permissions-20201225-150400.5.8.1 >  A b[p9|h&+xiGk$J@Wo3M>و]u5ij-M@k:M>3@킍'@Uy1<Po|Y~_eY ~WC MI;PūB$2<U |Ǩ]ҶYU[䷎\y &D3!XW<֨҂$Nyh)>p@@?@d $ C )JS iL p           0 ]   ( l ( 8 <9 <:<>;F;G; H; I; X<Y<\d>e>f>l>u> v>w@ x@( y@Lz@d@t@x@~@Cpermissions20201225150400.5.8.1SUSE Linux Default PermissionsPermission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.b[}goat187SUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Productivity/Securityhttp://github.com/openSUSE/permissionslinuxx86_64 PNAME=security SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi # apply all potentially changed permissions /usr/bin/chkstat --system-YV1Yak89;@큤b[}b[}b[}b[}b[}b[}b[}b[}b[}39204a3f4359b2d8f93bbe08f9a7532737ed64e7aecd66391c4a49eefd0331810b96e4d3750fa33e3589ef0dcfd4cde672c2f89b916abe31cf5b3cd26b20f8c9254ecad52808937c3153a81d50810ee7e689d78dfc2cf8aac67cf179a2fdbf3b40bc5457f8417a01891da0234cbec07f74eec25256e49a044fb455d5f0fdeb045369a236fa76e8e4c990a83c06c9a617f00b0fb5a0639ffccfdd867945e81c6786379e9c238d2d3ec30cd2a29aecd165f07e9ea04e613ff2091fa0db68807c4835eca1eb5762d2b602f4b5114a54eb6e6815d26f10b5dab00cda67f2860ca4a32dcb772c1e9949198bc7695bd25c20cd21aea565905b0975de2edeafb31d8202acbebeb00ef9fccc619e66ad50b5c31ac346b2e06ec7d429ec8d2181bc5bd2f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootpermissions-20201225-150400.5.8.1.src.rpmaaa_base:/etc/permissionsconfig(permissions)permissionspermissions(x86-64)@@@@@@    /bin/shconfig(permissions)coreutilsdiffutilsfillupgrepgroup(trusted)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcap.so.2()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)20201225-150400.5.8.13.0.4-14.6.0-14.0-15.2-14.14.3bVbby@bgbF@b+9aea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20201225: * postfix: add postlog setgid for maildrop binary (bsc#1201385)- Update to version 20201225: * apptainer: fix starter-suid location (bsc#1198720)- Update to version 20201225: * static