samba-devel-4.15.8+git.527.8d0c05d313e-150400.3.14.1 >  A cp9|Dj՗kƲԓk@D)C!pmp-AeVma_>0&+*(~gwOn>mRda3 Pt޷.:EpLQSCPA,dŴS{޿ |cώhcB5<'o4䉳Fԭ%F*6Hj=ݜIqд\{;RN+[oDI|~$zP]-89&&?Ps/j(j6f:c /9Azvpf+=ԺdI!6kYs bX͞/m*>pAl?ld) 7 e+ Aax~    ! $&(+F+-$0d01(28296:GFBMJFNGNHPISXS$YT $ZV[W4\YP][d^a bc#ccddLedQfdTldVudhvf|wgTxihyk|,zl,l<l@lFlCsamba-devel4.15.8+git.527.8d0c05d313e150400.3.14.1Development files shared by Samba subpackagesThis package contains the libraries and header files needed to develop programs which make use of Samba.csheep21ySUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Development/Libraries/C and C++https://www.samba.org/linuxx86_64( p=A@!1N  aF ENTv |H)KU +d`@t2!CY~W +g > v&HI!>,'I:l ha Z=1y<u .Y3T4&{66)w+3'A,;BG]AA큤A큤A큤A큤A큤A큤A큤A큤cc-cc-ccccccccccccc-cccccccccccccccccccccccccccccc-cccccccccccc-ccccccccccc-ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc57f48e6acfed5fa9841df0f458c77820b6e24ed8279bb23819c0698df22bbbf19a87ebf5c3ecf098bad8fdc2e0c08317efd3ecd4947169677feb755c5f86b325aa97c3dc8a6da5e8d196a73bfb4bae250089de7237665a3a6dcf5512c71503695cd7da44b981f9782081d3d97dc2d2f26726208f56b10bceaaae6e1a3b497bfefa19c5bf4838b4013a16d205238e5fa9819e04902a006a08044a0da795cbaf34f53c103d9d508de1883fac4df0fff12ac27300409f3a1c8edaf31c05c054340a1dc2974d9c574811447befbe13fc0f8b3d8906fa58ca173857f5b73359ec30f161766db604986021c872a81bc3e6dc403b8960c06edad4595f168293005943b8486186e935623059f05839ab0f3604f56687ceab73bf9ad6070e58a7161041e32e3a21a55901cc3c7a46d6560c167ecef63390fb04b124e508eccf8156fd650dbd572ab4954abffbeef5c35b30e8c5806501278b70a08d6041d8a5685a69cd65ef487680f99891e461bcaf8245acdfac7964fa40fa4a298184528c2fe2b51b3066156e28d7375c095735fe583c41fe10f68711a286dd7616111bd0ba9a6c39eca72b30f0da89b141671dac7d0b96636639545a74f12fbbcc745e7e2597d71b4c7bcfa6e9c2d3666eaf6fbe6b63194f9d4b8991619ced1de631f1d7c854271bc4d7d6caed90f3ed522fb13effd5b3f9ce1d10f57b87a233f8b1cb8bb000a06b812e45f1d76df8d2fe7405deea4c26e6e1ccf3951c59a55836952be0923e7928b343892
fe61c87666774dd2e18e31d70da33b45c5986aa1c23a6a853a6cecc906960aa488b92850596697a2ce4811cd350af7aec0b5278c15b3700ff5759a3a9ac8a09b87e376224e944e12a2067e9fc485ece8ebfbc7d5cf0bf573e0500c5bf24c38a14ecb5e00e24e7947b8517b8f39a652b5a4a7cc6ed2dd04dbc35210090e571af576c5ac08f897ec08b3d0d2d5d40952aa94d082f5550483c051b99b33ee65aad7a50a60ccf805be82f6209c702e0e7f73a5ae774d0c68b57b28dd1821c1ab067bcc678b898c16d290afc34539c478fc1f6b47270a45b389de9fb9ec0042b98e789e2e76a17d01c1684441f27e27f5c54d7d8d1607fb9cede012344438922ffecaceea8800ef2175f1046485790f995229035a56992eb9f80f586460519b697827df8285c4ebf06595b743e148919677ae2a40442c80549d7aba0bc0b696ca55cc095723a52645cf7513c55934096218760deb28a607b5e85f82db7c1ab580e91df20133ceaa62399bfcfa07ae216642332bf119c5a28639f3e6841dd74e2dd515f2b48efd9117bd5054262dfd09a3617405695236094798559211d988a68effc888123ae63e8d2ba5b96004c14b3356dbf490b4e731cfc7a56467079075b6004265e32c0338f01e95f47cda607f72abd98a2031f32f45a1470dec6e13f4c8e17e93041953c7a33ac4dadb193dc843bf0dc47196230f74fc5a9c4ac1989654849afcccbc35c0a397ed9b8ec9579d7a3539a11d9a1f4db4d40dfdf2846bc81f966b17d69a728af436e405c6653b76b8b1b0cea1ff3094b88f184043efdeaaef078ca39f9c1b6ffd2a287d8380c0ea5cf53ceb43040bca0c4f8a37c75c1cfd40923c16ebfe2ac820e071af1cba5cae4b019dc46eb22b6fc37174d15ac7b72c723c10d44a520b2054944d0606d29c16714a4196910a433f607fed4e35d63918562c260077a6a23b99eb7ea40a5e790a7d97b17c8adc0fe8152598db810a35a439e0fd2184591f449c79b6bc5b5468443920523ea943440534df04294b940ce1c00c0a68cab9a5eee13b0a18e6e5b9d87693f25c1f804ac1878bf03800367d25438369395e7f2006fb647db68043d1590be759478e33b123ff9a54bbcf1dd70a038467eb6dd4dee91c9309efa27bed7b9d371cc936612a2998c16e815dca6ab2131a2f005b7837ddaceb2598db386c1d34c1a777baf0d741ea2d153c399b4b0fa22367ee1921737df26ec3e9fea81c7f525ee4076db13008901c9ca9f404a6db835aabe1a026f6f3e5c05cd08a28a339b762c6189d4af93a1b6a87f9d9483d5833fd883506b51ecca8ad6df0baceb27177fb6499a7918703b897a45cdc7605a9ec9315a0f82f2518db30b753b0d4ca10b18a94c382f3ec70dcc443437b2dc9e3ce610ac30bfc17aba981ef
d38215a457355b1f19ee2e93d26cfc3f6127d4e633b3d89ae70e214c6869f39c6eba1bd4d835c031b67bc5c4f908e60816711e8d87e6d93f84fea1eb1df4a7c2bb8a671480afe65f9dc7f671e0e15cd8eea8e37927520f3ac8ae6b63fe8f7aea81f7680951eec3ab67f4383db52789c38b254cd5a9e4766b17aab8a99813258ebb4b147bf98c9f0b9ac8e9e07ad86cc4811fd17c0ca05ad6fa67befb082b2cd23859d7002fa75a5794f15fad8157402985d19cdd5acb5cc68fe5a3560b24f14ae06a7601c3509722fadaacceba96907debd9d7a6a350c1acf956f394afcde8741c7d3eb9c1f0d24e77ba69ff7eee8ba90786ffa6c5f4ec183f16ec4fc964c65b35a84e0be1b1f830b8494c8e895196ab132fd82e055cc808ec43d0bf84e5bcc059302e71c0e23a257f197463a9ecad24f59aa597f875a287795dbd2ce8b56438e84f9976bb4b587c364e2b03cea9ac7bfe92f670c4d88fc1b382789f66d991a6e526f4093a1972e1391aadde980420a1dec670f3549f87169c890fba90086de0d8498f0fb36921439a3568cd3a29c34bc8fd9c25772cff89b4edcc989ff5af4189ef2e0ce0e37872c17ad0196c4101f1dab6f2233d4987af03f7dbbfcad01f857b4576ffbb67ed2f4c6cbd9f0a9cd2192a7cd36f8201ae7dc5c1bb59244752a7c96d0bcd9f3e3ad075aecf96bc9006c8087a428c2cbf46832f58f5a9a8a1269d77685a6ea46e21b05e9d22e79fff5ff59e2f6fd5ef76604c85c807b4e3fc0dd84beacab1ff25be2672650e35fc5a2a04de281d9dc535f9718a0c12832630ba0008a46bdb263c2610acfbf6da60c6d585687581e877d06ac2587e1c560a57a924744d428603f832aa43148df878f81961c305f367353717bda17d2ab1d3df620a04711fd5a61149d16c19f34a48740662395d01a17ad400b8e6af775cd8eeeec7fa786bd0c1c686c5562fc60c40b7f0fb213627e0208eaa36a7262e7680bfdf38ab43a302de7a5ee1b18fb5e5a69c693660e5ab407d1696c7b4ac8f6ed075a178fc967e2e68e1bac448bf37478948a1f40401d26eab750f4c70faa63142713b1ca959bdea59f5c83e1d20b52792246b46127464459c635949c3f779518d0e830d9f34a33bef4b8d49477a4a648a2d279c88584caef10d814fafc233b2ed62e1b088b7b99fc6b8017b38dd73cf8dc94a4e97837ae5a7631da503521a5133a57f0445a4dfa2427eeb926d7ece4119a01cd20ba4acec5db90984ce61844ebfb044780a402cb880b08cb0e3b6d709b17117204b5ce3a21b987f0c33c9147e5197c8e52257325852c5c181908a3f4082b5520d1cf8599ee8c5ca7e8584f8e6deb53c1682692aec09dc7339df4507a69a44fc4e889663a695d0e42c4ca1819bd7e814f21ea857ca7a1cf61d
aa69affa14cb497273b24b2f9adc344da28391ae7e27ea058e1909f8fd85bf9eb7fedcd7dde1fddb48b6600c8b61eccc6409a5a5391dfba7e45844c4f2da58e90d275e42aac178717449816161fe77e2af95aff8ff703003f5691ae2280c0809d15386619c3aaf0620e8697c3c0d494cf0d6a2fbbde841699930bd1f5d8c43118be577f601d6cc6d9ea72bd4e42fa96b0bf03b1764946f28b3deeae86aea0bec44e3c3fd05afd367128b4e2513a6a73ba9cdc263d00d43eebac1c05313154d5bba4025f00fba9ada003bf6e08ec3717c956f9a10aa3bcfaadbe145f7723177bebe2a8119752430aecb7121eecb4e1998b5a24b456197855a143c84f2ecaf31540b1f5457c0a2fdbfd8f53f9b9b119b1918376d12eef6aa5248f7ac7d7deb71f336a52fac364750774f797c061e915eb24775ae28d1738bd86f5a5b902862b25dabfc4618da50b85e66272bf52218a6cd2e26338d04c25404fc53d6b230205d0351470ccd8809d4ec02d86007929edab0432c4386098ef7d1c09bdd8cbd6e9b0ff02a77cf2d3de460ded50b04f15ae58b86ce48bba579542df1b00f69e97fe1427fb1031f6930e7c3b058c09850bc72e8361579d8f0b97ce6c33df91db1edab5412d88550bfe89e5d34a73e8be26c6cd20a922ff73294bacfd6ab37123f9f6304ac62b5f3f2c020b7cf90ed8279bb84b70e146d0a47d12743138659271122b65de007d76a54634fb3fa657a0e6c8a3cd600d4be43800c4a74bb5e41f57bbf05d01629d0cd9856ca1c5cd05b52579c70d58b6328de9543dba02672487939e41e910f508c1dbb0923f0726dafc2b4fac411ed2b40275fe0fec3322730f62b84daf91fb23bbb081489863168493d1d893df191dd1a0597fa2bc7c08eeb7f3e7aebc136e2d47f375bc7a94c423e7e203f66b8b1aca32a0a28bc29431b120f67b1ae0d47ac90227562ae1ba4ae6c00569libdcerpc-binding.so.0.0.1libdcerpc-samr.so.0.0.1libdcerpc-server-core.so.0.0.1libdcerpc-server.so.0.0.1libdcerpc.so.0.0.1libndr-krb5pac.so.0.0.1libndr-nbt.so.0.0.1libndr-standard.so.0.0.1libndr.so.2.0.0libnetapi.so.1.0.0libnss_winbind.so.2libnss_wins.so.2libsamba-credentials.so.1.0.0libsamba-errors.so.1libsamba-hostconfig.so.0.0.1libsamba-passdb.so.0.28.0libsamba-util.so.0.0.1libsamdb.so.0.0.1libsmbclient.so.0.7.0libsmbconf.so.0.0.1libsmbldap.so.2.1.0libtevent-util.so.0.0.1libwbclient.so.0.15rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootroo
trootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.8+git.527.8d0c05d313e-150400.3.14.1.src.rpmlibdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develpkgconfig(dcerpc)pkgconfig(dcerpc_samr)pkgconfig(dcerpc_server)pkgconfig(ndr)pkgconfig(ndr_krb5pac)pkgconfig(ndr_nbt)pkgconfig(ndr_standard)pkgconfig(netapi)pkgconfig(samba-credentials)pkgconfig(samba-hostconfig)pkgconfig(samba-util)pkgconfig(samdb)pkgconfig(smbclient)pkgconfig(wbclient)samba-core-develsamba-develsamba-devel(x86-64)@@@@@@@    
/usr/bin/pkg-configpkgconfig(dcerpc)pkgconfig(krb5)pkgconfig(ndr)pkgconfig(ndr_standard)pkgconfig(samba-util)pkgconfig(talloc)pkgconfig(tevent)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ad-dc-libssamba-client-libssamba-libssamba-winbind-libs3.0.4-14.6.0-14.0-15.2-14.14.3cM@b@b@b@ba@bascabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.c
omvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@s
use.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). 
- CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't 
reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * 
pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). 
* CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; (bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of the existence of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer dereference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but gets it indirectly anyway).- Reorganize libs packages. 
Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status 
-P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; 
(bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. 
* The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() 
function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571); - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). 
- Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; 
(bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning 
duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + 
Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: 
NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159) + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicious SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existent paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). 
+ libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). 
+ docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samba 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). 
- Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substitution; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). 
+ CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). 
- Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is no longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by 
default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD database format - BIND9_FLATFILE deprecated - default process model changed to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). 
+ Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). 
+ ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL dereference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). 
+ winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). 
+ s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). 
* ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. 
+ sambaundoguididx: Use the right escaped or unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hiccup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implementation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. 
Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + 
s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). 
+ s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles; (bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syncpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initialization; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498). - Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd. - Remove python2 build dependency from samba-libs; (bsc#1116900); - Update update-apparmor-samba-profile script to ignore the shares' paths containing substitution variables in any place, not only at the beginning of the path. - Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323); - Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup 
AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; 
(bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was 
previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; 
(bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). 
+ krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). 
+ s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; 
(bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); 
+ CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. 
dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when 
processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). 
- Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + 
vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. 
+ The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). 
+ CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). 
+ smbclient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrect return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). 
+ Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). 
+ lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). 
+ vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). 
+ Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). 
+ s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP connections vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. 
+ Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). 
+ Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). 
+ Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). 
+ param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). 
+ Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). 
+ Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). 
+ s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). 
+ Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). 
+ idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. 
+ s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). 
+ waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). 
+ brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). 
+ printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). 
+ dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which already defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). 
+ vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - loosen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. 
+ dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). 
+ winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snapshots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). 
+ Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). 
+ registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2.libdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develsamba-core-develsheep21 1662104806  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e0.0.10.0.10.0.12.0.00.0.10.0.10.0.11.0.01.0.00.0.10.0.10.0.10.7.00.154.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e-150400.3.14.14.15.8+git.527.8d0c05d313e-150400.3.14.14.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e4.15.8+git.527.8d0c05d313e 
sambasamba-4.0charset.hcoredoserr.herror.hhresult.hntstatus.hntstatus_gen.hwerror.hwerror_gen.hcredentials.hdcerpc.hdcerpc_server.hdcesrv_core.hdomain_credentials.hgen_ndratsvc.hauth.hdcerpc.hdrsblobs.hdrsuapi.hkrb5pac.hlsa.hmisc.hnbt.hndr_atsvc.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_misc.hndr_nbt.hndr_samr.hndr_samr_c.hndr_svcctl.hndr_svcctl_c.hnetlogon.hsamr.hsecurity.hserver_id.hsvcctl.hldb_wrap.hlibsmbclient.hlookup_sid.hmachine_sid.hndrndr.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_nbt.hndr_svcctl.hnetapi.hparam.hpassdb.hrpc_common.hsambasession.hversion.hshare.hsmb2_lease_struct.hsmb_ldap.hsmbconf.hsmbldap.htdr.htsocket.htsocket_internal.hutilattr.hblocking.hdata_blob.hdebug.hdiscard.hfault.hgenrand.hidtree.hidtree_random.hsignal.hsubstitute.htevent_ntstatus.htevent_unix.htevent_werror.htfork.htime.hutil_ldb.hwbclient.hnsswitchwinbind_client.hwinbind_nss_config.hwinbind_nss_linux.hwinbinddwinbindd.hwinbindd_proto.hlibdcerpc-binding.solibdcerpc-samr.solibdcerpc-server-core.solibdcerpc-server.solibdcerpc.solibndr-krb5pac.solibndr-nbt.solibndr-standard.solibndr.solibnetapi.solibnss_winbind.solibnss_wins.solibsamba-credentials.solibsamba-errors.solibsamba-hostconfig.solibsamba-passdb.solibsamba-util.solibsamdb.solibsmbclient.solibsmbconf.solibsmbldap.solibtevent-util.solibwbclient.sodcerpc.pcdcerpc_samr.pcdcerpc_server.pcndr.pcndr_krb5pac.pcndr_nbt.pcndr_standard.pcnetapi.pcsamba-credentials.pcsamba-hostconfig.pcsamba-util.pcsamdb.pcsmbclient.pcwbclient.pclibsmbclient.7.gz/usr/include//usr/include/samba-4.0//usr/include/samba-4.0/core//usr/include/samba-4.0/gen_ndr//usr/include/samba-4.0/ndr//usr/include/samba-4.0/samba//usr/include/samba-4.0/util//usr/include/samba//usr/include/samba/nsswitch//usr/include/samba/winbindd//usr/lib64//usr/lib64/pkgconfig//usr/share/man/man7/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables 
-fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:25691/SUSE_SLE-15-SP4_Update/b518cfb68f7ddfb5e239b417674eefa1-samba.SUSE_SLE-15-SP4_Updatecpioxz5x86_64-suse-linuxdirectoryC source, ASCII textC source, ASCII text, with very long linesASCII textpkgconfig filetroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)  "&(*PRRRPRRRRPRRPRRRPRRRPRRPRRPRPRRRPRPRRRPRPRP RA93a+utf-862d364aca3fb834a425a14c0587d43a106a50dfd94e4f5e64687a988f00ba91d?7zXZ !t/] crt:bLL eӾC@Kʦ([}%4g2’3X}J5Ԭ`onU9 >6d&(" n@dz0ͷ0 "'ӱzb۝qQ\H'm,:<,~t Y;q|DsE1Њ0VL>4!H5D4VerYt3zj\Bޜ,0(AG^gyX YjR毒ϡpspHi#sm'g*h|#au_S_g#szcMj|iu󘜡"~3>J;LK]1 |i5$θbE=oG"~xQ< ȶPA_~L_m@;,#S#,RzPBN4׽yh M 14"gÙa HT+^hA y- &)g݌^g4vP\Qr_>rׯ H5qx\QAOHGy}ڛTgfoB [0}eM3eU_]7#:ӮUAzv$fN9,2RΩ3RgA<K~e)&x3KGCɆD#\[#`\G2o'yq-N硄XVqgAx2,k- 3ڿ>2fS3ݨ5 ?Uu CFLٖa vO0 @ ~̰4żrۡyX>XlçJI-ck`AwKq]/7C4naroa;,ҍpwC-":c#*vb #mŧ> 4|e.O {#jfۗx/0`"1 7!Ʈ*]8 2ڹߧi@q;Fe0Ay+T͏-rT-Rfw~)Y5T'V,5σF|I;l=>_@~:{qPP\{%'h!>Aea%$HʉSײ"r`^S kLR:Ok(zZmŁ._:̲W)o6E /0 PA|ηQ:A11"H⇴k{ޤKJ6IU '׭گn'kǶw@*ڇV^×2SK_"f9=10Mtic#\jviޢl$CHmz- ]NƂ#І 4+MջH-q| ĩM̒p^̋N4dōs I۳xd|O,t~rc9|Urdn0Qh_ 4s=lw (ЈD0Y[UPȷ"{z ^Ċ+%r:SzH{]dvY@.ps­_b= 4\bTM<`SZUg{ey>3 r *KEJ6Q8\] ur4k-7Ad3tj 2ʤwhs{ kN>pQoغ,Tx*Og:3_&2ADAdA/)[mQd t8$);%nEq&xE Di,-(Yl^/EX1b>`NIӁ(+٭Ͱ>\+fy@l.6g0'6e35r 3M $m ޠu}ކof[m@Kg~pc4+tЊ<;U?A[&:/Gvc@}^2Y̺i*zĿjhJ?3j$7d\U v):(fO݀w. 
