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bso#15270); (bsc#1209485).- Prevent use after free of messaging_ctdb_fde_ev structs; (bso#15293); (bsc#1207416).- CVE-2022-38023 Additional patches for the PDC role's netlogon server; (bso#15240); (bsc#1206504);- CVE-2021-20251: samba: Bad password count not incremented atomically; (bso#14611); (bsc#1206546).- Update to 4.15.13 * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); (bsc#1205385); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); (bsc#1205386); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); (bsc#1206504); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exists- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./sbin/ldconfig/sbin/ldconfigs390zp36 1689670550  !"#$4.15.13+git.663.9c654e06cdb-150400.3.28.14.15.13+git.663.9c654e06cdb-150400.3.28.1pam_winbind.solibnss_winbind.so.2idmapad.soautorid.sohash.soldap.sorfc2307.sorid.soscript.sotdb2.sokrb5async_dns_krb5_locator.sowinbind_krb5_localauth.sowinbind_krb5_locator.solibidmap-samba4.solibnss-info-samba4.sonss_infohash.sorfc2307.sosfu.sosfu20.sopam_winbind.conf.5.gzidmap_ad.8.gzidmap_autorid.8.gzidmap_hash.8.gzidmap_ldap.8.gzidmap_nss.8.gzidmap_rfc2307.8.gzidmap_rid.8.gzidmap_script.8.gzidmap_tdb.8.gzidmap_tdb2.8.gzpam_winbind.8.gzwinbind_krb5_localauth.8.gzwinbind_krb5_locator.8.gz/lib64/security//usr/lib64//usr/lib64/samba//usr/lib64/samba/idmap//usr/lib64/samba/krb5//usr/lib64/samba/nss_info//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:29824/SUSE_SLE-15-SP4_Update/a9db2263b02f371b06d10263f4402190-samba.SUSE_SLE-15-SP4_Updatecpioxz5s390x-suse-linux  ELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=744c6881de0deb97e847c088cff70d0876130b14, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=bf946bc91cfe55269f5ccfe9c500154fd2b58ae6, strippeddirectoryELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=db081a3bc08cdccf909056529586a726df6e9f1f, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=408b2277cb2a94250ba96ebd0b83528b52bd0809, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=3943fdc45d6729f06be6bf717956efbaf4577868, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=785f85efbacba8cef047b0bb49e7e0d5fbae0696, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=b2e5b0a2e8aefbf4440f0502b53447aa63ca4de6, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=6d936b7942b923fe6d8303529490bccffc516189, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=fd382d8c49cdf37a57d697547b073dbef9889aec, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=5b6ce119b0f29e7d065f2a4f4ff14e5dd3fe9783, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=b2fb9b0bb5c6689ee42e0c2ee87998b1f41c8e30, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=cbee9f0c0688a612e5bea817acf3121327d6a96e, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=be6384b3a83006b205ff73a509142a184bb53c3e, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=f327c07d74a1593ebfd62638687b6662e3020fb9, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=5d94ce48e22bc5c361721f0b1fd82cc4e70585c3, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=040dd8c0ebba59812e2a1700b33832fcf7021cab, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=dbdf46ed82ee8be499c561e4746de541dc22dfd9, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=556c93f227d54411ada60512ecb990176b5a54d7, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=9e04130390c656edce1a77f01f83a1eea0bd00e0, strippedtroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)troff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)Ll/@Wv 3   !RDR'R#R"RRRSRQR R R R R&RPR!RCRPPR'RUR R RTR&RRHR1R5R3RR+R=R R)R-R'RRRR R R R R%RLRJRMRKRRR7RDRRRRR2RR4RR6R&R*RR:R(RR]ӞXui*Qυ3/ETn>-GN32ij~g2 *IK3 %TtE>ASF`_# /j Q$^R`T#TMe62ъ&.IkK4,%+1XR/זjܗ]Ed v&]c/iqjRI׹-s?+Yu/mkP0Rfc @P- V@>A8λwp;5Eu6)Q\kʉO1blZ|"ӠB't,QHΥΤXuVy?b'ƴNCңDXS$"ڎIg*@gYV,`"Ig?*T==YPHġ[>#D64.-a"v(C^|nOc5]շR&Ow*o܂vOۃWȒ՜!ؓK2⿄cVۛ²iV'U{!i3G8fj< RȿC4HoԳ9Yz0{uY$3;3qfݻ\4FG s'^T8ר Zh+4<\˜D`E "zդ/R԰sHcÝ>qa>!SMI4I_ú˫?Z B&Rqi5mYMY756ԧp@>m g}qZd2)'6cа Ƌ(qt_64[zQ hx8?ϊחoR|)Cڶ\.YC`x澉S|y|?"+0 FQmߠ~ڀ=d"$P[ҡ4eqIYRuf,ʚd9e49!T#6z ˆRf2:J}UsOvs"L/ntuL#\,q+ zʍk`nئc%ia1rD]hfm:&>{:ZPY3Z |DL2&uH;0jݳ342M9G6mm~s%dV!#K 14{~gm*XF D+F$>8+ 88RcGiIW4`Z1rq`hr󨣅HD3y-1ꗇ{uګ$,To ?"f b =RJJfIfk 4*j4Lr>$b=4ۀ'T[{ΈcdCcJ/;wZz(2_QMA+rCƚvAFdYeF2]9TAy$HjT\ADƉ`06$+/OTӔB 8+(u?m}-=:0tAS16ł٫%U"X ``@lXX[B@z]/*wZ-DY F0Kڑ$@,`Vz%Jc9S:n|P\9鎚)y/O%MG9WZ:¹ibE C;W{[}<) <22Xr6X(7b=Kc$ Z>7R`Of",}R5Tn1 _tGzR{|%:r1RfT@\B Ph*+V]evT#0ŽX92'"Su#;(3ͼ/"Mi"kPAR bӘ,w}y.E9ZkѦ=2>U?1Er(7qT-!kKQto?ԛN a٥cXMqwOd!wL_eceK 4% rsvF CѬ3 (,Ǵ6<( @Q9w~yaf%E('v5@|~ NѣCxG+ ĶR}vZ*thNYZéϺ3|Fa̷F,y4{Sb-;kXsMx ˇ&mWlvjDco ]kvii`0#u܆1ۥX}0uBI{-;Ks1 ʻ3xԋ XW(&@ɶu"oip˴ oz^4YC [,QEh&Y Pg _νtf7Yc p+3 9x|tKXMw-^Ol=+'{%8Ze)mtpck/nJwZ@NapsJ%aZdG1҈'3-P:[oKSؚ"HȄVj@F&p&PZ"XdpSHIQ-U "ϏZonJl$=Y e(=yT0sAУ~YC?b^?y Xr ]CdL4dS45:w\zv{ ZMڢNNW: r];QFD"#wݨ9ݱ3klHi v$ LE)18 g݉Qk TݐBA%>!Α\DhtD-ʪȟdu޽TaWiA@`:L%K.IB5EBu0HFO@QeF'i V9pߦ- ̱=JVxcp}xƳdEW`@05;9vCZ' ?fa/ ؈bsNmKw 7LPW'rRee˔Z{dzr,+_ U-ѝHϯsŻ/Evj'*^ &̨+`ܦ!O, 5״ꠋI);6/bQ1,[iMB@,psArrN" T gl`-R9f;>_|:Q l?˘[.B6J4;UCbAZ"?~P%X2ʥʪ<t(8^Ǡ+G%aϤ# `\6U~X_Tə$7b7JRvowvϰ}Ҏr0K@P^ %$$E'^bU v^|UB.1&"U<0Q7PS5 8࠷=@w8wvl)X/5ymjzU\_Ld쾅h4E1 \IX "4#i g+⵴#K ={jJ j΃}S9z_]?Լ:.GQTx>EDgjV x؁= OړT'%J`_ \_RqL;nWe_%߻$%(JʚLQ]"m#Yw7P?O?h1)[GB41r$uy&+C I;EJ U#zkigI#&qPE+"4$lZ!Bu&PBpTA|C`cM~\p6#6vG'3\qv 3s^ls)P|Ԓp=px6Q2[Vyκso]omeF”Dݟ4’B۞k%n=17w}1,eٰ$et y;O޼.rinV>oϩ]T^j6gO H}jn 09hILamI(JϞ4lHw !mv# %/oQkVga.T pqaE"=Z[ mK-"}$Y`{24q>ҌjM9ēN^tI Aa꺍Pw^Pq)Ř}+{=4ҙ@b18];퀢GL%ty1!