permissions-20201225-150400.5.16.1 >  A cQKp9| \ f,:y ͏zӎֆet"G h*X{f&~X5==4^v#M-SgK8,˙s;S;g> W\e2}' ;aVz HM\3*_`~ޒ.afl&c8e5_\'#״b G"drZ-Pt6NKЎWڛ&p$dp,ɑH鬫(mvz4e67d7222fb48e0b496388154f707c116eb938ef39e18b61f899c633fb1637f7d39119975b2040404a03c4628fabe216f0c10002cQKp9|Ul+dI PE̘B^(m" \}B17[SHf#o"D?buex`ܻg#Ta,T-3]Q( ~IG91::1Ӌù8[&Ma=]7'Sέy20jJ}TOqC &x@4D f^K}Z%Iʼn+H~2 nHzvgGHD.UnoL;p ̣V>p@Bt?Bdd % D )JS iL p           0 ]   , p ( 8 ?9 ?:#?>=-F=5G=H H=l I= X=Y=\= ]> ^>b>c?d@.e@3f@6l@8u@L v@pwA xA yAzBBBBB`Cpermissions20201225150400.5.16.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.cQ*sheep54SUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxx86_64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system-YV1Yaa^k@9;@큤cQ(cQ(cQ(cQ(cQ(cQ(cQ(cQ(cQ(39204a3f4359b2d8f93bbe08f9a7532737ed64e7aecd66391c4a49eefd0331817c692a2856a44b8362c9ae147b60e9ccf721f11b0defa87f54fc73c45b17559c254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3b98674682d88472ea9f036494f6f08168c78423b08ad28403dc59ab26e8a830b5849517a933145414faf8627f1a237ad603f9ee09b67e3affd02c6ae983aefea86f781275de48c094de008c1730a9249d76af576abe2c1df13166c44fa78ada7635eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20201225-150400.5.16.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(x86-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20201225-150400.5.16.13.0.4-14.6.0-14.0-15.2-14.14.3cOcEZc pbVbby@bgbF@b+9aea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20201225: * permissions for enlightenment helper on 32bit arches (bsc#1194047)- Update to version 20201225: * fix regression introduced by backport of security fix (bsc#1203911)- Update to version 20201225: * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)- Update to version 20201225: * postfix: add postlog setgid for maildrop binary (bsc#1201385)- Update to version 20201225: * apptainer: fix starter-suid location (bsc#1198720)- Update to version 20201225: * static permissions: remove deprecated bind / named chroot entries (bsc#1200747)- Update to version 20201225: * backport of apptainer whitelisting (bsc#1196145, bsc#1198720)- Update to version 20201225: * squid: adjust pinger path, drop basic_pam_auth (bsc#1197649)- Update to version 20201225: * whitelist ksysguard network helper (bsc#1151190)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shsheep54 1666258986 20201225-150400.5.16.120201225-150400.5.16.120201225-150400.5.16.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:26482/SUSE_SLE-15-SP4_Update/cc249308f61e00752d1b1c0114b2fc64-permissions.SUSE_SLE-15-SP4_Updatecpioxz5x86_64-suse-linuxASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=ce424b8032a031dd8004c789396ba5cc42412fef, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R RR R R RT0ZޖWw*utf-8f572a9b56f6cc43e840155e488a404d8d70877306a7a1561cb859dd163146199?7zXZ !t/ΉX] crv(vX0R:~:6ykG>U3:-Fv1rL_fA$͌?*3|&s)arWSy^<*+,_10SA[/1xD6<Û=1;>]\2$o& m9sU0?LٺΉ_2P]2H#t V?hܒĘTݮY۹KB{ojH%G Q7>^,XVyRKЎYsc'%u!lxJчƖhG~|,dUL?zX< ?LKqw^C0/sC0^[už'9f/8PΞ6+?XhP(l֪nUJ k12e3!2V郋S9Sz{|n.84iI$hhٜh=`ã^@*0BԷURW }Ut'=4}ߧ%z\?@Q}~Œ#Al}@6S3lq4Bd e~2\ 3o&7[-sYtXSc7{-%}wX}D! O/ )&ugŃXӡY(\(A!OJ*+' >q LН,$Ú^ sW=O\1_QN6vT Ԁs?yX05&bSJ^ , iWz-9FRWZZy XTn8;N@8Cqm$>+MMLFG(m)-^f~~<]Ź/s]qen^U0$6nwF䅚_U ~+96 eJ3SIJ&]:P׳|=3)ҞQ>yeBOw9j yYQSWy.еuag7~n7Q;Gsc6T T#Gzrx?׎ULZ>ʈ3eJvoi܍+au@]P!ڸ} Շ`eq+XgJITWx(%8E믐"t10-b+k[;&"?*žwCC8wMi$/n,[4g-F;l)%HWqޡ_;d.rR>7GƳƥ߭4Ug)և6Bx(64-"qZdp)D!Bju&H*I{P{7kK#= dsK}k]EabdP/X~D=)O 6vh&Z aM A_ OL;݌ʳ([< V]Qxik%쪳6F(EVk̃1öCbʝbTr#W~bMȺK`p0˵O_KUzx%o*/E5BRTU2:Bas 832+:oAO@=X/{E12..Uzŏ N W^\ A5+#lܜ- YK"sK>wy8$b'J-BJ^Hq0?Ιv `Sv@i>$5bh[vWe2Dek$6c2*H'ۄ8p ")Ll;#{tPBsi^UfX20pܥU vpx&iƇa}R/+m~F"ۈ(?B|#=ſqWe!a.qr h"?