hHk68x~=.1҈`ZY歼F5|Nl+hVd+~!+|XyU4z6{YsX= =Cψ%S`48ŏ ʑ a {smvbkO8{ImGcBadNUO Ģ)K֦|9Nܥ98Y6s,Hmx$ [mjK?z׿)N I^˴ӏ٦ʉ>`d+[dMa|') 'M!uK*Ho 54c3 q ôW6d-WS%Ntz ,FM@%wU˃N-Hp+]YL ;Ua'A D?7Ah鋍 )mo*T1@T7ƚ7+;_R.TCA}HfM r9Џ3ObcdoD0Z tްƌr% rOQd0|: Q?е+~|ϪGv5K͠Q/[?'1N=) MVXFaK^+qgR:jL<"K@l<M`k-1d\baj+WݒC, g⓼]K:p_hM5Aj( l"MVD7SYSV;=ys%5G=AN Q'J;φ9ؘCb=S+[Np vg^4;PEܣwiR1Xg3SKAQ l>k ])d$̀1jB3[gpv(Xic'UXĊϳv߀|"b 90&gm$=Sc\*Z%ަ#xYBOQ,x%;V]TRXuV1GMmqmC W 絡dw] \='NAX)mJiAknL]u<jؐrʥa8zN?2 Or ~kRQك^YH \Z PÊmSR˳ٳݠ[P}XxJLh4#3\i?µ${ABr6@q,a{kK 'lFi(h6]_AK69A!^ݰ+@,Dir[T.7ol{Z :G=lp=uipQ 4PH0uϻ.A;c_x?Y@||ry -QF'C##?hv[>xEZ^I~4Y$׉%B ;T_ 1?ݚ<)yKNMХ첝~/#BeL(.KTmvh&cæk@p/&r*ђaS;O.N%r㔑6'X ^zwá?Cny`v $ ..M,V6meiۆ}}01*vE11<&h刏wˉX0Z=+=TiPUr.gS'6#A]cYt.9/𙟚 ?KL!5՚*-#iAUm4x-Lx{n!"$'QۮJRwq9fJx$IÈL=M*>x.9HĊV,.ç.Rkp.49x2I8kaћ!U{ zm!%``O=^e&xN(DZδK#L ms2ryFn/~ܗY9d oyY\u!?q ;}of3ݺжbxЇcf[3?búɽM"5ckiH;!sZU,,b֘j{.%} T㰚}G< E4%6!<TJ}xu6Se8gN~IS]|ؗr^ )E$)d,ũҏQj9KV,B?ʴ1er#rF'|QԽ,ϓI?U9Q,Y*gRٓSȭ&^7~}.jx}h=aU@ܤo/K$lbYRyDǩ dlp:CR}ݻA׉ջ?% jJ%%ЋIsf"kJタGEO uˑiسOvc*T ^M&CNG7Tb|k)ު6Hi:fݦI2xί1va2 j7[N|Gv %lzQNG\px/#0DNTs-Wr,̋FW@ Dy[Nzg@ΨZV0+CR:HXTo>ƳM m^ ǂw`&ԣ Pywv{YR S<neE{-גaUP7G ,mdP(OYA7VcX n 29~&wҷߍ`ֵA)͟ =sBȪkoz[}4Y]ifvJr<*@HW= tM!|2ž1X $Qgb r k/NT#ѡ xPH*J/FO􍩴qt_ߢ3]07i -apqgY;zq@#9 yJfw!<_iɬ?۽}=ƴf‰^(#I ^sԉ!cԇ2Lb X{@C?w{%cl/k)Ob/3 .M> :Y|xvc{_J߶>fzyE+~HLvJ+\FR= +i2P8/ se1Pi|$#mDG&E5ưHrnT+zX e/>= a v|p)MB-ƦsԳF=ac MZ12<7'\Kyn`ce*}^ʯZ1I:WoM&Hq$82 }e$~d^5d7cp tq]wOEVwvF(񐶏vh+2eiA1k Sii¨nSJw"]!H@4MeqZT Rqh5uTkr^|V1rOhrtU P! |i^cQ?!V]~,=C++q- `_ԯ$FZ`_S{04nȆd )cu8DXPAZ,=Zx xa"XMyQ(0>i\RBniasyz+r08n ^ҕd==q{m>%!1u;YuH4--m:?_zr@z2B`*E˻PGcN.]{IPJgUf0'Q1pp)R*@j9w%јΰEqZ.G1eU?X0$J3=92WDxQ;/(^?ZxMSqGY hrb3>c`^ D/yzC"LzQп鶹D'Z yUR{0ꪅe/!t7ɺ+OnN [Q "M̓(q8{&X ќ^wH>A)GkcZ5Ult^0z M7N#Q3lJ- xn$Uk>"ȍ7B6bFY𛙦sy:V]碄֪gk?&,~3'zߖ|xGJG!peWȶ%T% : l;n*K*Ō4?1OQXhtx` !K羱3Se&~tY+UaL 'JA š e WvH, K2te>I6+٭ ̴9@U:GU! 