\n95DIưG2L45hg /J&l}|F ]t^q-!k[dtB~Q8 u613mih'xXX #꥽M eNKL_osb"lõ[hPYb3'@ a]a\q'P< !.Q4{|IXM5wA΢,CJmjHUZ {`FznZ+xvª7&SN/@ T'o*Wb+õ]ӅD0#PCƘ;@KЪn$u]48[ V,&觫vT*PͤI֢>`8JI}`>k4z;a9E(2l XICxO`zt%qeps 8@a|ȴ K,&IQaO^M6l LB$ Z<@q+ӷArG)K5`6rD1rJSk\A_c9:,NEۿCP+=ÚbNgso7iwRk iÇ8'j89IXu%p v`yi[_5O'1ɖy=+t.1~xNZu]d(+FՑ\o!88($y$U^.>`\J(*O4J"ͺ/g}.`m&qݭN`Fp(niZGk9djٙL,ŦXO 160^Wrߧ4Bmsi"PY՟~( qQz5&Zc/ LAFOW gTwk Eɀ*`z&t--̫O–6ːټ\.m/۪E>]y T jw$I3pZmgzkP>̲aFRwh}"ra#x)Y SPfBg [,Sz(羸DF3 !8i q̬Ջ>ɡ.<7d]]?Ij(B2-bOa4p$R,& о߀j{Ft2ҥdž 6hV<9R t)X۠2$nbFEݼ9/agUXw%* Ykݴd'j733ӡ -g,j1}I׳>ÏWI{S^g >8S~3ET SըߑX7 ^8ƕF_Li2ՒtMS۶w+V k%k0&V/:4G)kȞ"G?~V#S}s1e"ojC+nݝ:Q8imcd2mu{۪GywmBa=wяfE=İJ9!Ad@顚ozR?B֝dxdHÆr[~DJK'8Nт0иz?w}1m(Eؤ-@$nA`'@+ZRS-8$UbrP|^s겷eSl 㛪u(H@O;>1h7NBk =CiJZVIϥ:SFǮa9,!8Xݳ68%oCcI gN/BV1q5Sä|o@~~qEE=Q+L_PфRR/&Aӓb -.^/i\߱t5AYmbdhB:4s?Ih]GO.˻h)DہyGWǝ?@F e5!2{PVY3t]~ެ׹[M*dt Ϋ jgw^z{y}\GE+A޺=/ٕ/k;{t)SH1;>{{Zֻ0| k5a8ciL~'ܓp NVS3.?mx|+aj 톋Fj#@u'΁‘> &C$it#n(א a-+؄&[Q;pi*ՔʄۭR>2D0Y m=G8P4[(,yx0~nT0 -?Ya d-~]0S`䜥J~>i 5ε hXΞ%I9可lH̘ 1BR[(2Tz\$D _k-J*Lm ˬ}J7М?xQ`?;q@k&toV))̒6Mg JiogJ-q0sٸD6ȞTYsr5IJCGvKCkCk+컢!+v~<>n}?:<s Xo^[@-{ GFhBUF1!Tt˗o/տ Nz@LmYGAү9/m8kGsJV0:"0_5zqPC2֯G缵b4O5ҩBtxpVҀ&cv s`D޾X1]|ę1{2Y#cƺ'ź gxs̬&US Ea!~qY[j<+NbNR1KPLJ)p0k\=oJzo_}#RmhT#G-Ʉ:$fÈ-#37'~9;ԃ߄s; ; cCR㰉__,Eɜd.о6Bc.gl4oY=Pc`E/S PgJ䳭̑T-'pT H@brt [b+6r%|1sw1` jA(|ƓV): 4.>`CKۋRc םV^1bw0nxy Q%j\RUǑtMJR_>W<% /5ސOPt^Xfw$CӅ{2Re19j9g9Lij*`ЪQjL*q2s6?wиc_DL@wf;!e詀V-,1!rBdA+SB @v'~o;ƕn t8!/&(F80V&;BNU `ȣD&*9sl6=*nu?9hm|4xx[*&}2>zMY.0 bx*NSi?zNs]>Cl)#?݁I\:rW}6%tiLֻ(?׳4&yw^S<>9j a@w$~Z﷮k9|FfD.)UJ0@:0ǣ|~PCmOrnQˈ~#y 6\Ҕ6:i0B19 2 ,4ۦ&=W{e~#8 jȳ\T\ގjQ{2Bkߙt ă]5Ы#LQoZd&'`R`u dRE)5A4,>#:T8!m':G⽗^"x0A[pY(o55Gd{_jkKiEH90'eVo%dH QI*@"k,*䙶^ofxN! FBg#DoE/ȃ)#kcFEh FB.'7_ ^` _j{xl9<2g;.07wWWvKm7-`7b2JLA$,}~tcE~6:>3/ mf4Y, /%˿rO4P6HCSɥ.R\b}ϧ7fa魮j}~Y3W9]P[ŋm|R7-b~ 9~yFHL4礬hbeu m 'T_{83OYp: mHܩܧ;V6av(CjRP|";4jIPH8Ș}Z,4U&}i3Tݸ(]9ڝ:m*Mi] sO0O%++ ӊگ-"|d$]|+z] 5[;12wW3QcuhZP!P bBxu86^|i0.k,4|'ʮ֔\{Ygml%8ݥi2GEV{[섄$I[_ۯ [^f 2M=15}j73[?6{ [j4eiSu sy!TdNgnv W G c`ov< ;kbztzCgˁľ4դ,;/nK6oqm\SNCZz}1b`|`тv榋Ьo'uAc.^s7=yi9 ۞>A`prFME)K9 x' yqf`ܼբx`?u w1Pxy,^BbRA9}Cԯ9p^{@W[`K{h AvD0eXR*SnJzc%0 5@\t*9[WI<>d[66̏p<ز/y39d tp]ētrKl*6^phoWC#zХ{bv ܦW^16(V.o|3SuU5H\w(*wZӿ_4z͐ ɗ;S:c/WFTs7;j]1G6Ʀ`slsۇ9P]UC9Va`Y_hBYKL/,-Lru_K,>N {&iά- VBqZt=h;.(HZL\Z(SoՓ6PcAk*.w{eB|rpz{eC5)V~M ;ä>2RZ\Q  C`~vU1G83D Ьv Xo3D!SP֍bS i5jC/*Αփ=^\ #_ nk3aAcK&PK^#St| W<(hc kî)\oQ/ e;/UbĪ #_PwqYәqh-*pw|mĽ7eLDj})«yI״zSPM[::ZA );wm0[0VxfDQ/Q-"Z,9x$!1z9LAI8茴4WiL_&+h~lmy&S] ֯ʔ:b3iN#gbɴCwRO:RET)\^`چ/AqP,k-|DVDLQ!@pTBMn>Ѕ2K%$2%`m}Ub{reYevs4 YB|]-pO-P,_ 0ǯr'BX͎Ƽ'TNTZ a,@L9IhXu{Rg3fV-v65bԔql [čZiwQd<D % GRf&COv1SzSXn\\ϮUo(Ueʮ,hQ=;oE=a>ֻP`ܛv]tFN a>J-F`ԄuPA@wh`Y!ΖY'LUŗH{|HoqH|6Ujl"zMndZ$sK]/fW(s)zsʮM}Z-.d`Nd벚Wsm͖" b*oz6,7QLMR;ْщL-`rbD8pL+-%'>'E mq'Hi8z6ٿJ᡾Y*w %Bm zz]GMHjS#fD䂆4C]}cۂ`79:-.,9M-t>Ǡ BAj3^/go:L276`Lh:lPzQ}bz+̴1V,ny-O 1ïz1SENːiCI1k"CJVh+Shg䋾#??K8/ѱ}sPn(]V䔹袑di􅠩|3g\='@s㤚 ^ke<`pщ'G z򊋧 ^Ɣ 3gnȚ~̙`.MjR_ ^B%I ; &眓`4{6fMhvYqWT,l,H^j_@2Wi0"8eiah }Kd;Tq!sFꡕ%xL_,4AA6a}:4s6DĀ6$.M܋1Tjk᠃Lj,ɪ4]Qm"H⭂ݾl؋՝b==|QǢxA(Ov ]KR~DK-s*0Nԉ ь_cv(,O`_0 fw cڝ])KE3\M Zoh' \bZ[0R}֤ڑW1kj`': }uW zD-\еz]*;ipntGLXiמt/9I% G[ncFNLvW^r-L8y aщH^@_nRpɰ -\]>i/'hȐDԬ$?G.\r*́e䷴@s(:O\_:b TƺN}/FG:>w]5p%?%sBRhE708ީa†QJE7V+0.:Y-Q/&qNzuHe7LBkSe9;H;0r$`CؾnU~t葙mRؾqxK-jr^+J3N $Zܣn0%l&ûlt6W$m<7m.8~dCi-Ps%i{a!=*XQ ZF׷8< 5s#LU8G)N fE?R\4SFV4=>Nі Kuj)=1~$JG$+@H7H?rfǦ`tצqz>X$2uaC5I8$DxTs e/^MYF+ǘ|I- 'tlrdvkƥw*M86ncGLsZ@f'({[iB'~ ShIz]AR\DeL:';wa }tGJ7e&W2фu|Rhsfk0.&1LI?5`ՙzaEE u޶l3?\.T Cq;Ȭ 6\G+О9cu%A\mY˯ͨ1Iz1ïqY n( F$-ٚt#CnZ.-tHH񙿼҆""mu;a(}(BGNj=.k 8 J{jbU'O~qVE]c lj<`[VSU R}byo>4g2;ÏÞhN)P?߲7-6}-߼oYQ!!{g= m%=% {]LxIшMf{$~V3$%p-Z+`$`\E5GkIzoA?AukDp%YpܷRY֨`4ZD.rGwooXXN%ϫ ;/bN9yE,_򩔩:-6ƼHKx5 d*K6fCAg>zr_=mħ47IBߩ6'C;%t\D-hQqC`J~KɺD/+++EX~m:0AZZrZKl,>4Z hbkJ)u%Pr6["ڷ Ө"c%rBldȪGŜ uOs8ޯ&-cH+{< j,+[vQ'Ɠ}OC|֛#EO3!yfXq0P9ǐ,?Je6iQY4(^lF, 0`S@dpor[׽' n֗41O`(е1x[jH08 TQ;Bg}i\ b\?[y/e.:tZςL0w.40! z77.kfځlRo4 5 1$fc,k4yO‹w#z@5ROYL@];^/m7T܍7,_['*;B^kSyK TwxSUCǚ=sJq^=$g >ih*JnVR~ֽ0Kq1^|I AӇ$9V*WjoC`tf|q[|h\"LĚ"=GT0!%j1feR=QPЪXrTv!M'Sl v 2&yn2ߑbXi(;Üb&5@نf[NT0rbZ}wpZ2ʅt캂Bv1 ;ҧ:aQYy3ƯI񝲭r3Co0ZaQ5"Ħxҕ,./ۍ&gHxOFN]P_%$BE ^LS+ xAGQP\|r-8gŃOC8m 8KUO[.M*j@4E5wMag#: qڲ0gRgUZ#O1OW넁f5s6rL3 !',(c&@eg\dK#k_\b&}Wulgze#У[*l3J_xSȵL]HdsW~OI$l, TdyU_qNB*-Weh0B/,Q2@-Ӗ(Nv<ed/7bih[a$% r9B-m6j/TWjuehCY@3%=\!QƼ EDB ~O$W;KazbIc=(y<Ŗ)sgӿMPY ,asI#1IM/X8MUuS DGtZPg3Tb r\ 1]:O*>M@|)%=c<|U+_8b-V!s2zZb\\kÑ>X7g VY9dl3ܧ FЌrkd+Ӵv~QE;Hu=1W"!.UV] PKgm qi%-URAojfK3np{xwnZ*B6>eٷVQ.x4…Rb(>/hIZ RZT*eHw fe'.uG U A۝ƕ GA@X!(#ON\ #פCEU>zEfzN·V{*&͏ђ `&$u~WSVecP?pZ9sXX 0D-cF=WJYq+(j #Wv *T0 Spk2#!Eo;sksK!w֊$HԧrW LMKD R.r"o[Co4#p^\6.>/*$Cxs"@<J c: D:.(jʹ10O[~Rp=UxFbryn .KeՑ|6sM߂ozyf}G.#x#wvcd^2d?݉^d`A|8|Wws '; 2ṽGo/|f>NyJKN%yrJE`U%KlC#j]gĨM6Y[hXs)\mf?b|IhrV$ oVTdT^;Zݚ.ݯ pj߫H~Q뫜l{Q֒dԩ⥜E!# z1#"QwXM[E~%w^c vk\ei;,lȝIXy 05GhBV(ǫYR/6IF?nwO!`* SpXdgSlۗEɒ?_vas'24M)IdY /4&ּ{䩥si- VFenkn焾P#'K+eUkNgjo̥=)I~`%gچvl-z>߈RAu-coM\QHvadAk J[Cn= \& Eˡ6.UdoR e?P@mUħWr\ o?DqPw刀ux@H&#ψr\X}тi$y&y7vp-rck]-ُM煥+:Q|wSkSfkOc>W3b#ܷ҇ 8969+ֻb9XG\!ۂ!s}vUO9rQx6+ދ1\ _Paen>3+*EJ@łoإfrbFHH0}Pgf\U "o| "\hcf  d, 1ϼ'v؄ ac kjR$jʼn FAۓM(廓(rg8CrOHOJtR"LlJw-?o>I'M/-ƍbr4-jg9KJh_!,OPXNR]':>`'5`^XT?w )#j͵w*r#Inm\YǴHD0|:J[a&>Ypq ˌ'vgh1T_ Er侃_*"',L# >Vҍ2q5=} N;*ob3K_>* E)32@O_aK/8ok^Fྗ#-p=oGuܤ.+K[Yvm*H0;}]|az40ܧr$-kJgUaCa8MqS2xb{XtfB3=̂(Bл=R%pnxQw&ʂl6h]#]n>l#-f~"^"XgNSOW/H̔UmۀCzv"S+ Fg1xY>)ᗮP,Gb_OcG?~i~IdL0BEa/vf2[Xt 2qK_TP =_2Ȼ%ZU72(&-b1д|rJnjFa&+rGsohA,1"ZSg͆;bɂI"B'\l!zg!e#7q0kb":"䊗-"ﰃn_Qoqռ θeqg^Xq-.<2&nnQ];UWHL~c(d#83< M°4 D~`2p4aeul  IPqb<Ӡq Fflq1":ZJnRtd*FUeb'?RU #A^\x̓ݔ꿌ZE-I&hR2gZWFܨ0^1{" -LjL4u`G} Q_oűB{sIf 70Յ!