permissions: remove deprecated bind / named chroot entries (bsc#1200747)- Update to version 20201225: * backport of apptainer whitelisting (bsc#1196145, bsc#1198720)- Update to version 20201225: * squid: adjust pinger path, drop basic_pam_auth (bsc#1197649)- Update to version 20201225: * whitelist ksysguard network helper (bsc#1151190)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647/bin/shgoat18 1657887613 20201225-150400.5.8.120201225-150400.5.8.120201225-150400.5.8.1permissionspermissions.easypermissions.localpermissions.paranoidpermissions.securechkstatsysconfig.securitypermissions.5.gzchkstat.8.gz/etc//usr/bin//usr/share/fillup-templates//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:24972/SUSE_SLE-15-SP4_Update/627e0f8c39fb6567e02c6c02445010cb-permissions.SUSE_SLE-15-SP4_Updatecpioxz5x86_64-suse-linuxASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=cf0160e0218cdcf5a6c3abef022a86206db93170, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R RR R R R4P(Mutf-8c774541c283dc3a988a0caa4fe61f253414ed892d57aec82dc7f241151304a47?7zXZ !t/ᾫW] crv(vX05Kx|Gq#N\ Tw-;SDuM#ufj+SKj5<ILy *PZ%}. WoIGٔ8C7I2eŶؤOyDʼB?(@u!؆<=L({z mSa_&EoPYFUl9BE?I7Μ8ZK UT5rff-aq"+ܹ7 -bMetNM{}ul$%/(u /=Tf+\Cgu5CT$ i:H>z2AS+ ٞ1uyG`V+,VwDɰ"]W ӻ*-yoFjd|n^fqv.OClokGzEH{B+'$߈_ޔ:]YVBؖ(N=mΉ#7htxLz|J쓡Q c+5i~#Iyk$~$RK߃j팲dkDzEz%ǵ)Ǵ]FB?I72Smߴ+]*APE.ŌOj&CIu6cE YuA vETȅlI,NG \v$8W t>6:,xVIED O@)"#+xLn.ѻ4;i:Lt.> p VƗwUY8zQpPĈ(-ϛ:Z` m|T,l} f̙J)q ʋ~^W22;WLF14 ޼BcNc˝F~RX8߇7W:I{oԎL.=( \S,&J2Oҧrd!-~q:Qtp\hR̋h_W꼕Vt}4Swe^\A杆b#l$spgq)o l;&ܠ0Bջ]9R^(dO5/3EbL@SefM)p!ښ meonМ.+_v# 1z:s8—, qU4mU2ހmmpych~tS\(ƪPNuxDKY)ʲxoz #yp?~#v󙪤sy7v }Pd-SfԑT)Fz!*[!~]&SxLJ`nzŶ"e7S4FL?Q)흲Spi CmЂv\d`B#Q48z; _:}_$oyXZ(t875TmrIWn, g?f:f7+>Y|ؒYIVu,-yW}N*x0/c7]' K-&g;z6&u4ek4Iݩ !x iٙDι؅%b0$Aj?I;l,aL3K7Go.(}Ofx,.x ;?!ö@g&4\(},慎6]jqo'vE 7u ߈ Gqhػ' ߽M\&Ԛ0B,%-M^& 'W?6i^MbOøQ?zRe$tմMHn|f3+}lYSفz5&+ÍErӾ~FS'ؽOYe"6ǵթ Egx|-"zW \ y+O}Fkl{K'ebmqM *5vrSi7LI(%eI߉ e~zT(2"^rèt,r {Qܸĩ: T: 8 < Wfܔ(V5j\7มt/P]EM~ $3~- oPBϑZ|a~yZ+?