J4nꪚRzd) H^"E\ HHrB&qu@󾌫VRF[>!ٴ, o[`zv⫗hMK%:O ы:g{yH+zҠ~G: $h $$lh%:,9Z,?> 2S*-m Cפ#=T =A)1,|0GY-qBv ]Q%r/"n.j@MX{W!ՓZ@zr_AщV#R'QS}vkJE?g$;bwV8LL|Z%aÇ ?[i٢"jr:.} ̚+_ ʝcٿ{PUWxZҬwy(9@|HXɗ#˧odY҂3=B}.n{Pi6շXWy=z sOeem@%J |5~ 3>opFB.[[ڙiEJl˾ Zv/mTYLo;f)KBm>c9-P $ XR ,HƏx r{_irb3&D wsjHxrLxGa2@l0A 5UMb]DI Ss@k8 0lsE<&3槲]BJl #R3/4fAhFR B:,J~|ob ]9fAe`Hp PT|x 6r~G$3.SU[ &yE#4@NV4r{8q$@T'Dj.G.hd'ՠeXcu]u@YmGV_X:F d&RLRW ϾlS3JGnbvmZ=&v+Т:P9õy6YA奸Rϩ_XUeUUD"?[HᤎqxCL xqrwh'P{`D[۷57> Q! ZgA_ !X2 ?m{P;a"֔JZhLåP+F?U{ k:aIy(#?]ofa0dK.q@VH)z pE65ǀ"r]̏ZN'0e,Y- ęy>Z^vbk#^[#J_->}uEx .eWWXKi957BW0nn$(7\o_ZyqP z$T1EgWL7F-z񆂒楾wyIɧ'unQ=P3G1Djshq7+%Ei}R70DEe,s>EcOZ*7hL<w7|.؋2H-/nSͶjC,7sEt1~f"'qq)یN³c?-tlƂ_HRϊxb>HB5J<~4}-~x KNͣrr Y^ W:ʹhHew\dˤ.=&Q?k;^*gqB, +h؂xs7@T1xm$I0l2Nf}뇡>ɣb 5p\0-Gܟ9+;C!2 G k{nN6d!U&mzXs_9^CBqnAO^". -2FV>=[f8K.$FpI*V,1N:HĒ#F{z T,Xhƈ8pl~XPby]3ߋ'PO@_nGtYc("C$ȋk֧k;8m( Lxt`Њ+כ8.⌆“+{g1 hژ)˪HGyL_C͂3=x/N!}o yǽgL:tcameNY6lb{yp PZ~@>7*Q.u,h GL#?fkIП[aѕCѶQZ~!\.֣V,D#nGpy^qd]cr\# saa~\2X55뙦@~*Ox)y!k;]()il", sTkSi涉H9̌Y:$ #`ȕˀHG99Lg~}\X\Ԫa..C^@8h$> Ccʚ+@(zr}Zv _⍗1Auv`B#*ԡ*rzm.T脃JIjUp[լ ʈq.Y꺽v1˚LOK)F dep)reCU *  @(Q[mXJiTаgZwА}ܷlusE}T H<ꂶ7oZ)34Ao9 (팓ʓ? XS ]iD[yDZ,z?iKM JDASWVH@!XT~@4~ws r®;En3nʓ-g'/Ąad `,ǟLwS_ 9$L) Rb{DYU1D/]foV:X@c`4Z 6[9ɧ '8 23E)Q.ws'^}mӯ.][l>/qR ަ͗A'IzBG(Oi%PKXfAe<^wD]#G+BBGj`rv nV{ߡ@nuP\Jo\NЩ  Z?,WR)Ez N9m6Gw(Ju Aj'5Jn%M5E0;gd.dU )M͔&t;Aǁm15a!d?;Pe][M'eSGWԤ))atϬ.kӛ6kq㹿oSalp./=›: m}rʪKYU5\Egz$oab ȷs']tȳ;S|C)&7c_m*ٯNIP RW'1_3U'PWK ..NfEhÑЏɗ@`0oX> bۛ^UkvX7;6q">F?zTP*~kwCd利xt٢Y sUNz~hF[Ow iJPBgDPR1磀}%L1u Ɏ0W6LoȈzJiԁբD΀@h+ :7βQa~EPDyрqC4oJH1489!'HluTuyXȶ5hzb;T5 R9}dA\荸lr}i~^*ء rMC6FA%H.mPQP5>+ &)̡wM~j@긙#sI7=eX1fnK5C2#ԑ'$o,ƺ߿86BÁ,#ӒuT4=65&d@*6OpАZ~,N͂fӿgde8 '4ߪq= .JTϣNyT@P 崂_C]}+?;Ӂx4369A*M>-y~"H%~Dߨb/y~Arb%If[=_2oXM~iq-:r`1*}u  >A[jI' jP V?*En PyՒGQxxOyFSXeL|%\LeJ<{( 4 j\ٳ@JqiBrO)؉u vMe9 Mc$3v-d79坕R$NqnK>a$15 ?tXV42"WV;Kj#essL49Ř,{Wwh%~34. 
`QwZY=H%DS~ϨI+(@0%V\+?&+Cb j';.ʅ0/A^{w˒}L[ Zҷ]j#cp(]^79z; LIOۀjUMMM3`Q* lΗTޫU/IŠMݢ2yV=}c::ah)Qׯ5&TB_KS5ppْdݩ%&P`sBG,D4bv0#(hV(ۅ >|?ł)4Qk׶=Gu@pr霍pOӓJGVy[UK |]E45s$hq4弴K.-`~R^aZtU7!F:1G*}ba7ZAq򆤕I *.4jhY28L%ߗiɚf +ͬ4z^wdi2URku5R' 5qBU CR xdc̜ڮ"jd ܙ*c#rViVd;,8˲;@ist D#f=qXXB+OQf}*b.l6v7Jb90x/mMe섫Z3 _9VhN(T~1gMmdݘ{V Cce/9pSBLH@L vk;7=>Rpkl3DLh*wIrmb{/pI@,6PA+LHD*s$5o_'@컗 ,bH,\fݟ%Hr g̼|/) 4}2|ư7 ;B Oiv jn 9r[W`fxv^''ϦNo+ۚRwjf&~ wZkyO8k} E <'E}(p{=OqI2QֹnFwB-5`9$ zslUiE/V+|3T8C^\\OsX0o~S}{4u6اXyfdul `!4ip^*XU(G脭XڀOP|&`\}e0&q+:60٢J|8=r{bI#sgj\t0ڦ @oyUĹ˫i~LN\}kw4C_ B<<[QгV8b"=Rcq07 C1ךd kI6}iJ‚vg-#Kn+U;ÜI;^ohzW7eí4kloK"Yoݞ/v.kB5m83eVZcTY8CM%:o\fRuxz t,If5ɞW76U-ĨlKR4&+xnҫߞxha'-rSÉ/hC)kY-eLiy[C9\t+v5ȱ',eFJǔJ]n(yhDnuF5Tᯂj DJ>t$4f נ_PjV, DpeC]J+MH\0byIV@AJ &$I"Qwo+< 4%EN^E/u Tcc;yOo JTnCJ"!,H3 !]_,!N_Vwph?NN%fJ T'Wkv ծǩM=ʆ6Ѫ.hH+dvҪ3~A&5D, |9ԡۏ[w,='D,c]HSvfFWGӧcl0Sx!+զIg '"0kЏEZil~?ǃI9j q/a'}5<œ]dXr܈t| 23ݒA. DŸVNUƴ݊t95 5H2qQ̪j¨όOXAR=^ujݰR#nsgk^kG]HT.sӷ8՗%ݛUYIo(ҭVYhظg27.iZ^׆ΖSkQ-7ƮPe@+!RT4a t@&T>AYk -Se-nw,8aCg%#<5HD}+^ y=4GWh\Bd%b:4񻽊[n#_H5J bq{<#'? 'nruSȎ3 g8Pú"EFxFy[Ei˕®]TQ;ijH+9gG8?8IYxHzwȞu:@Sk NFK1wªV]TTIC,yosMVg̮KWQ?( ɟBŘ&aV//N]^/%qJ@6qM"I>1T0Ezt[ n|$ڀR|nY[4@ƩJVs`ݎ!`$9mi}?=^:>/y(/t|zY&(67Ro#!͆ƍc6-PtiUV.hܿD7ߊqgsx62amzKT*[૩$-` 72LΗIx'p jpjV>xkf&|ˀQ>kRHF5X]+Sp*OV4y#b:W}+O!x"1y'#0^:1ŞEy% `өuru8dk!QnS_KXt7ACk},A9,bVOG[꭭완]qS7Zւ,+% J~J`j@5 AǦb-,5ㄌbg5Nr "Dҁbd/fdR1I aD[#=' Ӏ|mS=Fx뫅дI2 ИPo/&GNvϵMo%ư?~)PEIdCR\l`K.T( R82mVFDJ od!JB߁~5$qK0"SxUg&enbDZYވ#5Rh^$O)_AeFoKRN2Cݪڧ[ ,!Mgq_* h~ ԅhu5FtF"lFҜ9d )yIq#BToc>y E1_SφGG mw8WM9歠fb?0_țiYD^ do^J B9kVO݃xjot%Z;f>T ǩl(ԇLv-Λ\[1 ޜT_&Y<42rlDgE3>dZF c? ?Uq4ovh4Egyݧ<_wyv@)9X 5̮3z*rfK{D5&TkWkc;+[2 zѦ,"> \$ql PeFJ=!`4Qmg<-p^S@yEsH^A<&DOe);n Vt0auw MI>c:`fё/zxݬqw|РQK^"ĨxGV z{O#ց}(wLF0ed!q?b:ЦOվ*sm5TM;̈TZk̦0 8yR& xI<4}t%f6mE0HGĮ{|LƔ)I"ا6 Fh=wMsR'-V'[c(Dl2/p!'9Y5 4;nwsQ['ŗCyqYfe޴4 Zm%hTsJT-[FFAi!he|R̽VuJ`m,^ƽ<[; **s81Bb2Z.z$QmuQK/0j{ůzm? 