`B!T k1kCެ,O͏'86_s%!KǓp¥ȧ3fAõf{Sa3x^`0Ӱ* 9lj FHiG:!?raӀ:S`L>&X 'nR`nŸ!W唐r%i';@0vqPV ҮXzؐ("{3<_!0>>7*I*P}K'Ʊt }? OLA`n"yv:Bh^t_CCσ45ܭަ$C*IgǕrތL+=(ǥRMP`ek,~)':W:Yn0ȞDszlk;5ԶӰT2/Wr "2 vxKQ  i#[| ~Kj AJ>Kfab%}an3g8E|f.-Jk=+Ik˵Xґ>V$*`g{JvɆuegtmEKwB9O> S f)ТKcuKGp5_SA;v-?f0 y`~#4Ym;);oGɂuΰ[{h8[8=tqh=yxK,5/K q'_qXdYEDm~e5U9pQt?=W w][fmokW1/% ; 6ˏ5+Թp iRI&_%(LOO@)j{TALiO)SfD%S`9s[Ž".?A\"t],iQ(4?o&h^l!hTo R ښw5E;'Z%tMĝ;_PC]y*(\Ր4S95-fbA:+Uf :3r< e66]. 7s*)6J?{kH['tq0+r"abDg.O2)pw9@cl/kX.]<.ui{~ MA!wxϪGl=/Cj+5g__/SXU-#S%Z]_z79fe 2HM ?*'boN}>_xs@ 5Xu)Oږ7ƪaM’<- 8GjH;IjNh\4 y,d%qw,#P[G0yo;eIί竲`ӝx  U H&Ӈ~.g&i <·rd>XfwwL[ouAV#)~Jgi$‹TaNx)APܡ3xGU'0!=a[_.W %r\_+^.8),h$ҹ}DCLۙ-wF Wq-IIҭ'%WB'Gkp9쏃HgF^"4:_)h.Epo.sj8Ztˮ ؇G.TEKkWBt8 ko(ZQmqD(O̻$4iv֬e9ɺ^^|>Rz_tIba:'^Of 19ӾI .T8a2m|@VD+yq51qқk)$=ot\.KžC@*8:m2أ7Zc;Zs.mϿ 9)}3SSf$Q;GD.- b .-AKDw;q@hcWANGͪj3hĔ;\tpn:-. ]+߽t= U'I-zk0ΩaQt.iicUBYlLF*8ɪh"X %D>b ćR ]aQ n#0u&Y#8SZJ 3wg'37O;/@%]s\a<pޅn vHT .YK^ BG^=Bedg4q[vAMPʺ ZYWٚ*u5cHveGhuFdJ*0=27u3?o$I_9˝xPyaF{=)I 27a-1`Rp^SCOzvU\mGMCW<)Mb hajs<9;]|qOc9pלPgX=Nvk4\2Qtj^?fnRJ2cYjտLQ0!^ka)|3Ւ8.*;v d'tPԻ5T!xr;^RKH$ss-T=.hR *!9i,DA=q̩vK /);V@tM31Ϸ1t~e|/7u`h"} Sx,tY5&S88yQa\*1iP/KSsQ$e AF`%xIqUpc)5t|sck;udEotC̤2{ sxIZiQd$vH8.a _l0]gZ1ǩ# 7VM4#r֌DmC@vs Abn72m̓{J\ђ&j^3O~pShJ6X%դqw<) ,rH6SDp!{)Q>ؿs2ww[|ZPIMgQDNGM,frdt qƼEA@;~N( rY)YkA 6"H kg._ ěB\˶9{9+rXE" +j OtX\H=΋Zl["ȶj/Scfo@FS6l||ru!c8HK;s9 vSҜIψ$k?zN/)5~vuX*U7D1A?$oUR.a(֫~(ߘی~Da|q_Lw5E{7 -%IhS{ߓ ´[+dz+Wrts׬ߟm`nM |y]}nzs+,x.C=^'V|FK9<޺ J( /=E^=E&?Wt15:On?|UTpꩰXY|5K㶊}=U<ҝEHpbɦ 4WcԕNtqN N+gDHC:w8<7Xv f(T^7<aa1LA:S8bj{8 VCZ*;)W "4VN"wؚcwā U{V\|PWe ijq򭳕"<^(WOs) `$x4\sX|;}}`V}*[GƠH!uMŶ x"QO_%0 0^RQw{/W"4!@ l{H}l7\mvrQ"zy+ˀ\mf UjA-AjFr-F V⌦;-T)Q0 /f{1n@YB`H6&W&7CL#ZO+YA!3Z!Gqbyk- WMԴ'8oCC>ZyhWA ?CU~bX?8dYJgz%8F}4gL *RB^_'G?ҶM^[Jit\ʳl=<ƭyO{u̯i8F_8QT3&ֽQc1}p_*'EQĮe#d8^J=zddCk=d(}]R<^ E3`{ N[ݩ^3J9S_Ux~3HŻ ̐nd|)`EyʂD%`Fx\Ah$Cv~eB%j0(z?5J;c?#(񙬆 ]gq?Ț`MF$DS F\?!&^49`17@9Leך !y /"3 [;1pWϯq Ui\c,ZK)|JeXߩByVp\osz$ +!T$#bH|DgWAUCRb\T|ߤ= /x7y\ز8V1{)dK֪`z$rN{ߤu? V([7z ixdSP<0ŰHk[ x)Уyk/^Zv T௸"M';3%,'.M|b_ & S>]b򱙩d!{b<͆ҦB>ڤrWԨIQSv畠khJHiZ%֝j2ǙSMQ$w j8XjG^3,Ӿ]~"F:z-o385sgAgҲq2XH@y~08!Ke?Hv/%G&8a/+ ?x1 gzJ !>eX XJ>sB :;yy\?W3[|14qPҮv m&R4TYQĥk8.e 4Y ([/Qk$rUZ x|"]//-N ZtmcW}D{&KFǿv&+C U=f%vS0f;sPCKI%Yg,wѩes:Q)b"o2@O"?m7ɀfU+ !Ē%·ch"WXnBfļ$+iTD2;2\oݑmDn։콴k8A=MTwKMa؎e S7+A;=6880K1|9P|f0xwBiz<)a",@JmrEEgNRvqyi$ %_Stt1m^hCC~Bb_reco@2k:?xN>ZU*Čb՝'RLc>k$! RhRv2J1 |ssYm.-cq`UiM/DIoJV;I^\:N$s(1;Om7qXE?6%%ߺ(惢EieY.{N殲0@[yasU#ꉊڬu>i9e=䇛ϑӹRSڭo횆TMݣvRZ]~:hҔҡhx&r Ss-7P!wNks[1/Sp.ڗE.av|0+]1iuӫ*DRzkF]H^SNL{И&(<ޘvGHh폛+\:Eqˆ5;[B Ǖ(Մxf~7+xmZ-ϝIbhCc]CܗPdnl'`QzsԞ6[BdL*,[c 4P jkAФUNB q45Y G^U lz]Sgjԉż,Y7g}n |Z~%_x l}2?J NW$LltH% AWu(KP*ş՛&tQ?Oz[[űN`8?|q.`y2|i1М0Z:*P?QA)V9!8^1GsRH"ŵr_}^ݶ~(S;g2Z)˲tplhf{n4ε8~i vEL/w;6m/m4ǒ :%h+ T}P0)%4}4 4 3(&#z(n>T砓o$70 roҭ)ŒylhmT%x+300 ԁ@ 51LE]z gQ{!ղ,{3u88' o,1GmŢH+M`LޢtYOE%yۍm+#<7"1p5#%_kMq(H#B.g*9t%e U0JWl;usAj> 1b&0$wXio\g|DYb5Et""-|\_\sFs mԎL,?h1g P7&8e;8X;0M YwZTKYX3@MPJځ^5(E༝-}Yv~Hoj$wi*9i̡_]zߜ- IYH+ʡď(L?YO(j=eͮl*"L{wߌt HuPc|[P;l.׷xrZ_D-7ʥ:^8AAudB#Qeőbhg{=s+2/tsĄ zmJNyW]Qi.٨X?0 b+\*eCC'\[OQL&ub#Bn=)5obOdЋ!tʕ mF(i ʋ F T%*:&O$)&$T&XEDɺd[c)3I;jq =>AQ]]+|Z_i}n)E#0sӔM[īWklI@t{W5a$ph4(#HzvN Q%U ds3"<5nR'ִx. uB:Pd,*2Sv:i:p( ΤtQI ȱdw n7?n*3}j)OkF҄͢DhX–o(pWGZS] Q>V.u',=L` Ҵ!Η(t-#qϹ :!LUMN@A\,ŲT-$``>`uCeء8B )9C1T\~hߏ]Ʊ<Ґ|j|EH S.CwDHTÛ>BS0(O=h&$D+ϱ2_=BZqp.DUdow>[rZw5j [mzI+\F)l#@i  &{c] _>x,[yJ|Nv愓>6\j_c~ցAB`8tJŭzXJ[+$VLۏQlkM0qq^hQ.$b1Hgyۊ*M|bn~ro݉hK`)A[ƯF w-ʢ-o~^_¦do@,e;| r7,&s< VSZTGfүu\2xq+Aq:3&j.vt Kzu@ TC8Jr ,C}b(b;99!`+77/pQKFl%}{UĂ{:6R/ =ٜvzokSpA(g|}( Ug<x/J}N\3eCànTSU85(G2~?]Q^9ԋi 5 ۫Ak S}r<‰+0( 3/e'yrgL7ۓ4{g6>yC -5& JD/Lw9pG_lIR:׳u*zAndh&;zK^Sl)# X_xw0;It}w%[j_2Z^L< Q@͂t A~ԙМgD5Ԅd IsfO L=/_@VdqxIV?]Uv _L5vQ9UКFahk7~I)SOK)X pQ5n*A7ѽY׌m4ry6 lq!{1.]<{tB;%*+/G`%?Row0Ud}d(b@/X_)8*,]ʻՆ!҂R\]uABqp|O`.Nɉ<5>(V.ܯE3yޣIeI?z-r˃\넣ai!c9ݺDz0.`nEXfCWN(rfon Pߡ#Yqo6Z l_"\h3\'u}М>7_NM,CHC>6L!F P{.r4V?ar=AzĜzaZD Pj^$Z1-<͙fjJj;_(B;WM"E<CTȏ} rv!i~kҬ`C϶aRœO1)?Z$S|xk3ҌE.SBޢu^V ]۫b%i=h *wpLK"GSA'y \m^B:/pg<.!c,V=ޞŝ4EH*ZIF{njFD0 C,WЪO5)N{$m3U(5Y%HOpDm(/lAO%_vPRѪY }AFl@ǴG_K`27A+5w׆3hwg4 #wm YZ 4뢩z/"t&0W SrGn?,{|F2eӯԤNņqnQ&Icim9(p.ӀH~096T faWtTZ{CuͿfu~VֱٓR8'ζPtxObكkhAS@ʟDPy9iB"$ń͐DxDϥth[@ ?@ej`:GL~O!a09zn3k&I>qKTD!ʺGblwN.qsf<^sB'<-̌3`Eoѿߌ`d]'"1ь,,tOqPQ`ati+v6,@tO4F.gjIsj!; M Z3oӾaЎӏ 6+u!1HfV9gj\`eD/b#( 05~Y<]2FsI(@Kb3xxI%z{Ns8)ʞR\izK.IrCy㗖Y_ʆԑM9xI1M٧Δ,/8D;ˬPŶO%v+z(çS0HN $^ȣ}֝zCXA`eMyr8oJ#߰T`G,ݬSH <J^ bL,+yRfeP~YTgn EG b\LbG Uf,7TwUuHJ9EOD.Z`ӍiWJ3sL5;W cBT)=sNnvyG=c*iЩ~p  v@m"JM\ێ&)0"漗i-}Cꄃ*^2l*wRX7zwFr=a]Zc$Eꄩtgcd2X`(1輎cNlųMNEF s~P!LG# ̏9͟nk{x];" '-/٧dwDΚ: Mͮ۴+hѩ %C1n$hk|@e?D(ڎ5wM73Ԅ"\:v)M_}'9T4 xQN-GV O8JFԶa}L6 Dj 7MTm봿g1!8T*8]\h/xAEv;g#aב^mdT2 jeL>q']`&>"I[ wdjJZ%b-l_a&@0>ie,5$N9>슑!"0ERO~A[|2 MYs(PJP˿c[q 8F5Kw/sQ^?*`p[l~m( $V䜥$jw[> ^$5czB癡^TscKIž:VʙL%?=%Hϵ2R?4VPP ^f""ӜFH:QB7"aHb:Q 'plvRz(6Իt\<98g&?L|bj=E:FzUnz"8-)jK X<-yxiI(B,7)s FgWyw2{ lT LrʺW4AcRqzFw !|nov}": [{#/P,$4L= ʍjcL/J4[U :xv8'Cs?2Ƞ #X6)КyFPϴTp6>aИ5H >c6'2d@诡Exep8 dTklas^;VY rf Z_)w(.|Gk/Ka z[ͦk܏1OtD+8}8.m;L piĶMD{?p/j!f.Z[$fyAIN2ǩş|'WƼ)W_͔%.I!w8Hn}TYUi \ij)}\˴NsfW Ua4YxY^ct{M¥%/ܗ6 V y4"l4 Ƈ?%XAlyHp '|L- &_Ai\`*o# 8k'yQmky-y) i]y_Ukt,a3$;)B[[JJtH $F"Fi*T?H&<`wۧ;Z+XW2Q5T` 8}}8egi#R4{kaBtrݴw%Y>` hlUHub'Ufސp(C=aY%7-]uFXL(:y5tx{yLoMICu ,#K>R A83k) <ǔn֯ p  *IN&&?4'NYH"՝oRf-h 0!oܠ4)+:e<90ܑ0}'C PD 8SX`f;H-Aq f XD2j,.p\sJZ'(0t֖]7yZ̮ RlC^qjS]΍x@4ED\1.x!cjk_.*EXWH?[\wc,`Ku~/X]켠z|v߳mG5&/"xT Wat_'oO(gxiLY˸y_eie^c/vp`-P,iL). up8)`(6F n$ CvQ!a<~[8%Eu2$z ѓvujj 6{198 U[ǢdO;&V n5qDy0&୆hk!B|S },B O_;}[*v\w#R^)Ŝb0ypޞ.Reeʼn_ϛ+0u*+7075. <93ܷnWk5ޓe& 2^4BAFIشEG eOԛތrՖG b| *I{K>rJCrX8$Q'$4r:N4|ا)D[byȂ aKc4;oV~F 僧Gʨ{pF4ݬHj,l;kI&D8X(p>=_㔮S:DS WcԭmX>䰖,ҜH+@Zy0У$WqI$\z>r Fm6:HYpUm]JWBcX雡?