>H{͝ыEJ>c'aB^DYXn;'. iّG 3ݿFG]>-ӐLŷoɠ j'E]@دLVdjOU@|J3ByNkƮGΉm_41 LK*ab GG&EnyxM) <!(Az}SE-ē.~Tq`9萼Kq}݇bƗ%QY(?Ɗ1I(]wϐcWw0v}>'1eyE3=+J ˀ]zi~5z`HjvXHE1">,԰9Nv/Q<ּ@g\$G !*E w#ϙi>vQWm9UjXϹ67k(Z <}Y  aLjp712;2Ϡ&k搊Ƭ-=|+\ +R ѯebLm5U9VE݀83w9M4#!9]t&akGSa`iG:y()RfG*lzXÕK ~K'IܸZC DUz`/<7O8 ^;.OL8L)MBV\_#+{,7m%P){r2J ? ٬ս[@xG$FxOgX2TkǴٯEn@PHa'7 Jv]Mn͋1 |XmӹN`k7}34 s|^2{pШGYQWNo Iݥ=NFPRd]b'vi ~b($]_--lFZoo9ǭu1JtOxL܉,1,JQ0RRF`]ٙvv8q&v ЄZK,6_jM ҝFI6Hٝ I+=f^$Eymf=K3є}BEË)iwc=Ŧos7b깤erɿ?)/0UfT l° g_((P9Ө 66,p8U\Ͱ]P<#AM hzƶ4ZPN#4Ѫ;'测'(ڿj(2'AsDrVv|H^sg äG !!f&YU$Jհc`]2>737 _h^vSh# oTöPOpSC KΛ(hĕ6FqUm~9PCsWZr0ORGWz7b|4tuR4c*Dm# fIH>/)Yųw:& rGs2FM0% CTihRWtXک >"nh50a;иHj7%@`L*kQQfZRN aċ(޶~dmB7_*hqc,MRn~;z=vSA}1 [1xaoMV'U?C=^*ڬܫ6!~_|6H<!ȆD$pԦGMC z!?j+NDѧi~hZITg o|sLp`NRE.-> u bxۜ&ZgBSb8>w3WS> ;GC_INFu.3*%W(E$rӦ=6W[%:Lh]-xFy*9” CUbS1?uPN!43'Z{r)h뤸,fS9lg a1$y1Y‰ջy:ˬwDo0( U$^ZqЋ{ɏzPj΄ԯx w҆{.MR#ȆoM !CV?C=$ JM6FS 2kkQ34"O,B%iYF߯4UbS~ ykrB˥]{/TyG( s=otuKFJܺeI+J,}vL#IϙV4EL,D 8yHѯi^(CFS9 tAìHַɿ 7 jo6S }5S8&}#jlXpCzQCRƹQ~&n¬̩6'm1.D뮔Q')WNdRMcIV5lZ@>b0C&~`>PW^hͷDL6o25RyNl6+. Ųڣ_&J)堷!C ,*z KL9A|ZjڟJ`hɳC]YͰpљg}s$Ph;?LۿkoăbviV\idk\=T ^d*TN%,CsΎӝ Fbjqp4%0\'@9|"ZnBn Fq_?̉뽂|cwʋ5 $s,kOJ^$U+C^AYlTt:0^=:Is"#RcF ZϹ+R%(lvT:$kWI@z_LՆ?[o x,\FYwԶHa0KpF=o)VoHjVU؀YstjeNJ9(҂t0—FZ°ʌ(')CJ["Tyi!vOf. I-8>b]*H/ OF`?`;L'A}Bxg*KX 8/dd.O!ot7:0`R^9kfl\u n5Kʒ'r9{Ztm@zMb&,"ߧ<;5͏:S'`~3G3 iyPEB;M=(+~n +QT6apwx]v @SU;`9bK":T/[1`B):D<}R1Ȗ'eIrdwCy,9 M/լ~`E~ƿW 2e=QϔXC"L:z|=9vSe&^UrŎHb-w|q5V,)vsGÂs;XPfi&``ƺ*,Y<?Qwc5:9/7`A4dQN~Fwù5 s(}qD%}& =^RD: wM 1?ztFM{dQC|& կ }A9by".!uԓPDʇqֽT*Is!lC|d-J6%m#Q/%*` NMA|Vq lj+\qbZ /knnckExʆoPr' q~ b>&asJfM 4q.$nK=1WÛpѬ)kwYCk;ӱ.^)/f\LQ[.kq;sS(a|XU(-o~47ߍL ٛWr ! \My@>h?)0GD1GJ09x끽p5z6gTIDϩhCxη6 4S.m~>H aEQhI,9ΧL:۩xnND 2Aڢ(moH οUJs=rV1Bw,f} ֺyI!,fƋg;?$FSQ`TbT>T,.q@j{`WDM&z[Qm珻F+OJ>p& r؅бP+b&ۍz1yAX5 1U[Q6'9O*jX12'Bf+g]j@v:7l~?a!