ԴVgJ[<Ϸ0%dZ;Mֈ= Vs?tpëcY F]pVY&Mdr8 F2/3[KmsB ~9A]FrǒcMm eB\4W}JL`ymqֶj͡g0̸܏kO{vLޮIƥqV*^ӃN|n>9t$& ;ȴd-'(X9?Ź/vԀrO&PZȿ$}F@4 &i֕a=Iٮi7 V:|/_Ϫ[q n|ynXR"VlVnq^I 2h@ӒW1$Yk9 *7qkr$:h}r`f'y,ݥZ= @\\zK &J1CP˖a2smMᱺTcY(ur>01^YBXNOA"̐D BKɘəÜB+:aQEd-9 0vz}Sp'78J5.(0J[&}5)r!5oy(qj c>aw +gT:ΓX (=1EN5ע=sm87E)&*bN|bH\v5B?8@\yYx\#_E|+azͅ51eKã,̸hn/h,(|}Xg,q"?R/WʫZX{n*̔e4Th@2v$詅sF|e+v@69?"rzÓSR>U,픪/_Yhg]\JĎKmߜ ?Au/he`z M` 'W@} ,9lL\XC7|U#_* &$r=,Qos>k:@A\朙n\:P|uz=rIp[:-]D,EMM.u:8l!WhNb, AHGnǒ@'n*akbncⲃkFJm>Jy6Ui$^gsU]7alg=Yh;|~"%=GwCF Qhi\IQNP]۴jW]V;YAÞG\,)Sп/[,t'*?z62dYf\ZNE>TuS x#7U*e #s+~v~cseJ[ƿ]&hrٹ ;dޏϩ[Ṭ|xFt^Ydvս*%Rtu{ 4[vrE͘83XFzrl(a}OG,#,!z߾ATЃ cݡ_o<ˌ%5$nFw\gPgUC9=,G|s>'j "]P7mBd2xGef5e5eYYr:_lFBsk+\$GE g|J($Tud%OmD@gnA\,IiUlHP~mO駌[FSGV\=2BG$C@#KBvP١*=Q}|\X0O0WQFS-ASavG &B˹gԑ?D^d#Z6 @v xmfN-cW]C )7#*tZeZUOHZi9-8I 7{jxu=sAā/$0Qq)#,< gP SE˸C&^c?bqXAL;ZɁBv3B}J!.L,ure(R.| q#ǣ!7E9x}e5@u>s2S4 &CSR~u-ǡ *aP~#!7;EHyhzqIzk-fFgd~ơeSk 67:D--kc!䧁Rdבš mH(.U{qﭲtc^ܼ(>B1 FdeF4ecR8ݔ4U9 S>7.F Wzpe#KB۶ib4΍J'{N K͍+W[+׹?y84:2HN3[@&,dS4'4j{)DU'Vԧ&)2;Z%|CIQߧ$N JCeDh&.b&.K(3㫫LywY¡w'NMbZf|SPnw*YVbcʽFRgdw4Ԡ0Hڞu:]jڝ= !5jH(KW';X!*FyFsƣ7mt Bx?CPEw2*sc!|(KR!H%hT?8jIk4{:rd@Xs| |yS,a+z!o,݌f>*eNuKsҨzĵȘG],vy#~'; yXtrzǑ_LqR'g_[qkxF|'&ޒ8:`G+EKLEL$ y=nxWQj+4cf#c> xNGϸUkPEx\f|6E(\eg2ϟ>%KIoAdAZaŘUfbUqvk30ށ@?.w AX[(]$sVݾɋj}if(<*JU#ʁ/&RbTҨֻuumSE/-i<>-(Kr"ȴdp&.94Wu MEc>i6Q7xjs0^#ꎤ^*ۜ twHɄ%喂χeON8-pc"ZsOS:[rvy+_=(I%h[Ȍ Yg'{(aS :Z*#0sIYK{&e݅&s,/trkOw1O4J6rw9D)nqAZeTVFג~#gecdTk%S.0G}te)Hh.;maE!Y"3/R&'r}pv9嫴u4ap ![_U9bS]q!y*\C aZ) ֊ QwKR[GM]ۗ׷IpeI7Qu;;9Ez(YNL0NjQ c6%` &Ι0PQ\$1zp%EC R8[ V}zR4==ToZ粥 a:^vbũP2&P;clS 篲#_L?v Imhu \p;Xx6õk^N'W~=UtY×:rݗn^3 ZуZl~bVá%X\P.ךM Z#3"*j:  ^b=8KSjvdFƬ4,`k=WUz¨8ϩP ]Ȍn#=->ˤ}TdA3n#5qN{i.( N?5C=Lf)xKz_û1Ŗ݀^;o;~* 5)51 05Lb?3O3X{`]H(<46 [X =H3aBŏ0cixn Շ}TcXp*G+TȞCb+́úG!H\1ųKgTe%h/EȷUMhn, OpmgtVbxMR9긍9+gxIBxd]tvmQ@(<+ M04IQ.,"%Ic/$F(4}+^ 3d ⳋln8\n:"HF"bPJ ƞPx!e9A!gN$Z -RiNuzo9 M!Pz=ߎc#!u xo0?=se4>fo-l"v8!ty\CҖ}8U,{y7fvSV __U*b^PmĢ _Q8RCGCsPa3k+Y=-Ic==$=ԮE&:fL|T-$q.'WPA.{5)8 
c͞#~ɠ6-;$L^ɝ'f$4ZQ1ϻ;O`r!^;n_!,~̅?wUT #+L(j*,^s7sX:C蹔5H Rƒg3Y\ߠtioڇڕg*)A!1~{>0G6\{h1.R48^a svWc.zy`/&b'y1"zx`rA-0_ Ou` 7oiSWd#.۞O9#ېV1(c ÒMֽXt*3U5@mgׂw?efQbdة'(I.C6uG_!.t-G@TIkv75޸>2ҖdXs@tI?`j#*q!XqfZ,A<];8Kl3Gk\9,=>r/>+N@Xp*昙ORߗP9ry=cap2r&pĤ}u ݄lSvK|y3tRӪnVkږOMZLA<}xBp>a:ڿ%2jFU9LXO4R>9ԯ,NKԝMqIhAXKhXCľ}]%:%|'jå8.Ѫ:Gi 5\n O IOԎ|>.2J;M2zj~= pqjxt3"D.nb7ٻlVgXy?qKV:SU`rV>gV9yۃz($YYMXb2!j.?Xs.z窟b"eK䆞z5uȰo:ay=\-/߆2ID߁P%d]UpK)'F)F AT e_pÚ?A}J\C!Y1ZL;U$8) GbҔl&`P=tH0EҞˉ!<8`E#C cs]9iKX (c=o'MAZ!r 3Oom73Xe!d fw?c{ ?VϮztÑ9+$mc\7gKDdA,X>`To 3~JN*ZrAe,:1]eV ePC(vlj[0{FDZ%7LNwxV#Pw쏝jȈF1ήyxo|+# B2O vI>(V6q0#OM"4n1!. m?&i+1Wf~/I|*tNQ}c4?WMUq<J:-!Ts Hc,2& mJxgC5+x@,;1A!xx i˞sw*mxh#|#ɭbo:a c < *0ɓdtHC6\6؃3-c}[o.VlΧ)L~g!p^=nc! DKQ.j*XX=U)̈V}Iگ'P gBqIxL%;+|Hq$Jr+H@LdK'7RvUtj0(toS t7'{8t z\YA1s9=Ŷ&o,RNR!>~P01"Z{T,ͯf0no;I'A[|Q2ۇ'3sf !M>Te"蹋jTo${aK$htY6TODW5&kX(_hODIW-!'twj6*f{bCF jb:%o.Kvτhx;F((3{E)Wb6 ,ۑɵTi3A'h-Zv[ Niџa爬Rsyghg;ǴՕg<-:әH{ٵk.N06=W(:_9Cj0}xmžx9˸(htc]0 ïޑ ֤(^#Bꁊ7Hq$pt)uh*_2| P#i:SV7x" g*2x-?r8 k*(+ZC¸T%]bŚ"g)cѐ.P,m9~\׫sx2+@rrM`s{>ٜjʸzJ^1yteKC`}S(?M4>jUϢRF'-a!7r|K݅e{6佇cuZEܲ,o~!ز`]f V^wأ  ڌ:s08(Ⱦ[wV$XǺ<91׶vQNgnvw>`j1P}KoR2vb I<< \[en#I 'C41?^BZ8;gc8#մ| };iE7%d`PR[ ]8ICX}?3]TX^tY7BEa#-&L碹iL6ȯ9=?Ӛ?<}{Ra\s;3|'5 ?L㳱qE^v5ףfЖYx-KB%]\m4gh]Yqm|E5&5zG%>;*%u͔2Z _/ S8L`pzg%Ec^QhfGCo mO ͒\c#Ѱv4(\0vN%#7to<Mɺ54;%TLF9BJ[tnh<1T1J8o*Zid+aJ! Z:.q!pa- zo w)H bf3'҉Cßcxjc8JJNSdQ4#KW%83ϴ0cY)O@E7w6E>86=݉HTVu=&R tWW&#&֡߮ E0?xyf˳{PaعLg#jpiD71@~ a~z:!,; lR_v#6$㰋 x-7y=m[>XFW{-( Grq ّB}Rpd1%H:ky1g )!m+6ll:7V~GԈ4Q^ ˫;vKhm[ʇI|tZOsڻRFkp#X:b|Tpi܍ޚUK3%Q [M. 