֑4YzT0襑靶 Lzߏ{똃7_FK 0FP{߃{/nY{>.3p`ΞZ_Pځ/,AZYD*Z gUtjWkOud-BْaxAP_ͺmF*]Z ymqّy2c˿ȲQ:~8ks&J?G]`M@$C#y@xzyƺwyds:oV&'i "gFZUh+ށLp܎g3`\:Q[Т[ՒC_^}Gnumb5j!D똄L a|~ gDV ;)J34](?IjT `0V2/m+sc9+ϋ$gH,M.U8f"YƶA` Vfj`9W'\ł'F$@ &] J [؟IBң#ĸJ0BʌGNлǕFxo{IꖵaN.w?E0U2QQM%õ{m!Ӧ.бtX \߇|4lP:EaM8v~M_R?hz ,ģwzH m1` YawlLhy$'p %m vǎjsOGij7]f7'J8S|0#R3λM F(o~-;Q|WXN2 yщ-W3tnORfAՂ2 OM,i'_Za?sún[MEO1zg" ٻ k!A9׸fܣ6uBH2EAcS`"Js2 .JCyͧEKsK$m# 钑_G_'٠:i]$^ք*["`*/YR/2b~Z>ҫ+T5b >&Si挹iH5ILN+o~ٛ]8wn]J\T{2C|,ոb uĐʹ4$n/kJUFb%hu9VzKы,My1:WEˎhXDx[?\PN71j([˼K>;}:PRc1249nv!1DIZv`n `s (1T?f @G#ˆM(\nOաO;m// *s( ~jIe.*|ҕ'߻J?X&mHJ(*m w0-}otߌϼ!*c:Aw}@%F,X88`U(ļ9F3Kch .q{r폇_UO~L5;ZB_-*' 2+zՏHk2/30(l =noSG8m6"hmDL-Olˏ*ӎURsX10//~xKi7b'c֊tmDtZ ~`:q<XH7 |w؁\aJJw D  @Zމ^u.*mK~;c%?eE/t8ٶ)0LIkZ_xy@|0#˜1]5Lt z`1* 8V/08kt2L^;++D4Ǒ){ٛ׆qVy!Z_ܖL"z?b$8a۾5m2Øk~9o0lJ+w{~仹f=TRD)-w'EVt>45dv<٬#HqM Tkz,mfdftg'CcxTɞXWq'I c Pk_ ̣WC)TtH};+J$p yRRER AtшM%w6s]AMUN.dkGr[c؂/fצtEnX"* o/LzJ uCZRÄwwU$3OaE@ ) -܎zr[EfC"+2ŧ>DNVC j*V$[XCp-()me/B+JD~җg,Չx (*Y%D*K+;1c붍[*ЅU}li;'vϑtϠRָ\K]1Eih+lb ~Um hÄM){Pa(z<hm0gM,(}_ڝLhFU-zX=)AQmqCSYHU$LX͞r /e0!n3ze[,(=@&\F3=߈@MƗ$.Vsa$4̓h[;FvILMi><-uu8}2YΙ9q"]ɓcEn%ݖfg8xUj6{/(s5 ߜ>:G?ӷ{Qf>t;`43ʃ+O=7pgN276)rduq[ЪZӅw)q{,Vv T(UvH^Ɗ?-N\ .`+)_Ie*c؃ ̙"Am19z!M&uNP<ǣV&;J Q˴3t֘z| 0B 5S=)g yq?]Gr`Pi6̇@/b+:sLtXUef<5p{u]1,9w QG?Wa6ZLTu+>Jqn TmztXнQcjwk;KyϠ%AftFl^r9bwvgN]-L~TROcI -$v7Rl BDS5<ՉeM'ȑКT^BQ>@jTdMP;w<N;TڦM;xdޖe^UI¤S\"d E9{C uf&E1|/>کg Yv50'_gH5|ݶ0%Y!ɴ6\i mȧMX+o.0v}M6j+?2#q'uwݭTppe⛏-{.aN,N62 =qL9j5fRmM7+:|Eθir8=}tG=klxK Q=~>yByݼЫw&ߑoc88HJ^'XJ%cgJGO~ O0[wΛM=>7iGR0\k-EBj ܜCEj侕6mzɽ1$IHsx iUk{V_7?R/VX&gK jИ:߆U<@j-{]ƽYPD "[f7EM Ë? # x>4aWsBd:30]bjNUI5b/h-ѕӾ?4rD`R&Y)yx].{kl-$``Fه4bx=riprfa1ծC#@ H9guyVS=;Y?ʙ`ѝV0ZQRRD7ưu/.8: !܌4՜M} ~BGQ|+ʷ P3T0{\r:X5r<2pXNt -eB*ŭnO0\؏gwnF₸7Ni.:q0r~;׫sGؗ(^_fԝ`O/xMg^!RͲ*W-BA$Y5hY7g0>M<j}q"EUy.}Es2 2b; 3JJa-2Fw%3;:AxRG OeONwȪi+eWHdo?:RxY-Bf&\-DIoǡHzu9.K-G@=jMU/w(!xC.?ڏ~K"@1V 4.Lgw B*Rq!V>9cYKl1B̨IF`p=ZzՂ<PJB֙,4Ra3} #LY|=7ؕq]!︉R3&r= g7flVۆOOU8{;I[p6BpzdSep q TwR5X:ż M1܁w!U fyMsJ_Ӥ!1t5$0~{ph_g>vЉo Pk8XDKL%SpWˇb͟ԤѣS[^s**KEx>z"Oi~F"y?O43ٮe qZ(iGEKU{4Vd CFJ* dJ(<Q6+9^q.L yC3BۺVI2Ӫ=s/~Y Hևhe7*VERBfB|X0d^٩z4ܥ6A"OƄNZI56Pq;Hѽ]Z+믩I`XhxO0\&VЂ;,^&pE*$mLP 9BĚ& z~@Y<):i$FR mq)" /2sCro:VlY}OPUJߤ*r`?xud~H,3eMN^v.YtADb`^fvOw8'i2 l B Z8mFC?:tK \[H> oYwxkԬ}6LұH$LO8VS(Y ò/L_XNAL.Tp0ӶF  ?Q/auE 0Rcîs[@rc$9KҙHam Iol55oݒ=SOse@4yݿ1Z>Eje"̌G236Z@{<c!?vXdVˣ L< IǼTIg" ZX~aJxF!jګ9^υ=$?Gt_05zt؀[̨5.u*-vml!7iJ15N+"q^ŮmDec -pa>uv"=8>eK@)m5/5Qc,(wN[FIz̔%Vyub%&Nhw0Q9Z F^SvE]mzyK.\&*YLoąXA4 c2mO}b~qk3tռ8Kxt8^뙟qH<2zɴHT%K)qmUGR}uA)THudkN wP %쿇vwZћiS #B&E̿;0)o50g=)GȻ0aEʅN (X; юUL?9;E5Y6d󔪦|秲 ZIg?ėHp@)xG fAɞK&7]")"Q^gT_xNEZ 8F.nR/ fهev 5gCo5NFK?Y[35*Wf~.#^V<[OGh[pl-/!5J0 ġW*8}6ې-LLSo$Ϥ[F&I.p7/QR#}]4.KeqR$^Ec̀B㐐mפM+F~79'|TqBT5fkA>ӵכ V_zY^D͑c=Y_}X'20=;wOF8,ĚBhEp* _uNN1HG,XϹzkR~piwNk^+9 cHi1VXʕ C[SUT'Ǩ>g';&_v[::|V_rR}kW8һGL,g\Z&/4qۮMM1V1r1l'a %L~WC_%$u}ۦ=JGݳ3 l3ghi57:FJ3IЙɯJKD )v$Qo8T)&M'dOC6 wW1(Ǟvdy*\IIEnmSFTuCdoƂ&G@WU{ 3I/o #+#ƨř'wyVoD]^,K5/!ɵ8UE{~ "\SY|DKW[ ֒xJQmWŊB6%#G']JYCNΠEمG%5T!Аg"Y5}=G[:gO?M` `[\GЌ<|Py,.I$ L3zB$\p3.V!6G,}`5xe4S*")uO](A$Ep B+;*& 7vbW* U -*# g6s-V~j)-(| $xףW~9b0(:jdK]m[He.5Rz q&,!y-3v%dB;̏~G @OXY~½xU24l׉ }BJgT>3ؤfWg`gMrBQfv/OZ/!802L S-,2j\Nwތ'_TY~V3t//XT9di+;X;Pl!WXqɵSWb*Zh&Is}.м0tB ֟0IԔ8'۽VYg^3 7%oC7|xKz)'Sij} RC v*Y3k>\WnZyJXpԗ ?Li=fxDS4MW(7I/t볼 + ;xn[&T+˶IEo*^ڄDu%F1. w OV.k<-g5rHGBn}e|sڷP;7i,H.NT#vvu_ /Ը>HH:zce@Fŋ#x$6^vܔңc݊9bE-u1VAۀZ-A yR44rOKn(]קJNq9xM?GJ.'!|EυDW*QIPU)aURPRNc3"V:1/3"8 mdGn@H.«;Yv c0gx6r< W1c<;EcE.xrb<1B< W>1 d 'K.[?wi3ǪMc6C?yȃHq#drC=d VoTvinI9 n?Ze'~_8[yšaS1ZOO3Y=@pEaD7oM⥬p\!gz ]krdU$~h.0P2PqL/,)K/u,MzӰ|G'q2L2ghH3ܗV:)&WhK5P"V_wd%uv7zUfͨtQkiQG7~MJ9g m XRu@ޱ- M@>B'.DGƿrY"յ=^M<04oب1N礞X/׊Saӧ5XeUT`T C]]CJmO~lcEHـ8n)^ Jɛ9e%_rǚyܸS)j:eI8:}׌4\sM;60[){sVOcA,ҬWB#=rtΌ:eJRL1&啭L \/&xՆ7 M=:}ro°5~kcOA B ݸoi{Űj^+XgOW1{݄knNFFT[ eur\WKP?] M@3 I6xb촑@w\g @<)idxw,?+q7$B(%47sJQHZG .6y~ڟ#aclG)ް .aB˱=Đ(GlptTA* a ûfc$. 6] أƼ9{Apm/On&% 'O^VKpLjRMxB&{'yr|Z $nl P+8ݒ3m4laV?QZ>]vn^nF܋b\5d'V3*xiaQA2ʚFj:ADYޝ^pMКȟӮ 1#[ 9U"ScniY6 ^{2"U!f&H4+E3fEo[~ "Uk 2|׀N~f%}4{ Qy^A5.Dz8OrԠ`BjdF׌y a v qis˱[A#qng1IrfsqV =V8N\dSny#+ϙ!w7zV-6Gd7Gm,I3i|Q:#>$}iidFOϼipXl>@zNTK|at1L>v$ >آjxc큉RVJt/fb\ "!<;5|+6"CRŖ(4ʮ)yn?{=ݦpV:qa)=MS5qHrfE"E7!BdBʶ+W2DL8{oVvޝibZ`wz͖Ztg-QlVv8JY) [NOۿ sqCnraqQ @^X5 I;5nK vox[ 7!;6=5!PG`.Kmr!F& z(n~L4]D׫! gY݃RoiXn#h#LC1o"rA):U܉ ȓK (ש&=;^IU+~50'WUyK*@'= *Ta)SBX`}ÆJrԼq& Obnn8uD4y4Z܅C'e3f =ЬClk{cãC*Hvϰ#1%W ~ hlp5ArVЖFJz;Ws_-s5$Xi-aj͉"Zjb'Kiw5N :ii~qEF}ڤ4^oi0v8'ۏڈ^ID );k!QGr}d2ӶίWZR=;ͨZa\sVx |9hzFA=NqS~Pwrr^$TZd qUE߼\@n}bY5W 5㳀~eYVLȠl/4.o$ٮV⁃%S'}A z|=I7&)k\x c.m@)<ĚP)K{@h,7Ou{b֕cξv#l &,; {x֤u\(I|Q? nTNTs!l;awWyX ;Xc˴-j5T;oj'ߺ,-h '#bPC*ˬ!k bF{Q#r1lÇj䳹C~۰YQsaz;HL<7!wݫ#+?RyWEZF׭ Y?1PB-'Q?Ͱ ``;TXǀ9ro|#>mNO z95m<33d@YAGyKE $@@ r_I_oxjnjjE%SjWຒұ^v: U2Bq=0 nv"macC5`i)TQ8[X Ldzk/nRxfϓ=O#enyID_m"Vq9gJwե|6CWڞ lgl>אBʳ.m7; \L?=pǷMQ4T17OVX|FֳP)4+e_w@DWQ;l}Y;8]f{Xʾ¯,v S~E[ꨆ9CgRaѨFw8Nk]T;h`RbĆv(V2ˎ]aYJ1p@W<|Ѐ{uI Uӏ)Ξk;TĘ(Œf(9-1!逳QF縘nؚ0Z$ : e0$n]~ L\Z b$նy*.䘣[7F{h(yN~X6geijWlefw_NRQ9bd+';H(7C&ZG?}0uOlEǡ/*K ̠D(s3wtBze59z@4v yrmx8'D/e劥_CnQS žٻxvQ6|^R"TVa0k1&c%UxtS*7)WnRUee̅x^p_-';>`QxK)/gD`p1Qs:1,!=EB@A[HR#EOQJw >r%yj`27 kPՁu +oϓۧ%TAHOR2l leU-GpAQnÓJUlk-h`!O P1?K|gŁgЧ˖(}جljX^xZ\6cbFrLK%m\ȅ=MfwCZhyl4"#A&DdQPkםʑ>@^շ߰0OniY| g1 Tf;8T߆Ob:zH>J}FDMtH*INXgN&>]C振ĸmrgnؖ׶1.Y1z4LrK@7N;{ICSZХ8H-ZPl,ş0pgb:HV莪1NGi}8#NƎ%2u,=F\ʤndmr>_Ѥ]!f.vn0_FY(JAfX-E6M͔7Q@ LBRZ!a8A˿yϡMp06mF <I'sGCRRK CI s&Dڌ5u^p"Y ^ABM)LFZIX_ڦQE%ܫO#rFBl$s ۛ}:w)IM,mv_Bqj|9>BiNK`sa]fsc4x7% f '<@2I HK^iPk% !