ϲ 2Fsi! loľSq=ycb `idZS%5\ miɬXR웨{l&ܬSF lMϳX㞌i[%g*Z*,bԗw^} }1,k-< sS5'#k|ׅi޴}ߠ~= Ӝ\,Z6$~6kB e~0!Ӆb[_^ϖ_Ԙ):7`e[lK4 _Yɂ}s+:ͷ.5šWbRW{&BkA Fּ7XP/cfiǁ5>lq_]ٰlLņv e(.? ,aRj0!ROzqV:gfɍP"H1T2MNwsq.2wtpTU8j4߫-EV\%zN0l؃g f~FkW^QjMT{Y:SiW0O,vED:^c !o6tX, 2d,V{8%m ',֓aR~e>lvI 1jeQ(7P&lҒ€c"ifYI߹p$B5\2h:Y,lV /iBjS3uuO=oRL@ pSDdc$#=3Q>T'(~IJ,S%f*ϫǴtyǮQ~n:u(Mc Ko1c-aSq-{*ʻ$allW"j ߀3Ws W]j: D#m%ʏp8p.(}{jm7_:V=08'G($JAˣmj,\= w[=K׿30Fr-4>a빖4Wt`q盢>k}=?.[L"+듏wnQ[DZ4&{ 鹨AWx=rjEAI۲)ee/롻?F|jg)N8fT+Xݒsp,`&y!j(I q)^i Z͎EeՍ,nonyffj%hZ`^ͤ(\m-yPc!U@&psP ט3cϟKkNpxxz0Nq^JsjI˥Ws:A{# kzbאbݟzMGZB!OfxhAh< wpm8ݞV"< suj豼BtS&OX$7h]u93 {KgܜX3#se$gjT7"PC i"w!.J6۫Ie@̴IF+.~K' ++v*m@rbJ`dj$)MlH Zgq ]FD bXk.#Z FOM0@lu5 j !G :ƗzdvE6)6R ҳOs4QoER~TVcĘfq,ѶM=)#!~gn)S$@8?)̭KfVNωvwRV#M \'=k/؋yDXNؾEuxN^rA`K M}as$6`++oJp88/=Oh7K1j0yi y*Ĥy̿"-\]Q-,c̊\t,ݟՈ9}&r=Tڐ(KzdD]^Wjbd~L흋r.>T]2X1 عXt1Gldij ~.F{k1)}32~8>.n T )_鲵b%z9g&u^uڼa=eUuȋ19yx.S a:b5q^9ij_;6wdr s7'EƦh؟9A˽Av]/UbZ-y>To3&ibK$'oP@B^<5zKo2GcꎨQ*}؊8~كq9]-?1lkY7揗o{FdJ\zM4Au~*5q)T8Yx n[L4>--"LJ m5Q-Ǔgޅ5 Mt=t=PfrVG^!T8xs@VI w {9Lp k~z+;|;oE|B$).6Y:{1TrYV1Jk]]=,b/%HF@b&GB4 guH5HU(Gw8a!\sJ +efn8tLk+TzXgt^"Ɲ2Cɬno+Gd){; !1U1JMA,aŋܩdmgIuG/69)EѦH BD}urG&S7pR:<~FoS^KĨAmBe7{ 7oeob]sX -\U醁#ۡq#}P kX h*h~YF$2O}>1VULA:l!$^ (^Yd tb}5xtpv ˺QDym+tOD_2ɒAފOP!cA/p`c QU6e.P~Z8w4~)TR.qR#ѹ̸M??g5B뾐6uk[{5{ uLhu=h^?㮠PJdQX0JϗA~6C*3Ťn7b#8䙝ߣ2Wd$}K9Lc!|epuy#^Ӂ8^(b]&|gpE:c <ҊrHMՕD`ڌ+{vwC& w<u]"vw-ܛicȞEoQ.ُ߇r2,) O|d: fjk@lL(rji+W: V. S `ȓmi_Hyj($6 iu+sɦQ1Zfձ.Ë@zt06r^α iyhyڲB}?xܔ 6C̜r 8Lu3ߐCWq8bgT9 ECccv9J{rrDdOf-*HlNuheؕ:uA{ꛌ/6mk]&DZUce'3oiIPF+&8!>b%;+OD /+x0=+[*Gj мOg z"A;FI>gm|q}Xڭ4]&%jn8&#%ڿiNU7)H̪97+ş ^n\\Z \/ Dhų +^̫v =M٫[NӬf;'KdM wG>Ǐ=o%1C Y[Ш%:G-G\Į_F; ̇3urdmiWI}ȣ{5\rn ɡƾП:Ӹ a82|$Y Ğ[(z iND+cNWme]rV坟~dzLO*IO`Z`*iBF25ĵqo][k)]{Wӕ*P]oEn f"l[UTg;T$l\9St8B+٫܌OKt>-U՟'SiX|53[[, ^Zu3>9[\'uǶ[]Q5#(a_QPo(iRЗóSI"u?& YOV9_;j92Q->L?]`OG}Ҹ2SEV")kqOu)=n2@g, լS;1}kS;3ݮ$DyQNjܫ6} * *(-ǖE@AI[X1p-YKwLFh5B3H`$|kꐜqKbx ]೙Gi/~i>hFn ~!