9bTb@ACbb< N;*X,̑w&jSo*~IƝ`T|JgMyOe ןj\P )j ?CRZDZ2;HDM[AVCJ]a>dkt ~ţEXG7]zOT(]R-F Ys_MAWhLMu]ң.Q)X&to$n42hnA/H41hJ4_ۅ'/Q ڱئuE/]b`H<;mU3tP.Nț՛c-ko~S8Պ3tAh0,|R\D-3m Y}FT]@h8AQb}T4 4E$?ɗͧ&Bcl1w#' /vov# "T0YRܬn0MD1OvLJk_$a5-)*-~cg#R;gF ARq[[]A W2Gt3#ylh)jlBהכGe&yd$9q-;mw`Iz2>X`|'hA< qnf; ߴx }g|ѤU.5woof6X?Ո$4v]!X:𾰐O)[>ԃ%IhLxL,>(S{.?⚼A""B#ASD^%q ]#Mf$~n,.9p~>-YC NoYɹk^_{(u:Rbmvf!C@D:]2 G(@\^{"lhz4ZRrIZ/# *c(X 1(JNA}Q;,"hi mPeK˖ 7'VUW!eZӣoltһL~"yy=X]`䳒6j./`'F LbGtJjkt~3Dd7p;wARާ5{5Y !Lq97o;D'*lQ5*<% FGow$ r=WOYvȁi/ɛL)T X`%J f#35Rfqr8vj4zئv)HC#/82.&X@_CREo v[ 2jM/C񤵍0] zY*ok{}Q}Mff2ҦKe7;-r+M# B |Lf @acD {˳ޡ4jxh~ Q`z=3LTE%3ByٟU'MD]ې `X§ `DSDÔBݎ7geCnܷW.P wD̿QA+, \k* [ҫ̭fLjNp/Ÿo 2G$j}_PoE}ά*X{}TF qy j]gtڥu*e7QfXjfp0{D*ˑ*|J(S Ig0mXO^؀75!9$Vwh>` k6۞8AXAѝ֛`g]:BMK$e ֯l0]SB6P]?̭N$FL#Z0O16:AV"&˗mԒ\"/i&ֱ@Gs*Pq֋Cq~|dgY\ιhFNqgeN@Ϭl [lz$okW^fH`Ir+t4+Ab$G}!Ұh'GƠl:Col0;9*^uOPQ 9(У'eoMeMEó1Zq0Td_}*M=x VUkYLc F ֗Ž=)xYt@N2K̪oY H~l'mi&8Y5 ]cB.dHW>jayBIFĤءW-J@%?@eoyxpĚ꒸E١L1X -0`yxt|͹|| )12]m qά_6ﻧm:+߀ Wj[d;X~6 eAbTq&8_W>Q?uN,+:ep<1CҦ-OyL#նVQݘ#:Kzyc1 &|˝:0:Yc0ӈ0RN:7'ĕal1@~e8o<^jј. 
QBlİ|LuCE #UvϐGp򃣂6o3wVϜXc $DLLαl # ndG?Fe9=S?nwGWH ,1.h}}l 0Q!~1<}+^g`2}.{>Q9'ޔ"P#^i>z_ &@I\{ `K!܌ɱ~ 066&$r=wD0DH.A 2~ )Z=o9M'~ыpO͍a/ ZA=7JOQt5BL$9⤷ܢ \U?sʾ:W7*^ ݎbEOWK)6tS2YZoo'b."-_x3=˲FIjz/e[ʉ<a7O+GHഉ9c l-NR?/}#Vޜ-<}Vn)b lTЋ#AHU#[p3=J |IjS M{nB͈Ŀ4A@80MşC[krD.R/ұg-%+,#nuA%<}lnt]hMV%fO5BDTgb;SxEYTD,!M1ّ9fps"U0NCVP<8&4%AW=M*CֿwSmE` P4UlN>IP}]b LM .kUohlOkx,lD*yfkVecU5}T=3G6Y`ېY'DF'} )(P48BN9hnix'2HRVM5D9S0t+ukg!‰a =~~\.IXaUQه1A<|<͐yLg_o._*ei`T3y (&|dlO s;3q $ֆsN󲲽|2`VA"oh2\\ұ| 8=E3+V2LY0hׯ +?n\=pDVɱ!c޺ yE5)QTR?i NTq)y;;L@:tA2D60֓%k^Xq1!O-ΑَbX%+)zV89I% ['^ xE-t}fG?*ͣV=ff?[%:s}kĺN4t1|).4 k[ IfZ,Ճ WE013U X=, Rlv#^zJSQTV-Ԏ@HP5wiMgP xj7y 놸,iCqf bA$&T{'?1Ar&8*wg/nɉqPapzzPQFi>Z;0U5Xo4$n&+7MӋ"=h\w2{+e|kHJv/4 'bսm|&08P~J06Ċom*w^.8ޤM{)x(,VT#6?y rXϦMS#DvpF %A z x/‡*wK/zݔ^g*iTcvP)O7Q"Ho7q/6=^i 6~&G*b]vŊ,4̒ LdZw]TVQp \#b4*sFI[% /I gH[S^GS@uy^'jIA1 j[pAM^FJ(:IP90aT6 >US*RR‘ăyfWĬlՔgڒШq%u\X|AXr}Zd(@wvYFxj7y ,Z`DR&`Ջe,mb zH0.K1>?#2`O)n7ZHܖūF6H<ǤR*GH^6>JC#; дa$v  r諼͍9C=? H^ڕV(6ϭ0*^lr7-}gjKD!Map%[QVx@`\>h9G7/"2@) _9뻍9s C7=+7tIQyX JmtS!.jk޷K7ا ky@ :`1O3y:>wԥbIg&nVŀ*+_LL8ns FcWfLBɼ|o- ce)W̦.1yLF-{ȞDUįf-\pj^A<ҥuh G/q5h`|pmtaЙ{T?WG7!'eiD8 {CE ݊HK766RCEZ`x6 '+?D  QcȞh2cy ޽]z5+9n T@Kӱ1Yf2zI:גU.pU+}DYPwp;P/ByoTppIG)ZuyoAŒ+:«*}NZ2BwT~s/Њu [Ro҃Gr,p tg ёģM/o),&-ӫXcߩ;Hi\ҽ bqR4Ԯ/[8-ي`<ݘ`I_o d8DcB#)}Hzv mD2o0"+08pFlzuTKLE(Y *;`z~hQ`HiHKeVr@1݆Dy;zImLlbŹ֮u]ZS3&S0/܆mf6yGE4Y7@'b9p]A\) ɠ~>~K9$RJ0ҬsŻiS&nh.X UcP8Fo1Y#Nr9;|ɳ18|’ݗ&e 6Zb n BD5\ "l# QɑlPogAYi i#v0 XPTy6k=&AVo:7! >,-ڰ;!Uql&n{g;Q -.Buf} ]WP}¼~a1oM Q$kw' [%]qڻ/&9a{d+oe{GF$}۹M uH2u{R{gZlZ0qPpRlu nƬLH 5\O`ezQQf!`A!`kԳ4 ';4h65# 8%\=)r$2n2Zȵ\#R{T#Kg@J$<Bړ) Icj7sMk]4QN&!oM}Iq Himŕa Emul(%7ROt%W&F*HMFẇНVpQγ̕7[d`ޱhv;]C%PtCC Z;Q+$6"$a=V-1 Wq/{QóŮ6r/cfT;{7gtywDsg? ;A7Xipz(%?"(&?SGb,EB$(9z vJbA(^? 
UTb[V.?K/͑`J:r}KjH 8~8#L8h(4]ʛvTFG;e/<bw~]!\gz=CՇPWCgpr2jڙ6lj!E~ FIQ/{te_D.^8FfMI mUb5J&`,\׽25{0cV p6>zI6g_~RFGzi< :A^E [~(-NHx4_pK>m|5+˫Hj"+?劁B,@t`Ev&5Un8C` T\qE=aXt!fF a26>m̎}mN克5!/UU\,GȽ7 K V:Wɥ7 nZ%m\C[UՎ}sɡNK>T8m\U4iG`X;m_/^}@N[4+ :vęNxY] \CN iwټeBkO3c*.7qϒ _O7/pR`~}whkRgnFn*==[ T82Y~i]:>vćCO_y@`~sa EW,!6gfk]mW31ZaJC!"Maμ""X؁旹Wf.gc5͚غSMjBtyLJVeu4N#q~Q=" h޳HSޠe\{Pt眰['8dIb C.α'vK:-~eHj8:(ZEye4c4kTB1&"@7k] F¼=f_4lPRa|KfJ e @}ҭU6w0]0Ku-„_㶫zc|jᎵ?~&ݕ.FmX&Š3yA >#*'r(smtD=׏ʧNj9vjxDEc)ۮjes(/w?Xͷn:וN.WSwO^63HmaW@Pߩ tE>M8M;|DKCg݌R2 CfBߋJLgR{ܐ)W5"p#M:s~Ȩy#J99eW CR Ԯ~!rKt5!`LemQ'p\EZYS:KUyagbDRsjb(-`? D¹cgmգ _UX[.⟻ObasOq x XWq 9$OSb-& aH3J<[R'?W@m^PD-/S\F ଀u^ee,S+]4pM;zni_ч-.3Qs! Ɗpm)NY@vhȥXъw<4{t;Sl;`ԭpu7P~HKlht^nmU|;˹DW6 %ui0X~u4✇|kDGj%LP0 i ˽*p.8G[<L[ؽVѺugX*% r0>A>-@˩X`-*'w@$rjw MW|ϊoK:gwɼûFsxyVJ,nAksVYo3L(Z4=fu"@yIR:Ԙύ$~;P}imaM4jB!Z;#򕦊Gms+nA6Hp$%$?szUZ[/LMQ窾֋z,^å²JkN!b㿮A'!tHbXdV2>ͣjԍE&Ph7T7tei)-0Eg[o$f~JM01| 7|ϦL+`Jb/0JsczQۢG*BǑ26V24`xe[]f"ؐ)`35xmF@6 pDX4AiyxDڎ7eBTHRXQMjCW ֔kk/SSJ7ws`O^~=f DRtIe֒1aHtT!bT\y84o-c;NL41}z$`_! 4 +K։oĝo4PL;V 3e뱈?1Š "9Y&F{1웴L(pb14\z5͉%oe(M}jƾT*Ou c73LtҊLBoEp5yWC ɣڼ(qK\[/#iڊUO] FPmpKc1rvAF3ce vDkG2POv:Ɵ8laĆB9TF <"̏,skc{qM]iLx=f0f-/׵ j`Cq.FxoD=c~Esz=ar(Y3!3=0 ><606`o 0K(Xmҟ®F6U$j<ֻ!,]4?+r~Ԫ6PaSO@Lqwݽ f`5+}+8$<}r(iF"Ѿ2-57)ǩxp x tuKQ;!vds=3:L:LLsއ~7ל4sZn-i .Sw 8$_khm뙓6G'JDtj4<1"92mfC%E!DJ]$Yo (zzHvʙanj/4l{?u5 ooq>Pf(]X?t}A>~.Ȕ({#̀d2hP6τqi.(Č$/骊㒮ĶrZv9ݏQsJ]j~3yD!KT BjcVz ߊ 6n=WU_+D~[o(lp9+ɨ׍Vi$#(]>k۔&މD|V(FDUюVh"Xpf7{qvfWf- I{~,ܠtL0]L-4:q=ޭy}礼¬p#H#܋e`~K]O-oE Wjo%ur>)T d%;O>2b ġnϓF 08 2\/M΋kf2՛h YǍ8 .&K 7Q; 6<F'i݉Ϗk%mE+64~`"T)V Ʈ:7$̴AhB{oCR`.=J&,q[0r jUJA=XT}[ ȏk_Ɔ<±y4h7'jE5"eaBɁ:@[Py ǯ.vs*>=Dk,ݓ'KVtt#={WSEf',m?ѹ W1 @.1c"}>: ? 