@Ά9:'E@k/X PMΜ\F{d\-7 pw 6o럻Ӯ!f=Ko1+O'}C(KPa^{Nܻ9=U 1`o,5B8Evw6Z*,n%OIpT֛0[/AS챆B/ 5ҕ+d(LK\J2&5Y QP4%Iwk2)7ף㵻.f*C}O{T]\Β.y bGd)L׷ۼdϮ%b􀻊ܭ;쓊b$ N(f;}<t##xXt#bRqkeeQcS iZZ;A[.0ҧ(5uys'l2>Y҆>Y3ݑ` %0rڑf5\4mΠWqa$A !iBY]J=)ʭ#imү;Q 5l%ʻC#|SR/ՏMI $=zjo܉OAq*0HZXBZz"@ceu P ̅TrPIG9uU*@((2P{H;B7IdWhE}n:mok^R(X*Qj0u$wb0v~jsA9cڑ!5E&0aenm(I!Xxx$OA{5hs =0F hdB*1PpA.=} Іv~]+SadQǏ &#+ HPPz[Z:@9[P89mff xgM-CGVTp}K]Vz'I~Ji5j#hOjta ηI]6]lFz2DGc09̘t4Z)DŽ)|Ƥj]/1IĖ1xF;OU.e.a Z3mlh ۾jޤG^3H{P+~tVSҷ~U&V5Z3\}.(U^w'ŕ~z΍$r5N?JྲϏ/ aKDxD`S[auKP){$*1;z(2(xU1'<=Re ݼڶwI(?sPpC|,`iVF~莪xk 9W;y~ 0*ыkxb|hC/F?ɛ  ʲcǫ+ҼmSsP_z>_qvPrrB.2l wX+&];CM5g! c)p[*W[ E{VӪ:mx#G3pT%٨i$a,:etN oHd.v3n3o!ջL+ݶ{YC@ͫs*EatOODP^5Q8LϪG6m ,*!-x"| }  fxX\Wa`.9x{4ecY\#6Hk1X3Бg9&E=Khx_M OWE𠙧ͦ@2{F"Dg*HP )ٵeb3 !"A%ݯ╅|^4kp8=Zk"HֻO_UN5^]*N.{5)~#6]vіk0c!hBH̸ :nb5)ht 5(oYjr3 }sAfsɗڞ18-1gakIdw.ūTk.=FU$a @`տ iBC,?|BK@N9Laa4I&/ ng46\/U)%<;~#Ev=T7wkЦ;o֜R`+)rn!zGy j[OF~sE-͢ ﭻ"~GD])|9m~3~C\c9H 7ʂ {uAljAN=o+ו$s:@?b6\D T.CuZgz8z KFw_ qruTw w/$'Kzh^FGr [Ŏs (;]L HC &$]t7D#\irqށk`9ua0{$( Dڹhq=(/‰ȴRz_GET~V24}EL^q: x6~œeʳc}ѡ7B+#υy O)y$XazSm^ 3 %y:5VM(e:`׏X6N8 mԣ:9n\}+~HV,;3KU͌!gС7w (!SQw*I½NCa/WgoYz̋l90eeīoh uHHX[(s6C+)wjv i[ټ0n".-Ӫjw9%b2z3u%;S$!W;:h+cPFbyB]cvLj,{225Q"u1BE}GrKT?tC@UF* ^d<_|ewree!vYKVMu3$_V'i6 .& 1 B92J#&买ۄ]R͈H0 "!ͤp ^i-8iE_i~0=>DB!jisuPw3@Eo 2uGJgxOjY v>Ɯǐ:TVmjC̠U.Ӂflr7bZ}lH홳 .+;.n;SSЉABA] jw5oXU™M0YySjS)yz=Wb4gq\dej(=[ җ!`c\ nD!'ki(O>5,Y@5)^j9p7Z81dq=#5#A)|2?*չO6.;7(l۱VGIz|C'RYEDoPqCte,%;( "; ?f;ضh" nԞ Cв]S;.΁7.&GRO)fQI@HUHT <8S d Sy[2M)< JC̊_h2|Qaq#ñnYez-Kvo, ]jӣe*dw&5`\ެ=+yW'k 2?]Dq(56)IV)l_oH)Ig2lqTc8k d'Un:|ՠ }Q8ڀJ)~1Fhx±_Mk1W`˜@O裆8U'oAEs M"}Fy_r{\ʸv$0c#)#[ޯ*[~1gM)★V'#/S<;WhA\h#7<,XHѿ@IŶ0쵯H ^_َ2fy3v@Hs y,dp>ڈמq}#BOIKTQ1N+ucεTÒdm9vNL?B?pd1,N`iK֝Sg Pr{8t"n5%o'vJX*q1ͺ}rAP`<g8hgmrK421Tn,2Gs%W)`@k:ȣN{fp.R Q- چpӷo_G${t ^ s܈kf]}v]vL&ꇝ5[`Р]Mz[ ^^'|*{œVh U0 @{Q =bTһ7]iEa!0q3΋.^cVU Qp8z[y39eRޘU'*O[8:!r : F.jXpLJ O՗c\vh⃫ Mg<=O fr+/Մq4xgkԸkDqcdqI](5<(N) uLD p?5֑@2162JN|r3tՏ :Dt"^ǂ @""gt$a ̣~4LYF]T6{ [Ӓcԙv@,}eDnPV)N%;?5Dl iЬ @AQ"FZTto( CR륜%g܏taE/=C?$m :æ}f^YT\P+Zd'.ARZ P+_ueܰ/ƅ߄4TlϡDU-\'в]aΡw}̬wnb܆ Vr8=hD0; ДBˉj:OcqWךۗ% hQGj6c[+AĐn*d+ũQ5ʇ?0LCߙHX;>I Ebnj!/;HYzv颻f)ca~{ .S3nn!^ΧLwVӰ+üzcN#DY}cWSrB䘧[ٱYu$.!|4Q;|8U戝Vd][4dy`R咇F5}[#!Џ3|TՔ])S<3)|QuHK.gpq +nln'hQY ]n<=t6 h14iC'6ռ7MA.K1 FŸ$BS/>f'uJ̎ +(Xo4S" աdR5%92QӇ!_UΟ=H/ Dߵ.gx?T_<Ч?S n= F-p%&ø+HkȊ=RsoHlTKX6MA9WQuj_0{F(5DOSEhk07NyaqžRyxR cKK7j4ෘ"0] i!~W8ĿB*;a?k_3_Tm/z;(sTCT|M.3#Ꜽ񊞓wCTĩ'ccMdߨrƂI9oj2^ -HA7Q'j7h+ץ6kBIhXـ;gm]Ye1Ztq'[թHG6Bʶ GUJu"ü>o1 /h2c+ HĻ3!j(w{HKƱkv w`:Y6e} zG]˝c2<&IVQ[u!>;ℽF 'ժg-%!%ǔ[2D&W_,7s\'XWy+_/ϧq{1cwq>5=l= IPy&] ?vm S :;4(lR1|bS_܁|&R #JD$pA%YJY%̍Vts$]moo[f 0q4Ncܔ ]d"z.nBr;.iO`Swi!xs1דb kJOX.y~Gn|`?:n|LPUދWHbW48퇽rqa["!GǂvWt UJ+2dQ,!QVZPrK_y9|(m VÆj+(^ީd kf3,]KQ|v Xu&_:HKCcV V1O@Y6@ERhG J]a6JТ.  І/b񝘹)˽%J/};|c?-mX97p59mI_6\_ovaX[KfvI4# LГ]Hǹd|B*^n"JqFa9=B  Qc7>*oE}dϺJo4AĔJ菻g;?J[m;~X?gT<آ83+o3M?߭c%t i(WD8 6\YVozd+ &>9L/z?QVnmqU%٨ 9Mԩ ʇ[dm1|N_p=7fj h]ZpYz>/$DzjD(TƮ`}zZ'-+)Pc8fݮ|U`mnX\3#fSIhT ҮGI(HvbKqw\[9Ep-::);~]ĔO.8jfwɢ)JfYKsWIBf˶8,pu.Ȥtl W]vg8Ɣ*ͅk)?qS%I ϙ].8Iߗc! eZ]TLϫf#]'?"k]})۩dY;fⁿP2$LHBd@.s>46qOV6xySg- ]'Ae-)o{U\<%:H{nK~슔pbEf,dCubU4BZ> 7f5, X%`$t4G (DiΘjj~h9W*e eEXbq$d_cUUE2-lK@&EW~*A۪1W=4<8 R%Ɩ&>#dQ+#BM?Ea(Y[򲶣ߥ1=!ˌy<_BF`V[`.%,̟_\հ:ؾRL똽hO5l}@>WRo;MϺ^z lECVn+j4CǕȁ0ov$Ud- &=qGiBRXd' BQ6&ej\zLNU/z]kcyYBybnq$Qaanu]#=Bx}k +8i9YJ3~k(}ųԥNCG)X$}>Ŗ!HE餚-?`;:Joe VIxVi'-H$dK.&X)y 7Vhfܵ~pwܕt#us^4ʎ |¥Yb䦗d+H5-/g5uJ̓3oʽwjUG=vYik?ct 3C ϖ bM4x!ZA}޶WM)I9?<65SsvcH҆M."/>;Je c+eTOM5HD<xYPQMRSW%I/ +ف&b<-8q`wC4dekgIJN*G|[ZA$SuڶGcQÑVB䭦Tb#i3q-8C͠L:("0v[V_2L ̉Du6j=m~3Be#)4#ys(aB5̌)+JćkW [eYYz`f]jPCnXu[]ϐWEZ WΑdP} 2A )C(ӧ^|:w fhy4/.4ٹH}?V'd>CU8 hH媒 (|;_F)$KktCFKz\F ژI|L b?  dOb`V [:)jZ+Gro+F0HHUփ!#{E%MOO˚[`J ٔ9$ΝeV<>Lyc'Ǽꛈ8wG &M<>z8A޸juyz_7A YLF6 OY^cnӞ&S%SD &j*}ۧ_\q؛?B#T-JR  ;{-,7 ,fA1x؁%BGֵr ]o!t>=nttmL}lv{ƺ0A'v.!Ɯ]0@L%yu ^X5u|ZҀ,r;Ή XZ(!83Gd5}ѠȝY_b4u([ 'h kĐ'a.YBN7a*uT[fWx@\+V#06P= ^=Ww Lŏm_VOmEO @Ght&z ^XS~>GI{=crq9]r @-e2!v`R/ ~>jZ7K#"̈́qLF؅y[fc׫)]5͞ǎgՍ}R2ȕuI[W{{zCOGqLbwfo~+0hh836ԣ&&ۦ-؜AIEE#t1З-_kμ7%!_Mekqzl8fX-VZFu.sҊ%k.V P z 诠t;fGHϠ|CY{5k6>i,@9q }5 gj?&khFQV\,;gd S3]$I6v )%}|mW?>&sŸ +Y5Sw{m7J.T^/UepGۖ"J`Ybðm6upf5Yi-8EH@7(a3OjPNػ@5Uo6# 0Q?cssO U[)(,OaCG70x MՅŚ^I}KaQ>Ғ N0 <<2/bc향F 98o> :bybԷ=e?gc Mn6Q5VN+5m>0 K?́f |`y#Y'Ex`sWdU6A6kN⿷C; T(Qn{yc$ɖ~3\$ K $yg^Fhm)|8@նHV\fh4l*K.4EY 9#m-M1^ȓh?籽Ŀ[aT4 +AF,ʨ_C'W@DҾUW=r*MnlM5*yLs1sd=DiXm3ڀ"tͣcfSߝϠ^ EgeXڶzҠӧޠ}S @xVe,]uou"H7hzuT*TVTh\& ~1}~iQ+10vdo]/'ĥ]4ru:dQJ9W&YW}| g ,ښi%YphmXژ Iunx@⧣KSJXg4[uȐH+vوefbν{-$ ٢Y_8 uMY.)I  nؘMRcEeDc>BxX3r"Ѐ@1LF2Qq\3-yC&f<x ]&1YLYfAAqAř!%Drb ݕHUE|R$.Ҋ.IIPGӱqG&Fʇ󂘌ԚJ 鷃FMawKة?`6NEy0 ;m g[}c^EPgSuN^-0N{[z̉b4@=5=W%>Y6mERU${(C׻$F|C|>S8=ZC1CEF=zFT#x(/OB{DO1|i3SLU-|sR`r4cLe/]dy}uKatňQaPϊ޾FO7*!("~5 dG u k6iՏKgnR ?d UOy V&FNЛ$0ua(w*z$ hCZȱ H_ #;atk:"{ji4q@]{#@z5nZ lSv~8ÀF;MQ۪j◱94f#MytY( zHr+o2P/A [ԑJ4΃9+2; %* ; AMf>E]sI1aBm߽hVl:4ghgygX<܍BfK* &`Q17t]2r\97٘nIָbj CAmh|Nץ[x4B>|ۈi߼voh5zS8fRV d1T]OlT'LF Uo"eU30LM2. C9v~M%RZ lI-mBXrd/z({G,uW9oT|.7H5Mxu!KsUY[ Z$`8t"cX``ԧj^`N .Z$;47rP/^Z)vVY$$E1,6gȏA0+.`'V/2VD,L#SY&7Pn$^ ^&-ydi%*+\E֣uU }Lx9}XG}a&=CXGFVN'*t/2vfnebFrnHraaYN񓧛n` 5$rnDq-g[uRϛ`g687seU9kXkW) hfh&:'ϧfA0fg_ >,!3H,!Hl9O~^KI,3[+.-M VW6rHEl.U֜(ʤ0jӼb?"ڙe}YB޼Wa9MxiRe^aZ6En+JӑE@^IGq0?VR/qWL}ߢO9VwMȲt7V_] eo?h~WZ 5(p} 54 `!n*X>vV̝hZ| ZUmu| `Rbh(As-VݪlLZ@Bc{ ȫ,7qBy6)+[f9V xV/t~M/eW Tk:MWTݒx T,j (˷p$Ѳ<(8+B6eÑKo )8=#~JD"d+dG/e]GFOOLe7i@(,@ee^X' _g WަꝐ%)$c5Q|FP&C4딞&\w]JĀ -b̑qã853,"oL.{{.#4+w-tMA>2ߋA"t#ص/5&(V%XB0xMes6p!+"l$X&7Ӊf=Oe ?L,wmaY`<'Iƌw$a|⇄QۘW$Eg{v*;gB g@txj۶CVR0@Uy.Hٛ7XVd _%Wvᅯփ!KIܡمPV{˪'lWw(*.I=2TE"IxjTo#/e_ sL-7@G{-}PSPcqz42t\E2sABX+%μ Q1!G#&AƬh$H /Vl϶G 0q,PUσ.._@ ԩQ-X4MZJRh30ּλ!YhI; X$Ԗ?sqIb*{ B,5XPsGOp =hTRص6Cb;.