+#j.jPgBR;4. /0\VѢX60[H“֮~eV(n:GrEfL:$Bp_N1^Xfp2=_0vG7ٴs`G8uoU<  ~\B ݟEH^L% Q\9I#mK?Sv ~핿z[ǡ 2mM"Xț9l^4G =7H/DP9g29wΞ5l >|$LuJZɋ*2)/2 [g Vv!Y ih|*螾r/X`ƒ;YS09LK{ũyeA. Yzt[! _#ӸLu L@H,n:+l`$.d*  )gFiƅ3.j@%eMIHc~690 bB @bwzD h\CUZ^QȀc,-AT_a^7v*6/ ؃KwrE?r&d${ Dտ(u-TKpH9̬V39S'3q$5xH)Ÿk%3YFޛ˶1n2qn!L$0 ;<"$"SVmp -e h3 p$߅(UFqc?]{@SS*֐;GlIgwݏեl56=  LES ]g\bI<"CQdĠ#%бY*>&j[z  ʧƯ)P~M j 7"<^cF>?rcWP.'Ȯ+e?ggABM!i"$+/RwgFMwȶƮhuKn GEc|dxC5"~ãh|kqUIî3qJ uQTIq9n%XcmU_̈́N) 7D|1Td|YceQՐcSԽObWtʱ,eT?Lz4+A9#wgӆ|C͚p 5|1`)@}SW ب~ڱ(=Gva3xoi+ORYk[VoCH*G&L$ A1p CNɇ&fF#Ʒȷ/# F~ai.\QKY+2A rR^rH=hv>1?)70Eg8O|$Nd{l1){L7cgK߇t[ /gf|kVLiƱka]J4UƜzWpJ-)k cCoVh~dN 'Fny|z1+)C(=_'@$!NLD7s*eJ71d2?@ӄWRzzYtQeusaD$Y2[>3.wtX-=Zf7sEЛƲ%J1. o|> 'ilѯ=|7ftDQ^2Pi%NL A;IAD%v݌01Qpf>z݅xIT{T}-e5A'~=\^IVݺOFj$! +PPq#ư>T,"j&"y '}ARKJ{7I3zG)O#'"Z~TU>=]@1fz܊&ww}@4Ѯߧ=:=93K 'NU|uLz:f_MB(@#n1%2Bc{hV&ÓYqh?#6 Ь 1BVwjJ nR͢à$[?|M8̷wF*5InR.푏 Nxa ]`RUv-NdS\pZ`mͫlAXɺvS\}Y!9 \ D;&#,fzM1;?22hc7%c7ޱs!DR~̳)xZ ˒^fS8 ꟏wmNHHXYY)b1ʹ8·F"Xdz7  j}52' eQJd}(G PðэM:'n?zGh39gRC6Jad6$r?ÐY¨R9W6 'Ev!`+RӥDJۺKŊlA>g Т"0)$} c[͓>\} [ЯL*8`ۨ7=O 2A YJ+4p]?28Y!x>2SC.t'ۥUP_BC H%H{u]tp}yIKhMsy'Rج~f!^ aZ5-~bAcR4UNKuq$02mX%jK\]urLb* _nnwZl*pHܼ8^5g2]oiFWPeP ^u0İ:`}]mHtiڢTfԣ޼Z|־K &|"`2(L8~p$$ qK/caX4faUO"ƧKI2]ɚ%W%s)lOgt,y׊6I?a}SޏOu쇱Zϗ0{~)CtձE{mfqŊ>m{+| "ٺ0YlrykVҍ=丘~] oXJǜC>}fwH\#ײv:|(Z6a8%tFt'dxYV6UdA s8d#onyd Y܃Nw6XN=C]qN>;S:Lgw pE6o;~ͱJT3k!uZ.r:v| 83k o- QZˎyb$GO k(V=ș+M!`,Ilzy 磕VQ7P;F#`$5.g&LVGRl%Z+6,' ք.~l_&65Q߷٨aI&DEe hvCC(ą-O0g6fX)O 2YP!& 4:r>*V7 MmN"0\QN &qe\!l0DbMUbm!"o҈ Q`zOZd8RV'gCRn4ahO`Lvz uކU8,fQhśw &dvh5CԞ˜s}Aњ7 ^vGf$MGk!쟇݊ +U/:e ,4zzLڡG4 q5 QJ _k4sFiQCIk9"̯| `,@D_OG3􉸩j?"ׅJ_JJqvS~^#Vz屣BܶEhkUs1&2\c|ƺ' +GuQc| 'ۿAh3G٧ޱiܠ_e !:2A^S8 ; ^fJU꯮/aؠNOI;$$8l+QkUZ@@_2 >O?qΏ96Rj_"1.S3ӆ90|N|&D%SMMz8q()u^CQ"b)LZ ]GdUKBhم_(9 eQBS?Vjx[} `|HyLx+ L<`^|& uM'B'Ep BMВ/4Dx|f:{[Q'}8:sy"5?;L<#H&,RYMWʼqŌUx,D .j^+,[ ]4h''߿E,9a(IgJ_d698Qg*T GgI&uFS|T]|kwA_W^ ;"i;>Z@ S7S"V6[݄?ӎXF}> 55]Tp˵ƍ57%gㆹtWFu?Rel(޹vS…3 P*M7FJmpcp 8|78»AUA+bʧl~N*ؑ|M =4,)x5A':ݫ<( }yNIraҍ3=NLR K-2hO ;n&/C}a?