} *{̡1+mjxЩ۱O n߽h̗ڥNAvBLނ cFrVne`uVZvib B}g} PP^ZDŽ8!s9N>ѓ3QJO6Yu4[5t0ߕT͊E=D'#j|X<%`YOò+{tzUfb?-*ir?TlNZHRsHnEbˋ!D3f֕Lw7 evpՂu/ NՉu]4*Xlވ=ǁ61+_.^ y2 +UD&P5&m?!j?ֆBfZqk+WѧuW (hr,3^E^ڃHx1̏2fJ6:0PmLkoRW4#IVxgcєj=h>k jiI,x~*q~`Ly`I=j]j }i, \Reu?zՄdr_ӘjB841zfhnڧ<;~q2i4YM0[%C>F%MV<̄ صtJUv'%\AYql8w=iI0L\Vmځ=2?1&dB!+̕(ZCϬiIc߱B5׵ H>Xǫ=R|i*d,ݤgfNto~+.nJ=F7q?MVCLe&ƌ n ߶${a͝ jJm @Yr+ЄE̿6usnefE`ي>eߴc Z+}g=8 `e-G"{/S %+"u}O4|^f 1jI芆*t F8LI2j{ʒC/EB@p#'XNfaiWXTVظ`oGVe%"ysUy} 0"|P Xh)9QS#v:™ǞWKZXzҫDVzNuza\̟a"oQ@M%aat!  j ׃Ϫu3}JLWiۂ)zr ;/Af#CRDi%/'lіtϧc ZZt!JM#BuP\յp7U0;H`̊> qPL[\ʿԚWi"MԕvEf]oJ<DzP6xeo˝zzzm9Ixw{H7%X 7!OGoeu쳵U 2z鬨/A\w_s=*H |_Zmȩ꘡\GPm6{, 23uH"91(OѸ{4r͔B 7\b{˯K[l׻')8⧦ n:\^9'WZsUwD0k*OtK OX_֌ߜTY=OH6eٔ5,n:"Iud!ʟs7*$(q xުP-g$}1IactR+s4DL4{#tw' E^} .UPW?#vvx_;r䦫"~zGL>X3+rPi!;|"eL 1*J }42 qchU*r~Et!Y\ei!b4g`S ?,ʓgWPzz,ʜVOjeqZ/,Jָ<:_\(wotq]ǥ8tSLdMz$D Wi||``pßZM|>AOHmiZf~s1_4=aQ;[[z|!޻edZdX$ nl>M͞&n!R9Lz䄹6n 4eNԸ [{؊v\g^7?Exg(_?@1,.26/wY ) In%P~ gv`}- &a*(XkT;F5s[0jkzk2hq&NL TH;%\Bzv 9@}e.d<>+ jL-a_8HH8!a8.%}3);"<|w,'1Et.-`c"fIr!`F{6(t$#7=c.ON*|I rw9?e1^(\j/e<4)˵L6:QLzBFjEk5\3O`3[}0B3z)΢bś,jI[a?VA,tқ^'ӤW4)k&Z6d)Pk5W}%z=(rB}~NxQr[:x3,#,DяFd1& U#Bv" ܉R/ ƨ! ×J7q2\ 4ET45W؏m['3YFXeWq,؊H~#)8v8U1*Y 'AiWsA!x;r8f3ؐO^ZĮcO%+IT`e9=%qۛax1 ^Y+q2e}۲M䴐mӥlip[?whe[>-6--[ M 7M3w5\I}^t2@濊 oL˭͉270"Z ;G:9i]2lW ^od} p?H;E|Vךkm%;˞vP{w%󸲻U3|gz&|xDUC<{b>煤Kt[x" 4c6ځ.SɅ~)50PΤ:?Xg#8DQ3Ey 褢P@cVǤtRvZ =}DDg:g뽶UmgMȎ,UwlpzcM+J 'z8{/zPa_9l{}=&qd&C8GL'䗺00d4IL7۶uM@Y"I5RW#w< &%Ԗ^0ސ[;01ܛyJň#k/7e \ G%$96!]}ZB=⩝j<zv ):⯨0# ^ !EȪ,V/aHP sOFVF-҈d0qZ7;?ZR,lސ/#1p־vctX_5@NSCDd 0dW{)̀_(rU!ƫ *2a'VAjmAÈJTY$ DjH-?e|xUO[@F#:ζ@cmhzCx#&w0wa# I}e <2o0,ܬ'tǶ̸_"Pc"$Qlkz].g8aU⪥1 \ov߳!V5.ۉ juԠACF=NgԄ R*FpWKQ!3SOKJ/;VSn*ͳ{򑛤=S{<;JY&s;4#^-w[~157@#ZVa7lJ`s 51PU$:zʁ%o]6 T# (9HgAK nDW!‚&{d)"S5dv 3OF!@p[kTJK:͙7vLs9Gb&b\ o~>Pn!)NŹhDQ;>TSHs)ɳ%0 m/!