{rG; 3Mt;1`_?S؂%jF%"cYXPӏp'!4 @:J"`;uO ;;}^]1$f[T6LC!$o6CT| ) snl~1ЅZ{lQ}?{e* Qg T~wC8rM0BR[X <˗]KSru{AtI#X!`bٍaX=:0 fbvGMUڿBg?2 iyږgY,1o4 aƎnAͽb"N8'GfLqһ`sRݙ#h%5 X`3H83qd TOjx7'{Ś0QLN.JY#Gw% Sp0<%J&eL&`ݞbL}% |}b>u\hDFafθI(^sD:wyu죋3~wHg׶4nͅGʺʉ0 GΎY\7ڌ\b,N^ hElECJ.Z p{\>6TgP%NQ:m,i͕SBTy ^8gsGKصw8iRȣg]Z+!gr=X#Mߨ/λڿL&yFi!xf :"?Grhs|9M'u2imP̐ 诣P,Ϝӆ~qR32m r:6ޖhMT:¸^.c7⿚l~cxH<} -шw^sƍg9|+̯(7;.OjmٯKh~셧6ay+  ;{SO C1 l{06Jo||V6ҢSw\tn#| R@)!@:O'CͮuoAYy)/d&(ˢ]зFN'+|iaHɓ3-Tȍ6R\LUzoSCVn9<~)GF-aq.yI!2#8ͧᾥZ/M56ݯ ˜]D-ur;JV6/ LIN/uFπ8M ќg Dq7dԏ? H.RV~/:=TJvWW1R% /!.1wM?vG.NCc.5OlPpy&Rr 4d \%ˆe[XGO MhP\a0L;x*zvm|vUόfG˗P_YA4DGMi(_z@6A%nu:Fz%D%I$f*gqio]~^:@5OԾS9w.Ѱ~uw"VfiN!eWW84mz`UuyAs+5CoZv XP Uw1RR?M Z2#:V+fz@0نO <^N yON_W6N.?MϦke=#;t/|0hp(z{E3Teݶg8êrifCٌեB +WA(B`|,9haKٲ{{n ye l@R􏋴߂}Mሥ2!KJ,rumh/U1kAtS ˬv"dg Δ-bU`rwWRGA2rj)a6DWQͿZM#/5٨<"j|/݄M'߱2P%pfqCBCaO%d|x pRAr0J̸:?th'Ei\ +>/8˞ ^V=-YyU j-@ }[W[#.Bbf@ ~ '"h,덎z/ ۑ3~h8>WBͩM@OXY^]^R6i\ [PއA-D~%  8b ^ms$WcI^Z[GF[TvrvJ5R?9G@<C $ּ9#S JFgl^ %K>u]X̝5;ƲM3Ya Mhtkw7e_:Bӂ;'O=~a' N̔ LAdΐMtt/5ch@16O=ptE&a Fl^xM޿}f(Ѐ8H cCs(SlƷy ɮxoz TYc8Iʧa|) %qidtNAs4rt/\ I1^xX6%Kdm/s[k%Hj#vۭ9Ao 7'@KS}Xu1T9'+YӝعBoDl"$%|"d kZ*u7i_xӱ*@3\Pm"I ٳ~EԬ?|9p> ^}9%zI4g!v_`F-h .5i{0}1 D.3cty) [<d^ӕ#Aȝ-r"/I KC?tOp6hmJ̢+u S:!{}Wix*Ohآ1%Hr &Ӫq{TIM|UPByo(u&dX[Dj@Xaި4\[2 B:(&%HcpaʛށKY"DfCeќs< AV|>T;0Ui`P^G6sPԊ֮ߝacfh X(VN'7[(EYspURim+%)MLuN!J5`$= Uԃ4BSwxKz_૷D~4C<.NzRm~iLHeHpLx}TE=5SRmgJYxↂǣ0Yu酮,$ tT)ޚ$n|7Z8OJ1d?g:P8ǴL3:2Ә^y _ XxSO*k)m&|Jˬ} fvE/B0PY,m=.9@W(C$USEEfإ#R[zl{ @^(JnӞxIwAt7iN;Ex!rO]f($ :{ʚ1JEh͐ߚalV8Ÿ0[Agؤ跑s6"d*m'AINtMpoy/(pey>^-F@]/ohy9xW0YxF"v[RJ%l$2ӊ&G)Dӳܑ&Q۶>q1j u4Bl]m(Vةm.o:"4RĈO:('Uf:Ҟ<".M+%MMNU$|69zU,ZZ96}gÒLmlcʭӛ:E2 1MP\Lw1(-Ⱝ =]J6È ۬ŕsE$OGW= ^f `͸aZ6nU!3I27aNﯟJ%%ס-K#3R[B-]h.uwSkpQ9~ *懃#`6wE}[ݖK!Ԩj3 g]7dM9W =O=i讇A=3EVpOYaBX,IR^l;Gas?xLs|[R+K;\)~|QM=4iU%0>eC't͕Ě=fc|d)$( fo]ebniTQٍMx69׺& ^f0pQIk8 2[ d%XZ uoɸ `?Caa6ÄqvYTf]Gl]|mt]3]dKHMOH8O|r\Z]1B EW֍,L9`uG ?rDGg4Y[|ك/hIi?{ 0m6y]%Bм,psEm@2%Lc-) ib/{_Ǽ5,hXy4MqNrӺ.,VtPJՈU3I6.aTkvr`?vMZz?]lf.[ ǐQIG.:;ICز5$&^6R5YvZj1QB^}5qMk4'Wp׭!7Kgߗ KF`lĉhsvޗ2ǯ5܊h] OsK?*ZH'KM޽gbcwIT?ux}SLVs&uG7Ix&$DJt &[o=P,t,Gp,}I|gY24|6vTOUn\K/b4DkGḻ?ǚqϚrV+¯E4\7#vUU?_w `BXQ#F1*MX5E<(z~`]&|kumS!+p'?PrCSB9ݨ'Tm @'AߣrI~`c 7]? b{@SgLo>zKσi &: y2ZJjaE43Wbg,Zv=kНiWh=v;/J&&uN]ό"mVXyA3iRtbc!nXv}^uJ}Ԝ[D}~JAOJ\V}բU\^!"*Sj'G7lR wH\o/C_ IaweDPGr}gtv!c%GRl M|01nakfه^-LVz0tQ&a<`J*iq~h.&;D;t4y,i¼w9u!ԹsgJsuO!P2 ̇{;v꒥>#`fB-)\b~3N\ϣ/Sѓf,ٙ嬈C)[%bșx$\Rߛy{la49L &A OZzS˯Cwu@Qxuܼ,ӱċ,o5u>>N ܿyW-DfZ2XnldLffm@41bGu+7W1[?LF;Z>2"#jD 9$;rZ~#I%J[u"9]Gfj믽Á ǷuR1~?;+kĕ%Ep="\;F[IN*! W?~tZELvv?ri:[WͰLXך>a91QhLGfq#JƓ@Uix~T(oD^8 tUPξĕÆ*K[ V)i̝]f+8,+o? o luFj3Guy g9֠j-4kt]|Z rΕG['0DSLvIl@3˚"]=wsǠ;lUۮ捑ۍ. 3ۼgʷ^ч6{ Lͬ]V3dn1utA/Kau@˙H=#/!Ja8\bF1Q#wӣ^mhN*KH\["@WRn8VFX7ʥČ_oxp4!CKvD*EΒAt@ (Y\QG$W?7[b`W~L\J{ẠQh6x-I@ӯm<Go!bU`^5+d'  Rի/btBr*-!SJ |^8w&MI zo<~) +f<+`񆤋̹,Hɸ7'8շ04dCosTXEe~ɛDB(!&nnô+Y 5j\0 ^%O?/C5nR(IuH.o p* h@PP,9^ JyLP]\y}i1$ǟ`.!s 3xt\۵Sp])g52c~WQXry )K q?뵑s`NB´ƂYt7i!o:~$ng!|ɃW&i#Ih@Zdi.գ̂1n#Zzz5bjx8!2?*. F2h{ bm1)G0Hޗj? N[]Itp8\ I^D&V#WԵw}3(x^o)dP_Ll)a^-g ]47,#;y/ny4c@Y](4M{m ZlFZk:v+TD zݐϕ\g8vSSG%͏YԒFj-֮%guھnm!4R燃Q\8,$P-`}xb/wsw`o0GH(% F̆az3K?^Ҿ {02x.;l!eH F{"vi{!Cq!Q'nPŷ4`l$w :hdYߨ,>صg@OB&>+c9Aye%Z֐>xٗnRgnK:Kd )ݐӧD T AWE;X{ K0$m)"}h` dX~Ł?B pl6u%]iEG:zT*合4x㞯ޒ @ iMMA48ҜLC뮁-d ٍfua /8/=ǣ%P5餵(GgDy&9-z|6!1VEvA!FNPaQR]CLGIͣjeQ:qct.: EpGj}8U7~ VjR/ͅ 蕾_/XH3֍4zz* *,3mԝeq H64\↏^-?{"I!:o!&3'G(z2'c䃃}y < .@FQ 1 L{]@IRG~8w6%^?Wnqgyד(;J`к!¦>Lxb#܅U)U3R4*'&Ҝx0놪3h SE|&ܮ=!N:UXX]o,"KX ' Wcu>?W?&p#S7 P!^ӨpݽyzcS#;mnG駠Kmͳ=*4Q# Fѯ)  蹉+=X8$cdQwJw`u #NsbWJa0eh>>S;13eף!y7x,fhC!KaMC6OLŎ՜ $)YPpp$=1 KGh绅Tb3a!螮x5j02>C;Q—! v+ m54dB=j _s1֦-Xd+ʀ1،5Sh2:k}9=}v^-fjW魍#޵G'f/.ËR]|ZBX P HvïRa)wU*IdOdG`ujGADCLtSkq\2kMdNr7[1m & >V\9d)tXh1@_na0,qc Ϗ~u?-T'<GƁnQ|Пx`䏢p(keN@#[8H6~^„ /}sM-nJwMIݳ1=^.4y< sSQldrTS4E͋S/h ^WR7; ~ g|c̀;5OޫE:8ɨQHڠ5e6/8)VTSϰ};OGK._ɗHpq(R_;Cj(fr3Cf.~,UY92Avw"%qXxmT!C$]H Ѕ?]NK Gˉ13/U.r2/ ]b^e\[^xJmJΌ%zت.S(Y?] [yq❾ԡcp3iϒJՆ/ v.5.V3iYflcbˤlȖE Gş$.hj4PW k}A-TOW`?n ΀^Қrdb*8t%_"x zkM>;>&R-`dnM)ܘ<.ÿvQȺF\mZɥsXbVemSNaoAz +1}ڰWSIT Iٳa>LU<+FЦdXȜDA'Mc;!$V`2|@K}CMXIt8xD.I驥3J 7ea["]|^gƸ5yYK J&? ]7t\Rb{u8~? .fAgMg㰈!P9$Ck؋`¾Zk\aE װ.Gm>; T֑^(Ir(=P.kiZhӊ Ә}8y~,̄Ow&>STA6/V)U~Ũ%Ǻ^,SY+e/^ؐbHGyӠ,V)NfCN1AJugev~ I?bNjE5m>՗Sp`Ӫh+}DФ :?û<79ƴfц |G<Ģi)0ǴUK)PH7ܿ4h  p&C"#Z}f(Aƪ~\=kTY ,^CH=Mz/POkz̽ V /,}>l'0_Ks!C \Fx'n9-lj.;NiZS:>#PP_7Gϵ[< iCNDV"YrwTS3D]#wg:NVo<u7,M3Z0vF oTGҭmW"~5%I5r͟?U @?uX h)cSv^ XBQF36@n{x2 ~r[5FnW Rj,AYGjE& |/XX.A7l}X禰3<0qt XǬi%%q;w~ypޑh͉} s`%ḽo% /LJ=aak![v_!YQaA0?ݖ"-5:fdЙmGFH~e/"U쥄 ]̸R)dyo.vgI";DhPF:w=àבֿ_Zޓ V$Mz g(-}57D %/EF9p fZDE)kQZ :y4{T;6ZSuZ%EzE~g 1Wt.&y7/oErAV8SZPV=+d]ӷۻcK\M;2G rx?xa-{Knj̙'t3ΝsZ+ɉWU#1 oBkg襈zI@ZOv2ֺn<}XVHRp,fٌ6oKŹ L./$SV ܄Rg9=$݄z_I V'Xn9ĹQ^:_h }0CJdYpy6 f^ea +FN=j>)@6k"q| _MG 'kKo&EƣcE՗VNz8y/ 2l/i'Vbp :w'*rVGv1RTd@*cZM` "4ޗ{[@!k*4J he1{n pV[c|Ґ߸|bxR .8(PZ$xIrC?j<ޥc'D5s܅!My@5 K @ef>Jȵ 7i׭Mlhɦ.4ld ܈w8g%J*2 L=U4 83j: qe 3E}f;հ2k_W#g[d1pђf˞ %P}IfJ2fdN*ZD??><3n;nmFG -@_˥Z]FL/H~:29gJW x4pVwgu>*t/!~%G-$[AJ8i탮"?]u~Js:2s 옰$ً2p+7Sr20̰{ ՊV>x![ DXDWP!% {j+d5?甈g shA29SxvL };ua=}Qݏ{yn_fAsQҮ&.֮0u9*eljDzQbpEJԆ>0:/g޿'d8phfwsV$woȰ+jZ{f޷NB1arIP>z$omLw~i+KEN LJ;Ѯ2 ӎCgbwa+`yаz'WW]q"# $sԅ1{Nlco 3Eֽ1x9NC_)P+gOo7pܝ^QCZst ~aWFf)sN*gG>>w_WTl\Y}GXx 6ׁpDa>r%+ld۩$v4-|R0[z+whx5-5i|/kФ^-BUDŽ?XEG^~ptUrSb}BSLf(>&QtX V1ްNoH>AZ̺'9*9.gKWMz8h`a)=d^e1b"5&Ӛ l~84&BSo[c1c+ SmƉz\F4(f:,2gV'\h;5oPHTjmaC0&\N%FwNdWȝ!~^Jl#}$/D7 }t\U\kSVSA?!q=WCbB u5@ūy#L+Ճcj仜 >xv@8 bЭ*]_ZWԶ..at|"rjh*DhlY;vm m-n[h- % 6]Twc` A,{]gcA_;û 1zT5TqΚNd/"X7R[m<(6jwsds\`] hP7nPm&~)] 2kT?]4bKBaNv0#ǜҩ"W&HÐ(>?EŹKk !OA:'.f/G9 草J: JU@?