Қ͑.PRkxwZY, M2siH\rp‰shxB=um1j$PY ,8{#qa0FNGF 3_[o'A*Qʾai)zΆ%4?^둍}DAsߍb[͏V3[ ~qQs#i5Yi^0Y9p8O䥵UdAu;/1p!@LOoYeu#ﱿ#mPZiy=M9'm[kUfn/ܛfO qnխMIUx8ig@1mi+E:-^)y㘹RXtTrfYFy9SH!tBI ) {# pc 40׷igf da|eU8Gzj lDP $b0ΖҪG!_DҖş1=4&5Gf #’HyˤZ\| ό{t]tU?Db})ۿ+at73:-XL4C G򸊢ɑN,!vk5$v*v YtV< Ydl+ I6-u!~vZW&:*L- Fbt=9v`d!4NVZ1,mP̚ NCx݌iW?82< E* PIr⮤S5gpcr.4ۙЍ84<rPdHb*=& /b#'^l-fx=ZQ.vL g] f.0`sV|8gG1Ē.HV;%S`LAQvy]usIHZ"ƂIyjm#`h %(p±=m3Fd ;xy_4 - }MGUD-RdhT ՘uS^CI8)˲]ԊEQ/>d`:,ܥz.sB}qlm^Ndjz>Խ..çh).q+=prq[!8vC3VYK~Qo k<ʝӢhXQ+4`R/‚WN^ Zn*&n|k0]ӝ,U?.5Y BY4ѹ!|C4=Eۏ?i:{;"ϼ_,YOG3<㏰Xfs~jZ3זʁ"T(x@͍U9ip N{I} UzbQ{5%g@_'8G8zITJq8/aVv_Tm~ㇿ1uġDOAa PVqv4Aω):oxm]zڒF]gȷ)Y&޸7x}'B')vAV<FZ9g0o.aG>T/mF';X0'uJsƃiD*;t|۵݁ÄB@9mR|^|zi6'q11ҍ"{jYš4BI5"㑑|TzEGqTb)56/3BWg.ZfVx͙TrEs_43N)u45 i &G(g͋ cW [ ncҖX{keʊjY, fBYh[vCfQnHwDP&!V㕝ɻ JuvQީ* P!ZBseTLIOP9emLY`+^G/bN4fX2@4)X3me:imhh 6*WڡIٽzއ͝g1C43L G@$b0EYcn:>y-a>bQoj. Q@~ Z_v8FI(hF_5$Kcv ֭ch {#`>Mw*Y[MV(cxcȾiD$H怖{5 ؿQ"]Ϭ:c٨ח4jFI#*dI2&yH^bh-<.#]N"g,૓~=Xa0p ᇆHZx_ִ?{Ubg4gOwLX)13b#dV[*VIVv̝Qa&{_݆M yW;EAEE=W$DZv)FzAP%[ђoa}CUJ1aᘈ#hLLwU涌,ywu E^O΃JuUG{bfk2tJ-VC8-HU8"DK?MxBϏ>CAҦ_6|mOep=ÓY?XeB0! S^ʁ1{M&ɷptK |DId gpKN[";~7iȯ x`&sD~$pǖaaTu^t݊z#"5Y'"Bw^7JL +z@bOvtl{vr^oH哠o.㨋PXIU(VβJ;"^?Ҹ2bn!Wѵ)*U;C>r${\s X~eX~~JP0g1{-{j4P^w*V]:Q[]DAa Zg}Y_UP ; =|%mW;7͉5YZ93[+^kg!<sb.K_e /ZᙔaW|Ou5^P㢻*AbG ֓g`WOc¯ъAmmT"Nf$1f9l$C B2ЏPED#l ^уH̥@,Dn|\'v 灰UUp{zg'wmyH#pN!jڑJtswUZǹG?$aP@$ >)W<7zIVN\.>''W <0o,?(F$UEݑ,7Dm{RA@t$GD`r:n96z o:I-WC(HZ&{2!A!x3ޙrtuMhH{ Xl?!`BlOIrAv[`V *|yxt$p]HɡSV-OAߧ2OFvCcIhs-9?;%P7VA uT{B#Z>WwD$\ a d薋~eFPLnwf*"^0~)!&skdz_Ix,OX1[9?>Yw3U$Vw'1U^ 6\cr(>+^īQOmn6kZD!fH= ^PP_:ۄ2&7xk")f{f?v{خׄMllq~țđ%5WV%c#ZAox56~P6X99PKiCjÈ1Qˈ / UVIQ7g%7TFrtcAEx-;G v]b ܁`oYT%FT J2^&iD_C yɃA7ŴLxL,jA7jMEjkAqS-~9r/rSi džƍv+r|ZE&*A{+3W˭BE@c}D%껳H'yh3idapFZ6rzGPNFi#-MK cxo Y7{co_d'{KW N<9kЂ8Xg(D䏡1Iway ka&k\ [Ϻd(7gJkbIyDIRN'i,4&-M-0XlGk|F*gν61/!?&QH@"Y^Aǩ%Rw:F?0 |aR̠rVˠCA&k S$0GX/k4!FXD`<2)wItRcMacZ^^ @XdU2<6"nOF#c|03F[2!ʝb?58ޚF Lu3!Aꖘu;9OZ)PAvW@F iy@P/