֔$|YVstJ>6 CWwK7X֚!TFr0\D2MbgES5j`:>{9kd[&|YÃۋm{ 3|RVN?FG8(d>38/j)`悛/~)#VyM A˲~pMpFU{PI!xo&%_b b]vEu`*,-w};QTu΍vL?:Xo߉@ea( v {, k@VGO߷YށZC͏ދ w;} BK9DF4"+w\^d^ت.ηf`esԝ$nJfRsj7|7̷"8wHB5|⑵*O TÖ H A„V~5&4cHN7#N˞6vw2j&yے΁!Mф!^S<0i|#.PbN4[*ܮ%]Alqa =]Hk˳,"\!AICΦiL'9ޤּuU_cƗ[>q\bz.Yg؞庲ڽ9EdU$?DZv~"ZӅr^AG2kkܨDQ,<{t26Aiˠ{ٴ;K\Q̓J&ЁD0Ir:rt 9_ 6іIS)v!˙̰uE3AMT{)VҢ챪j^&\T83^,ͩUfs4 Y^,p#*!#BvXJtՅfFJ \™o~Q84O.Tŋc߉i!J10-wMIl]a;>$;%/8Wb)Q)߳PǦS#x3wQeq_r6-+E4v@3nԿ)u!ﭮ`S:GU2IJ4e3 h](&d.pd^E*Sh_&kJ$FʤYaB,#@Y19|Fx'GM$9o5]2"9͞@\D}jEζJA+#eЗrJZ@u;΢b 5[RyܦRчT>6 Tr0QrAGWhRi,v^#|rXқFƝ,>K1G|~~:& Kc4N|4v ? f2 RˬLyL]aoHbcl5PG:Yc.I+oNr.س|u7 n:T3F!%iRZPz5֪s% .&R]72d<ׯ.Wk̹dcF>ՕFK Acq|YWl yXx6"w DI^H12KxGFmy9?1w._Rr;D54F~"0mu7Qiˁ&4@ݶH2ºQb$&!L&l4ʒ Ta(4jgImw.D2W9 ^Qqg3g|~LԵN ]Wiw뿃 `Kr 7|Gx{ ԯqa+Al+dR[%\2˦.B#m S$AXӿBXwh @_^ز%g"e.kJLH9ʧص5hpD_˹!ܰ>`΂h=.#8ehr$>s8Tuvh`/(pr$=Pn, 2 ΏI޻U@!P!DU>xTI 'HuAM` wg*^ݦm#^o\Z:E֔FM8)xqa0k ]}K"^óTKϖ]MEB .(պMR}O5cC^dP\kv2Vnh3TG)y0@`zMҖJ'. n"1Ù;55,+H4@I9Aր s?MkNY7žGʺ=jЅ/jZP }8躀|aF[x%MNor %I$\c~(:ۏ|z[sc|rCV "![ y@[4A^^\^ T\Fc\DJZ ,@Wb+8`ܨֵg\L+_*6̎(Bqo]%))}x0gʥm|o2ʎ>>ug4CShem ˲,ª.'ߣtb #R9 wChNh2\ by[RAUBPuOϘ8A)?7ER.s8HlWYQ L*/u*5k{Vu|'cpDOk&1ZƶMt!;^蜾t&|)xR򖻶䂪c9@Kä)Lzo5s01} +UY4*صFHF-YPh`()x3"VƸ~3{D]Zʼnrr+N|%F'M'`OᇝAk0|ǡ:o?_^wQ?يv_X0O\c 0O0JӢ>I?4Ѳyx|]̢w[Hapnf_D ):'O \_HLeJj@D@8& 1̐f|:fHt?xQw|3Sŋ :sr~(hBpޮbwL˼Q)ENŚ\kՍ/6>)^ȗ~C9VvCk XN;ٞs} P@+kDhf8SbRMA krssJzVUmύ֧( s%yv% !zx=GGֵ Cj젵Ww{pjf{Z.4!Xkt'Zi| ڽ7?BAzgfa4&4,AYyblcJM/6(.oPYv|Ќ\/ NtIM̠Rn 7?5bqoCG15~ZMS{LL}ge9f-@0B @?,\bGR!o;R5U #;Q6YD8HWȴ'ܙ> hd[a"_lQW ˵,.sBG 7Mke%A DxvvP>qm]u>U@,RsF♨}g9:wLAm Ӈ ?P^6'@ݘt5[)ˆA}Ex6,W&n vH9MT9Gkj.A8`uYZSyiLKGHEI%iƤ/:= E{bPG~ LƂ 4}[k;Vro&f馊,!ex #4Mr68M5iD;xu]2?DJ"R)(fW$%ef} J()hh_>Wn'\oB(Ǎpq$JccY.=K a:Es.ɧ@~FY9eVBk<9(IM#@okHl9|7J$ ;ef89\u\q]ޣ>Xy:}13JF }G`M=8PK'|wtj&d.V2¹C4U[ 0@>/V1vu!~q3KKlVi0ѿm[Rܓ-tIIδ]G9@;{;,NHE?)M}ԣS.cgy5h8ZD( )|fA7 م> RƉz=37w7%!lnU{ֺ hZO$ #-f{(}9 CxUhV3/2'ڊ蘆fO`7{?,4m2pw!I3grѼqdq\4L0DxGxnV![i> \?f\ o^;5 F0QQʁ_zPKKY䣰zP\2)-QiZ@6Y<>Ra\cAzGC7[)yz kJ'KmHT*_fS?1lyxLisw4=9$ILf$zC엓gCb8m`L\ 
MBZ J')\v71Uv ᰣ5(ٜz@Fu,pŭW>P _~L".˻*V4?6BH*cԹMvfZ]d);؅,sBץPlx8J#k !ppߓɣ5M4jÝ FV8e'2JH[هg=7ǩJhA;AY󮼛t2 E.1{9(9ψ t(iX'xяKeSB%]~#e(K: Maȃ,ovT͟A9Rqۣs(O7UXM[= 钏M8?8XysҊ)JڃLpҶ!v4A[SΙݭISq#3Mꐅa'CU̓kh[%,0uU;[YW%ׁ@Ӹj^"@$*`$`4"V0 T }d30".|6p-h䑯@Hs=X`ֻW:E!jdNć((FbHfm& to\ߖKڻǰ~i]Z݋ o_=G^gl]\uh۬+YD>o7$Ɖfa{iZēv`$gL MVÚcy\V@33'm([Y9֕"ƬR9} \Ų0]B%fNܒ:_'}1eOU gƥk򢳷-`'4E,@E ꋳ}$A֬xyv&=4ATOGxA#nb*gjthE+ V3O_hҊ2Y~+msMǛGx`y'?}}Ti񱮧O 2a(KDN\K_"+9B5)u#Z]~lFT~@b8D{r1D(ƒP9WpkSc ҄Ā>IcW -ilMN4.Y~cl 5.¿fI<+%Ɨ H5pWW[U$պҦ6Eq^D/4Vpk5_Бz\,s|%OgI+s`7tjorw#_`a%t r]o&dP|ᅨ5r\6!4@ٵUUTUfLQ?sα@;`#/DCbhisc2JO쟐Ie4-k}_A, mJnc$ H)\  y}EY̳|W/fقoQۃ3:e32{Q@ӂ>W=}>pTt&C;j ^=ܢ{FeGeHqIGIP-Bsɿ?~B^?8\/ `+r #9DMiLZ*t•'6VҴ_ c )1,^N\g^˹Ttihcܚܘ3Dy9٢ ?l̀AU/ |` 2WQz0~(ŁTt{v|f *l+8YHj~.p1pWCZm/HvPE0Um0+I$j wСl`/,`/=iw{!D^_T'JWk-{>yI`aM i3wD}Y4Rj]ϕ* ~ %R dNH/)lONgy1}+9E_2_I׾v+ogc)t4\i.G!{$A^)[Wå0[|9s|י[ 8ʄf<HBkS} Ic8s Ebh4Z&3,761X#S΋H=] Ǿu%.e|?5HxmWlP;wUj ?C&܋i>qTZ'U隷g5,XJPK|x+aߋh+8^iG3PmH#pA3V*CF?1w,lr&&m2҂X@#u$(mC7rzOO-1?|oz hـ};cѐʐ?p_Ĥv澾a3@j#r5 siW, _!;9At}+ e%nXdhnP=1uړxTn~oqW+OEޮǶP_,T:f^畫>VB~{UvɜaƱc\m^ ':NPBf;GMN9cl/)rqδ[Nc^ @ʉt#=̆>G^Pab˓cnh#[^%<̀zf=TRkuSbq^)#0QdrBDVv&py!