ǕyU G-VcOVy )ryO,JY,N7VU)^0;Wf>4qnYQCl0)7TU\{gk('Wczً=}ORa+<M7jK10OyYNk@\JZA͝Om\٭E-?/DΧwϸm,\ټ0ڧ2"?t?73],}6McZ?8/) (/aWcUө\>"' q-5ȅvDxO| w=Syj<]-nW !ȷstM rTTmK*t,*`7vdj+]I$zv롃cZA7APm Rv|eOMN>#[Н8g7!.2`SSl̼] 3]ҒͲ&f`")1(` < 0O g:cR#a^`rFKNg2j[LxvQć/dKGwt{z|p}5f5VbRXfaެZ)Ze峬uxkz6(!4LOe=("}:Y\6 gD^E?'B%pIhؒm.Y"(azwZTLoѣJ#X?HM{"l FZRImV/S3&B93)o\^TfGPQS^J!ۈ&CɝL6C:S[>ЅxECn𔭙&atfso]?b1P Gg*Suк!MzF8Iᄒ )tQ}ǢrƣRY0BWa*:-1KJtQؒRVMG1/QEZkiЪ8] ){0Swwjh A(/=B8]nپ zr͟VQ$Od$[=;ьg\"Xod3W4*G JsU =v`VDʋWF[+N˚6VȳkO ?:+ۙý:+[Miad ʼnKޑ2g fR^љ8TjoM+4:gQV(.JaA6%B6 דXGCRygj>CϿW*zme~>K>& $mP|kc s 1k| !^>Ʒ6e6 IscQ[{GLqS ^=W<5Cٟkix7C} o l(Q-8IcS/I+%qqe8ףɰS!y2ow o?G (jF5E'Ҥw2"wPv8vGPE勞? ;װ#+]#mcδę (\>nVaX}+(O[&u~+Q¹eww#Ro>y[t,켜M|9[+]LٖEm 1rF-s?=Ԯ DX ażdlRW, V>oyҟgQ!͸ tA/í=Cv(tZ듓+.ad44ΞhELNw 'ڤ)53^U´j$ڪeez%?shUzM)H>n:fnN.CT2z B!1 lK?! ް[RUUB96Z^uR 8X7{3 *^n-m]]+"Jr,.|㡖 @?X5~H>sl3逬F08t, 9cgwHI+8b-N XR *Qt jҀp=) 1.2OG{3& yc+1/f%bC-͖Qխ_; ?b^ c9 ק<5I )|2V,wfJ}1Sd]QY)¢8N+>3u h09ԯL)$Yn7d )1_%]@`f/3Z9HѬrMEop_rD\zqΖus4:wۺ:%; %2ybdsֻ 'zLHQ&L;p7%ukM#LfZEV7E9,%BltJũ!*(ďJ<ň_ߺDfȑsOsĸְʮRl</%K%Y3 Sjt^p/hiP#ϳaF^Eni?esrsh??,@n P=D5| ĵm⍴wސiIȊS^k 8m9 n7 ռ0or6:cնBՋFHAm[N碴Am]CyKh}8cm] ^xYb(<[ j'KxEDwnj_4G#SZ-Q5w%}oyDq6x@͈A"Ȝgz܉^sS (Ue)^Ѷ'*`26+<*W蒲/D B8`Ԛq_mqv+#xHR菐+.r$:mg(k^[c5~>_Ҧ3{ȝ\(m,Q!amZOs7*<w e7a u& oq|:5r5ӦS\)6xpuɇ@IhN,= h3-drVF6BaFAFsw;PB?O+뜄`T1S^ KKRM,z{{i`qrݣ= Tky'R_o`\Et+9+J&߳FIz$aCCa%X7 3ވe(vc%YMױbQ.]5$w>KCQ7G>#Y0mQ*|C&ou{@Qy Kۑ6. eq2;CWDGMg"Sr5wfNk֢Ί!y;rNAe.X L {윑=hE4/O^ᚹƌ{V| %rvF8P}frܪ3.ȫT`5ЪyJ[[裄!@]o i916(^>aSpjMn=\?֞ GBZt(br N++۫r4ފQj$kKEӍ..qZVH8Ziem?o5ٷp`1Z9 kΔ|F |u{0z *JSj \4Wʂ|̚bʚ#^Ұ0(c1CYT5,*BYO1QTb'旋\9 zиDkTϕ@lA (ap ]*0Bk Q1O/fxov. >Y`o4,_9S-VnI\vgQָI"a*I1LSȱXZw44xKsv s칣bڑSkZ~ne1*5]yZ@.B~f$7a  -EN)*Q Qޞ#u8w,/NiKr8rX.T[ocuO+5XEM/(nuKx+μ[ۃ^aw`3|ΊWER'${Yp(8uRCm#iPC-c}lc}s\|, >=2[71UýwN Dl'x 61ʕICJtuK_ /zdF5}Ix:P~qV $ ej &4a}iGK Lm[,m691{vXD4[$nɰ߂(d}꿝aI1|D/;4|쬷(;y\25Ùn*>ǭ$;քivA [ɥ _{`C qU)[\! q qCL1Τ}5'5JC *b\V8 eV[CDl2~}q4ϸe,9 Z4W6e`So k|_${*o->ԢYM-4C@`/&-K#he8>|eJ'$'^!9Fc/ lTcGz?ͰV/dar6ґ,}ꃗ\Y.46B2fme'9"dFѼ>?Jԫw7ihAZ9bOr$ +Xo`7QR߻|5fK26},F_>9;&GY̲ ġx'[)4Uɧ`@CJs dWrpҩ8͓Q}i8L8o9і6oI"`P!xz8ۮa&ͅy:VDr4͐38ָәͬzmz\*P/6g. g_Ed!]x\?KKOK{2dS^l3pr(wwݴ\S'lF|L[X]ݯ^/t4j%3ߨei@9k{ "XdQPWuoRYgײ<%_LK}=2 3XV4x̲%^6dk}}I'J{47{?pnl̎Dz&6.xkհFY /j]V|wJmJP(j;%bD$dc7Vk蕟Ts, C;" V%_5;5O,GԏHMVJP.] )dL zA`$^S&\LJ 6%pb0"pYh@{:_t5~ISz~[7RkK\c`dx=;ᖏ:I<(U eq EIbZtMv6wB#r})`#Q6Az#1piE<&NYԿ.ItXw5a[f1PFАeika4 k(C(j-X^2|ʹlYI@B@cwyn ()|} #>ƖtZVT NrKRlWLTw"`E*v)<L@PlJ.į.8*hCX22K|5ur%f}{qƀ'f:2 <扚h3x/?J=sfmO85 =4mV7aIzP2IKmi%jؒbG3;Gs5WTޮ*о)W1!"Y{1a]ThħHrqn4H2:Mfwb|1H^~@h4F%9y,ZU6͡`}QK 댕齺h9O.ǡD{  ;lIW?v>{ =PG-d`?(^;yA%Y@~>M,xY緀'q{1ƅ$a*殦@oM휐S_-ws1.*wdk8<_{&"fia3pzq b]u+.c:Bz~j.!* | \č޹U/̐9ڲ55J ctȧ OyT9JKw5m't+kٴw#.3OΔCyVpN,+֕]w*H%7!سLc x)?m4Mo[ϐ2S=羨,R Gn#-J=cQ Ak00ޣ*bhHπκ 䤌.-7|m`;w@Cz ̺BLG?QA?!jt)ئ72xK}@p<[*X8Ʉ0U%^K`HdIg5 e9x{-+qsAHH)ZP]rw /˯[BUzH nRsIAE,]ႡA=DcJuN̯?QNԐQX$c=ʮ m-JiyasՏ3mΟ |x|EL2CGn0 UQK_ev:}p͟:&7)T,?;KCi4^"n㫁wM,CÖeR~ 8Q:X[y$&}cU" W(k0@Cbpc,x}qKH!ޢ_03]V?,/f9WuYB>7d@ ȠJ&IWozǼ Jy$RWT܆[!0J[e|n 3i?_sQ(.g އPFCG|&Sj! PvݹS+]% ڈObCy?0Pkƭjp/yJ\v2V^^mM*)dBUNI8SWm2B#gRw7׾p@zv|n*@$)N>x#.gL,6'-IvK!2t(^ȟ 6@K}MBQ)Nn>e O2j6X#}`^C cXS. `ƭJ0VjME;bռ,W]im2[~TYsYfpcdUcuޟqJJ&uPbgE'V (Kȓ!*@G_3׀f}gەeлһtMx&zBs +Va5QWU(o(_5E0]_yRe!IMt+M ZqYgkG͑7#!f˷jUʳm}iLCM|TWYpM36fG4ݒ~umb0Dhf| {[hX/şgay6+[YpL495~  ^ޒ /4t&&YKp+S6)![R⟲tFbVpm-ɸ4Odbp!$ꂶS!ʲ78Y㾢=&q ۙE5pJm^IQԵks%sxq cv;|,kLt"8hݳHǔpB LXe*Q wxn OeqHҗe%t.V5 ]#; D [,2ٸR5$n7Ϛr?rG7ʮNO7)Ѡ3dyĩζrfטPʯsH=Z=L L3͸jc-3pNƺvṠ=[=b_4K`/֬*dzFDEzwk=y5b|ǍLfD/8\lNd}c ~&"Vj\d|熋 %*?~gN)"\UVܰћ?O\Ȏ}_p+eW3_euE' X& zEBH?*|vL$62S}Ѧ] c_>eK"40Kօy@j.A\h)OL]kyO, +,[$,H{<] t(W13E ѮXCR(b?;%ss`"xyƎ7`>v۩rיwBt(L,{L ƪa+{ck ooSȝE~wƅa-L(L ˪,[=f'?"^ϨjJheɪXT3Eؽ֜o :FSCB,ժ'1lZg@&q&UHltxVTH.ϩ7٫%149VetudY'@U(^;ka3ޅSz8]f|A5~N$PjwTBc[מl`<)Nz$~1 ̩7r'ypA,fjPeo؂[!r.`N)(Rśdջ:·%R*Rg0y>d-8Èe]~If鲕\hȵZZ+Ό q)Ă43Z gS5[3Á5X ?q16w9A͏ym3WN$>; nbppq\2LZKn#h=TB iMzgd܉˧aϟ*OS'p"FvC>e Ĝs^ 7Mus(1yhRQB %IR9}K{}zr3j˘AqOcOG;F7.#ЊJ!u S+[NESHu/$DRk?[ pGdt.ϵdW8 .c22jXB6P<^qGī(4HQ^G};G+E|ubzfٷnhҔͲXh1ݤ``̮ڏfA@}wY@% #TF]hxu@m(8WLZnE?EEF J̺pQQgD@ } $7ye9K;؎gg`dK#<\3~ܪw^W=vlyl3(DžP!y>IWq`&/j`lÕ%ކcp ^đ%N$njW4w:oY0(c)9j[ S)_xPZlMF .N孁nw3پ:,M$4{5}8n=s_ k<=&tFO5\PeF* GHA'|mFp堦d{VL7=DX@_@-AXl߇!RC`܇i!%=*1/Nf |*3nPg:sl87'6j(*@vz|qLpTriNg@GY xk1ʇ0'i1)%wYX`$rV\vʇT&b誔'0_SI|f4g3 䞤S̄^C5 VI1l rLΰ5ǒ8 H Fڏ'kۣruM\^U׉群y$5 S.?aw6O4 $m x\T8Gy{8٠sSHb97|uW9ټ)W8Z)5Y($(UZkn˺D~T&>nJ7 /('PKng"vm_xwS{qG`yeei]剖zAq͓tXP(ml ɖ$՞B V5UGE?7_o HEJg[zszZ|#_ӞYAƑ!9/b ?l V) Vlic(:&TH85_Lm=hkteDlˢiJOs45p.Wi6˰qwM4FmHɯ]A1f8t=Jv ,w yhRf+`9(L1vQ5ahH"ވ O&bӵN_gl:ߊ 5[ѝHyEJ* )垌VFO9ï$k$ǰ u_| 12ʦڐ˄muٜ2bO 1Ӝ~Qc´!8oca&:אo3ORt7$%@ktqF;/C_z|wP7!(I4bpfIwdMФw >T>2`TjT}qGXhЋ1$2|Ѵ \EFV %(U6jۈ}e ;X12CDd|WŹ}ZHhXG,s^<@7"wKXhHb~C:qꙆ_hn v#Zf`o;Zx&r.sb@-I2 ~#&4m7oo [^DEGp'%n \o#.sKDL8"vU7;j;"@a) |~D‘qJ]tUT6ǀ;CN0TÐ&n6{[A贯\U.̈!Pp)a沵'nyKZxo.z[<3ԕ$*{6⎖ ^^w/d@"$zh uBa 7 1c1kp`s]b]!tM0;ycWG X m/:SͿ'uw(hR4\r:eMfut, " ƀ#s-DT\*S*blsY,~w%;Q$܌_H늜h>~סF_;Kd ꟷ?+ M$-beoW{K J ^CS#w 9MdX7^^ xl ТD.$+jzX@~^zA*n C-<\=hoy*k|~ڟVv# ~B-g` jOjd88 E^B?`pβVo>A%+}+iȫi QqTOӮ.HF@BI\CKdEMۣeOPYV !IO#,⿵2'4݄)f«cѕFAHb+> &<җw^x~ b+T"Y)y08|ݱ:DX{5$F@5! ꜰ /5y$h:_gJOU;-"@"gDń30zy?^HgQ2U8ʱhٿO'7$|gI`²@e& +<6 gu"5>OyN!|f1wVp6*XAajQތ e~S,1VJGkx-HZmt8>uΧGAYIm@N":$30~#)ϛi.\)g=&@"/h 9 1 HSSHۮӍos z-IfmrP\d:i䡖 n ^βS9NO{hDŽgJwT^k%aMBT&FVFE/XY04b(PhEQLEuZ k{  Tڅ-q]ާٴ&A*xI)&:AV&AQ: akE=HT% 1ʣ,(Tnػˎzjp=u+tCZ!b'Čr{X*c{ڪy^2guMokǂѕ A3΄e-V $0pVq4ci%0iSTo0hAGj _57IBcq*_D,%L2DJ|DySSDo|_ X4֎E poxh8o"蚍Cz_ tiE-sj e:mk#_qa6.kT1s2#?A9 }9cD McEuLJ0 QT`Pɒ6j@$ {SӎM`A2pp'^!J^RwjWɸ_CRd9TDHgJQYYQ\QÒFPquDw$a{'Mɷ_C4.]