ٴ^[Kshן}ٳ-})IᲕ=`d+z(' Y'nWQ>>0c3V5gxoxN}$ X~!8tK5I9?7~0 = jC_pAL" R>_W*tF&qgssbGiֲ,Hh.8Mų |(W4 B*N~)=Ƴ߁#/Ϗ59SXL4=x.0%PƼn_!|8!R6WT3\L_ Y^]qF Ŷ/!?fư &}"5߇q9 CD7fZOP\nib.(!sNjx󩟓MͳAh8q~rН u΀Sn0->o)tA`q PY.^96i{t?/_؜_nHjsB$l~0WQuk`a8vV36ZTveF';Yi͈xTxTʗ *b 0NQowjA%d(I N|1k85c{FțpI Ml&?BM9x_LK.f Qľ|:McLHT8)|>T33op<,)';y$*rBf"n4md1a& Y2\moKHp \kqO/>C{ek/Ą21$pxk!LMCo h*![wckIJ r%=︃[ .~p}W|HmA1I0Bxe T cJߜǮv~`_$JRTUWN/JӐo֎F_Y!qq+ Ӹoxn9Z,}1#6 Z=   qKPه᭝L&ZbȽrÂ~'D46t %%Q(Gҗп.r\Ouܟ׈y3\Hc/x巡V"  n_OY lXp4#-g_3MMzXivTdp2|+`TzJ5T1}=Yz-5 }Ճ߬x;v'0\k5ͤ_J. 93R'<$+}2 ^Uӑ yDQDOm=ZZ ;fSΠI"ة0)Y}їgt~yȹ(&?CPLc6z`jaCۘ@SDL'N;P738z~skWi-)9Ƽwi b(Nzf֑KtlyIȻo,Rj QFF=͐֌| rdxGy庅8+)WiœjA\l7oJ~aD7 mMh=PJ"`d_@#9YC=%LENݍi7FH~7_<0r'L7El[䕙;\\N/E^YgTB}~bĜ_ʙurII26nI?k@ϔk(ӯ*1s\ -U42N+l0A- m vxsBksǸE饨`V(I<"(ߌ4]hN3ǪaޱeP9/$yM=`=O?lrНPN:* J>(SEpJwGwe̫ lPt9t66W7iOYȹS4#B3R9566+L_z@ ڒ ?%qs6$y;"Dl0hu0ՙ!ME @f(sZ+> #:TCxhEddufk¢7%V4)^[`DyjQ"_6f[U_4uk \g.hy-8 1XaT!⧧NhTMHDf3eZL`,\<s+ѡ2]5]epI7Z;Vʞ]`sEYu'?UBq~yй5ϊ9kf %iB-տa2Y.~p]ʭu/bD~nqmg$H.D%O-T'Y_a+}$W8Ms{!Dmr7a'_Lk9ŽV ɚGۧsAwkz>wF FlWJyyqj*TOksZJ<'V6Z|8 kK:Lɥwē[b:,(BB{1s2 }1R-k4a&j)6+_v]kj\ʞh_ UM6 h"ͽ=@k¿8j+ǘ%zqT-&ږHB6a5n0f |5rev+.g +3|J%%q`CNozS:c'U]C 5 ?5KeFl6ӮmY@ w%킇y)@rIgA65ᙱ dbǓjLMNy;{9[|l/HkZB* LT}r]@\G7n~%W|GҪ=n,U0Dօ"O\ZNuTݶT)XBbت5cx5 18/IM+J`eEOi^ lpRAZIy .֪+i.i)x_j5z#'%603u˞VE-zNL=Y ~ ac֧6tȅ 3cm}T"ڍɬlp?X^޹ds6ʾuX9;4].=\YB;3[PSsْub*x:TgnCzc(1TLؤekAʊ4-ޝ=jy]DǬS3#gިy{ֽ [?ǢYѠ9aT,2.;Qfko}^^Ս7ZjP|=HҢ.B+ NXuIb^qApU$ J񮲱N=Nį#qZރ|^Le[V |3.9.tJE~c>&g@aQҬӠخOˊ{e>*\0..5Z=D}q5M|Cz~ڸm+TK Jhr~ˉߓFFs_ wZfX=yn /+,e™<5 +ۛ (V D8yofqۜ] K[д7F45\; n p=u<}eV{f{_6?G"|KVS&tnCYm lJV|w6ߐiRޠ(i$xq<(p@{}@re)y^@Vm~XsS]6<<=Ahi(jyǩ|t/2P)v)cƧwivuI=pLۑMT1$3]O?vdb%?5,*.T: uﳻ?/@HE4g^GFC~ ؔ:C267ujT5\DK_ jfQĴ\DegF  {ʇ\r mQ~$Nm`Z+7s]Xۍ50R*PӬ/_s'iarKfs;]IȖe9yU*Ua Ł2ſE cpށ4mtoɈb%i]x#& *S'4$]>Q ݪ2״#8)3{q'LuZc'PoeڠS C"!M @@].ttǝT}-S;IX ZnN2ڍ;L @p  %ZA4G?m@/م cYȷUG1p͆QL~X  (I2?ì^ݝ)T*,N"30Ӱom YZ