=k-Tv: ,-P0&7&1W`ͩi`}S8y&ZWVV=TMǘX0kwq$;'a˖ƺa(=4o|^id6M?`ID-B&{,G|2`xTMڥ\DžU0dd?^N=NȏaV˫.^V7ޡ8BWO/(LQ,P=nAxF<. $V u-K嗫y}a0^Sn5C@9l(5,*f" ?Vr od* (V0A3ЪYύ+ HX 5F]2{/wd׹Tȷ; jD q0Vi&VED"ڦg-..HdPjOG_akª<0TbpX7Ɂ w;wx‡ߍeCF=`B p̎rcHC|LILf07RKK; H~?ڒSc)E{|5(*L$CqhuTS+2Ƭ^Pe]jξ^Zn;{[zF{l踲iBoňU"0Oc qs,njȼqT5#},tZHikeZ;liŮO/ݥ io8&a_df Eź9s_=YvT#/%O(XFLff=۬dhZ+! u ik MZ1 z*T]cd'~ј3z%$ f[ݨ uL`Z;$5X14"@iE--i{ +l"Sܻ3(윏q?KP.갌1x#s*OJx(GwPsӱ9Trio=iw!zeo:$#8KE09*9/iCd]#|hTKKe]&]Ӻlр k_ <%.5~4Oz+(9 3АȿU-Q"eҎ}uٺ*7 D|l'|Σ'ŲZ-SF{qSjP6dӮAWwnwG?5*Djr^=bVDG0QhKZ)/'6 daOHdݒg/0CCR*[R6R\%^9L7Q<3bm(,^oKLDcILxiP!@vB%>{J#el+{s2[{OɆ$QZ|ε-1zNqIdm5#ЛÃ%|p,hfFX,@Z\'?}`oI"ޯGch߃ʸsGAϳklJ#?Tx'E6sa\ |hH-cmVѫ !_RTkg$zG;Lr ~c2cJ2ӧ^k&ondZDL`%~CKzpY8;`嬬m*cr'o(+a^I('`P.(MɉW4;:u+I6Le<{7ŝCMxPuĎ :^Me~7lЮ,#lg&.-"gRb3-e3Hz&H!Ubc?p1!-ܜ4oq& -s>mENA\*%ޔ+ Qr@z PvX-4w E+V1:N$qހ YG&1 'mdvVK' OXЇr=.p.tEfiX:7Ѳp^E<';Ŕ(BFKܯJ4(1{=ZY{Y&~( 5s\>Xj9{_a\v!YcSZDWh>4*MPmOo1 1hm%|B` oM{O0m'Y:.7m=/GqfP𷒓V6ro.D-{Ć :C/ ˠ`h{`ME N3HP()Nl/MAG E3Lj-s+3 v̬b'y9Κf;/z!?E`2љ(Yq0$b=H(cro[ݡr_n ILyjV4LSDfxPSpY#NtS(E*\.o(A1LV;"ڊcNW]^nhb",#3d!H6{>g}juAgh]dUVA (~Vz miʡB5n#5sH=gXVm/eT\m)W?,&`6ع|?!VZg9(@ؓjs6{AzaU8}V o;ĐdtXh +`Tf0*Σ#&a}(cbHnx[N ԭfp|-N/:ǠB_X{A>h!mOKY~9JRlW^rT|o567ۊo%z5ACoE6s=LA8nэ$R#\TUw C-[6ʣ?4su4?BmoJktnT(QqTysRoNyI>*g!Sv[00{QJCRc?n4&֭ahA[9sP/ n:ӜjvR阍6BRf*Twxطa1Qm9yX'BD3X=3 hoϏv tBAHcE /k*2*_Ɂ#_d4O\.#.ƒ dEGY1FBTI{x@ OXb*1*5B@L>ngUAQ0.w\N:):Pc_u.dymku11,K]jטŧ||0 "4@" Ex;ةUFp#&aPI͹U]oyJ4S Z KVJ^$^R ejobN seq+&$()դvb4PbNzPW@7,0#.ߴU8pfAUKk:bNQ שϲ5]Xm]ץG䒴r݇l]!ܙY[6p͵+-dxU:pDm $7Ӧ|y.T1RGzBX(OJ+aܟuN]%}52ph ܚeئ(sJDvU{&*nbTc.),ZmABQ\IRW,{gy?I/Yez@S͵&3|k|`[*@Β!fi w6&4SLr~=NV;AT|olt ƣΜNZ{oZR(cP J V>}΅4!U$oW&E@@!ާY/z BF֝/Aȱ,^ЮYKan躚< 穪7 (.9Neyݬ.rˌ۪+.tc:fˏL)7TNtl7ԫ9-HuaVsgި)+?Wj"4渴mixՉQ-< *C%&a{W?[9QNB}UhNMrUt$.yw7S;k)Y;Ί39)\#3)lDҍ)"ֺ $}CHT aߔf25){Ï"m4c.FZ\C`R BI{T_N3ŴwnF2Gj) gZ"/#kf׮N6e\mu(_0>w0{O%]h9y|ݡJYUY8q<4 rHDTKWE>uHZE {-]Z5`q-J}B_W1_KНūTT3-ix|iju.3^^Zlz$) h)6gF]^Iz6tITYXMK("K%*+(J9|'d1k.+'Ȇz{ U>({)-(+x?A]& JaIW:i^T& H-@](]J/SZAS>bIy R6@êV}'찜FCKp5F3r$"{(V9Z{db(46:.vtU,V)~:ƕ-~=(w^JL7h,B"Z'WsyHhhKeAJNI .=з5,[^CXIKS`P6LB[Εb^0h'faUEu9I4]託Jg[ZNjk8{E.e]糙q<Ү.#S7Cb弣"u&MGCgKaMed֑_GS{;U];88)77 8 6WOAUezE6 "nMl8 k^Z^'0jqboK3Ie# ܛ\e?Dc~)ۈtlUaB'mGx8>JƚðIX$]=m)@lv@"@0otZlxL':,YTAi )!u);nzםpZYS *`f gkS َd6FG1L?1.ٍ5p0P~sª"Jc)ZX.F #`6߼Ƽ(C|nCmR& c(h+s g*& %\_0X\>_H,P}H혆t{awx+(½v)_̰kqgr)l;l;g<|,+{w촪6f+tjML3M= $z@BI?eXT\ڌ \LZⵖza&8aX6sdť:"HNކߡqQ(ֱdn'ʏ"%/{s] EsX@ 'jnϲ˔|L,q:~[MFIHQ-O'P0iÿW O*a +7:8Vcܸ,wfC/?q`ܷ6 Yd&_],OV'pձ1@)Hn>x1//S ^&zE5OmϗOCq0* O!_ծ6˙ҋ-FU+\Ľ"oΣ> Lb@MY S}&E㿽, 2׹I>JY{\T̢y]ni ->ClXk\Ee M[xez1ڞvcPUq`wgfr>]39#}T]Y}m##GDK&vU.x0**i(BGN?IX,Ӵa'v-B:OL_zN}~EB۫!BsاY=O\;/2Y F`=l5H$vT d]Xj|>f#%- ;,griRs p}" .x1R l@zșEBrt*hG<Q/sg #7D x*ޡd 8;H,2&i)X Zz0UQoHv1 t #|")GfR(T;X7~F ]Vz +'ZI\ "rsic?![#yjV"IAF)9"_ck""}ԥUi GGoFU[#Kɰ#Aj`фfRIUl4S?Ua]ZESjk/D\&Z0R+/f[FQUudēq:bѾr*JDzn8˰_b^e_o`(ٟ\h@> uؕ -x%?lcjڴE\t2 ilg7U / BnpkvݺkD=:y;؜Foמia1k={(Pc<`@I s?b)\aH-xr~y?<)/ "pP@bU=Ia3˦>Hmjaup^~w^cq(cM g70ϧJy(}÷Bu+skk\ۧ[o:>֨OG{^/_GG΋~Ȭq3(l߽?^6+3(;)]>F0}iZ}9 v=O-~5q_ &]Ԧog]dQy;*ٷy1B)ıQ8-yJk='mh8E+c]O|PR$-&K[iB砇GЎr]" x?y͋vh @>U4GX!*Id[_F}UJ5bZ9[ ?O`VcMa?̠ |Mo%}jN1"Vcvy`+a!T!aGv]ƂUl|ˀc.-,J}hyliT/"!0rV;3n۞63\Db.jdaumY=}JdpU/} @!uZΔ~bF){ǚoCH 0/S G8e*O 7B7Ϥzs_Q%%%JYԇcU`r؀GxY43|2I-Kn@xyPCo;!xe-B?R+Ek0V\G0' &;eQ~jߚ̫sg [[{L_0_jݾ2>xuT|PrЧ`h0G3b7ŧ +?0`~`sSd:vf-$k/;opKb^ݬI6<' x#g##1WޓȩDJ2Y[/Uq%KqWHЖ a5XC2@cYSb>D%ccd Jc74Œ(\ :,D@NWslnQ~;КA+ðh$Vc +{1qP+VOdpb3wl Gf<>|?}ga{ C!w+cYe 8>qx4SZ$K3E& j5 "Sx):|y^\Mk!hWϳRx1LE&f 2B6y1)^kclJokky1~7[J_~S0`"oM9hɣ_ǙM،+|] Jm2dsʚբ"eU8lvM_N^#9Bo[4Z&Ey@l6fDHw_MÍ)y-k顕|U:3uL5"ꋦb-`t !Ia K!/N{9S_D ȳG8|Ҝh1Dq 7 3Š. Q^Z(j#&ޑVx3ZYF±9XrbU@W޵5@P{z%b nċ6ڬZu>Yȍ,vU'zK=P˹I̜i@hi*6<}iev]q>8;yU7D-4]}Ŀw@^;st .ʠd{: >l}T1G>R0|RU<{x"`;łPєN)ig"*TTAUR?Ep,ܮ4<~wq6M]Çp. 02cv<5޴޼Ah4^h+"%z[1xu(fotϘә]\F`(I HXV;.\aN'7'9$jz'+!\X(eɭ} :Bf*jJ yne8t&J(5⚹ߎj&S:?Anyhzu}{b:=>4Pa6*/]bku (̬&Ͷax1{|Q-1L-oFooNwi' 4{Ln'^L|4'*+qak0o+kIK.5a lI|d/tm?uS]XЫE.~_T)Er9`N"*)(DhG[yЉq:3p(oOwƎS$ΌXq{34wW#Y>vī+C.ۜ$&Z$wWj\l—|m&U!Y 4|e*dJo ?/;qZe0A[A.kQXNWyX "|H]n3o *^ h¼+8>Kghs}KVr fIÂ2eCdG 12Wt>]6jG]Z%WQz i\+vM#wϭ%6olþals+aХAml&g$2P [Jg|KW]=\g؜S1LnCK38\wᔲcϾNŝהJ-tyQwJK-!FqMCdq;{PD<` ]B9$08K N=F44v3yQG[; aEoT*0hv{jALҡMZ6cH }WL`HrjC8:G1~rM3% Gzrr厵'v}@z.-U1\!𽟒 {ZCx^o6Ϧq뛮H-ZOe.=z.)1nf[[ܚ *;z`bU\mNɜ8Ak~(傔 # xyvˊ7;==@3f)k%qw]B,>i+S:gvoŹZ j7B;eaӛ=65ZC!P$G AMte^,ՈR_c :sՓknpA7("iA˾ߵtBQ/Fj߹P:D1Ŀ;l&`R90nlXew)ȣ.e7q; v͐fxݰCWr}Ick#ŨT.^F+TװUi y0Mf zi䲺~n!_/%|weY9  шiT<ywRQM{ ]i, Mh1eaH|j>`4CcBZ*j]adyHMQj-= @ŸT !q݃[2 Жﲔ͓['T|G H(=s*=0CA\@,;̧'08_ %`ֺz:|$JT}jLsdDEb3oLd%}l; s׈P[S =H*Ai=%Mv_bCE4%f#TgtӎE^.pQӄZi*CDߴ9UJyZS3f>ձ2y*{9bL 9];hkiNɪ ;2]UMajM23W70ۤ8.,PI]N\Rvl#W>[{V$yna؁Z+y$fQr"UHdfH=[gu-}χ+%غ 4{"/ԉ`թXIw"|aގeW]v2m\c3L( D"J:qZN͔kL#'5+g\v$I1ܑj]r)ov~+Na"2kf+/ٜ-O̗Pڗ!"IJ{|'Zdl#3˥D-=KA}Ytذ'~_ *ޒ\cg{s#D2 'SLYoo~Y_K uHZ}2o6`ן,̔'Rsdhkאsh6dйGGsDXo .fk 5N2M~ek&Q: )xh%= zĭ_Èr 7rYOE9l$idaaUAETz`|=e.̟Eg-,3'҅&t= ژʢ(y jk/!PU6TKjOwQ#P9- # Q0|2TF=BR/;$x_B"%}H 8w<9xt ݬO?&`p@|,%Zi:|E zs|  b0:Bco{op~ *RMܸ`0w !!R׍"9B4m\Nsܒ߸FO9L/|ү%cVsY\g?)lvrRJ, ^9_'^C/' QmjȰXIݤ\1{b(͑%"-[ǠT]OvaL?X|l"O³0JZD#wOYRPI7]NvȰΜ4?yU^vw u M&4LL$1Z&S= zTsATܴۼ,9p?]/l?#W5;^!'rX ) E<~҄bB17+0/M|ڶ*YM ROV@_T%S'jP,ZKb ŤyVri&Gf!]F&Cvd^gHU~K,Umu\RrUbޢoq |[P%p橿˜rY=W5'Q'VȎ۩dGA4\wO@`t60>EVU*?܃%&XuȷL ) &V1}'j n=qR|C2Ge?i'zR:=aЁ@MnàR3jkX'ZR%:_4:rmE[i),xtT?R̀Y jY\T4.#*Q /uNzmBUУ8;E0fokp&VNH)M1tT&|leծۦ%5wC"\Vs.uwi6=ԋjb~4MVR3EZ1foN+3>ߏE;llala^XfaD=<"Ȁfe&8}ޖͶs't{I'թ,/NO(}DHlk~̶"wcX:/C6fӶ0,vEZzavpzxI>i`4pʴTuJK p%Q/*AƠC9,G :Dvto ;™60R?K?Cցh/]xa(L3ABOfaпJBO-l;MGyiҰװHr ݾ$].[@mڑI 3\7L{tw6n~٘~UNgQ#%(tތŪF;chl$PWg YZ