>it4(K[UG^'*2K*Z6@ZĈĘ S0k:J 75?$!/QBwNOM;S:DAt-ԃET|iCX ùdz~VKu:4xl /aLK03yHl!bL2lN-jQ` Mc˷sޠ˿mY>+j/c5O:p[\*Qɳ*̰P/@T.?(!-477.ͮbME[3[hhviWzL-!K@~^Zkgsc^C+snҀ8fr@V 'Gw2 =QΠO=|h,e1oNk0wRz ܘ8y6O'ϡ5v@s܄i+Jm†n ՚%6[nxd+ٜǒKߍ12\]QFp8;ź|pEЧ\w)Ef HjyySsQˢ%S2BtY_U@Zl?}( 7wL{ !Ns2 Vl| q_>t-f׏O3J'g'#qfʤp ݧƷd@EEIТjU|ŝ3+~ѝr1OCD&2M˜wÄjeN4$ q7+(55d"Dغɛ^c]^6I 0cRgɡLLCP`%yB1#~1"?C~%¨L%ȿtQyt 'yVI*aAZaF_S(NcI{Y%KӱCР3Խ_,'StNɞˡn՚IGm7\ff[RTO!%W/ʑD_C|w];dRW׬U~NTV&k^Stms%H+"B̐#?k J-> a^sucӉOw_\..8K"`0T֥e lu]:B `rQVEe>XƝ Qc1:?hɧOPpr~QGB?-gUpPVd/Ҡrl, NlŵdmY/O{Nܛf pypvB`gkˑ L>Kؒi2zH0n쮂Bá?pؑMǔ'pq*z]yH~ ڢM|G pk ='5elSHboK,{>U /}3F8tE.f2 7c&h[*{[p9 $JCڎ =2zDҗ* ow)G6w)U=\qd$' S9ƒI*3^> xP"8am>SS7k^j B'MລW2^<+_%rjA 2c$Za%Iu uӯ6{hkηValj)$bjh}35ћJ&c#]-@ hkM0rqaNGF톙ן9=& G`Zd"AA+nSX 2  ~aE{,Q:}AqZ@_%j:#(USeiqըFu&XK$|ms&B ,6d_/͡ܣP<>zm@֗ϷIe AMjj/j_oG螤θabL@@y#LZ'`2";zzMS]YT6ñ^czB+)w=^0Y$lωñÖNdƣ 
E2Jq f"nyր\f8k'JF(x )M?mc9iF_ƒ$ '! A% ϳm:؆A5^ؽe" )2 "@10$b> p& BH=9e! .\[6_n.S!Kn)Z5 M14j+vĉ\I@sJT&:louR XX~,:MKW;$̅<A _풚M7;O$v]5XWg7V?{wi.ZmB&Mgi :8N3x&d$Aގ+č־z}n$YsR_ gf:t\U {RKT̚wPARE K$ץ8L=[P4(HJX֨NuGhAϡZ@ Bu0 'Y(yt茁_Ѕu.Vg{rìwmua0X=qi/}eiWơ T%(v!v'O+v"Ԩ˝cWd*"\@cA%ī쨴CͱXV&(&ʳ!J)j~7gwY11YPzXh> k[d,%'XsWf Բ8l|;NU9'@n4b W7w 13 w{(o'HrN6 ׂݶu _TLY=N%i.-s^)qBP~?))G3?{5eˆgGơ9Τd/LY~͏BGEE׷o|JˤF@AӴsS %{ ɛD4Z@ol)5*,VԿҵWE$Ba<0T+s2*>UExkfz6bK5+jv<5^muOo΂4EX1փ5 }q]!*JB\d5^,mCTb'? *kjV9?,8>ֶxtS"'unՖݣhf,tɝp+5Z^ɱVɶ/^kqZ'tY; )DŸfZ,S4,LWrn)}8>1|SyP`a؎k7i rB9Ѫ{It }P${YiThtL.6\l25svč_(i jj> U5u#+|Le$@N1:2ۆKGѾTMHjN4l.'U3Np3>yfኩ$tc_0:X3/qxF6^BKX8lƀ]5Wщm{^!q4tb}#Q1ޟ6u"M)oN6t-zІ8('\yW,?&0+٪$M0Կ'v0R5s(vd$L{Y'!uQ8\V.W_xR390_Bﯟ݂?>K Ne< :;.?ZIy]6Ul(ΔU+[Һnx6dO8xu/ 'ҷ}S&HYdtڭTZ+K./<};tr0ݷT} \DAd!<:'p>ͅ"L++4{S9%=a`o Tս2_<~ C9ŸE#Ӈ~OҘeSOLf:pv{0>wL_GguнCNfj߸"$ʘ3-hӜ5D _5A[Jb%Fu5@z(y+i9!,ӻ#yػ#.vݵ`zY$iO>)b&*Q#$_~ 78sm"l`m6Ԇ?Ǎ/X"wVGZĺ Hl@P"Ҫ ~~AL';P@ْS^$C]8L :議1hPLI&nEvK[U,/ؕ⃅u dh DA`9:r0*Ybc!cu*s k~<[r :X{WV 6 (O|>ռ\Zk=n]:8&ikYv %A}ܜ8A2G,VBk(a'xz"{6|ѿ?mrXavp{Cj2Av=25#`}:![]Cw'y/)!H!C@OSHrM__CG^=/nnc5]e17vRxu0=faͳ;t!hA@iiO$L߀>/r%7q3I7ZbUיKzթ>eV|k1ˁm5h "3V<oO#Py:9\uɆltt@b:[̘G|,)1Ay J>>kjB W<WY4Tˬsc 'ב#C-7c$ljB/ؤ;%3\Rm'6ӕΔޖjֳ"Em{%T#Og^QF8<2 ?^%F&;o,1,uDxJ Aq-s̬](7nV<<e /HX[f-q )I6*A*^b$=!=_=702iY5\.jmGIvLO==Vj=VksbٚwDr1Iκ}TjMi-lUB0Ʊdy1)D;jda<'fwObL*4c.+|^oO6a%j M~yHs*ɝ%`D^j-Wo$ Al'(xk϶ִXT N2 |*Dؽ P,"e"6JfN<{'sꃴ3 9YN-ޫ9"*c #b g1v$;~mg\ 8ݣ)Fo`ylrSmXO5wqlP/%|NeWxx~~zacYi`DZ !o>h+GMljKLgQqlx-7l۠5%ݡ TܬL=|+>zx;З'{òfxvѿ^i23k.N1#I(f =pӽ+?>N"(.(֤Q\qNi0-R'kN$bB5*%ң( / jľd#HS?X/eL_KUIpΌ)GR%."yV3 shhJiR\HLd Ӣ>HtX{)dm\{ JJwWF-1K,̖Xg^GE]I:j\OMe R&F5Mj1fAahxڿ { QU}@^4 ͹7H01ɠBZ`L7x4Ob{01,1e>("VRj 5ii /fzH7^Q{}n>˥ѩ+Vl`ڵhah~bv~hQҁ^iY=zTv/=]#zVX1R;U:q E[ w 0 TF543a-Ae1@)i5j0`)DdJ׮c vqAd|rZwzfb&ȫ9E6P#rvO,v%Ы@BCWUm ַ$Hѣ4N5if{ƒjpA(#ϋew?.2cI; +.Qק.CeWkST4JD~8/AtYq$NrJ+?OZJ69gE9}K^Ȏאcdhtr:v,yg5aͦVsiEʱ$ ^ol'_tjh:gky[㪌8OSA3"~WXLuMGX%S,2Fg12ju=\&r0P8Y2Ǿi%$lZpnI uf֦Lw~vQ98(|rFG3'nK8w Fq,s.p+01XtB{jpk? 
CP9J]W~D;{I~0aSsW-u1ocU>= ݈T|Z{Ă BBjdOւb_"?D~9T< 7I'â8~&vաl0僞/ Dɩi5 kz79:we6{gcVx('7 A2҄ngt&DsSyp>(SջKQV`c'.W@61kMjH˔>NS٬ -z+e+ xcsP&19A[ſ"0?u3# RF2𚧊dh=sܧ>33XD}(w;L *AP]d:)()>X]䗜"{^Smn1 j<}-~2pR&R٬SYQ6r޹&OvL շLGe<'x3&BFg(A=4}]rYp>}Ylfīr5tsK<)x'r-mr Tn6r;jV +sG0 ]W6T#o1Qk.7=1+kQ {M_wJt.~q7Wh`~|Ab'))sࣚZ*1H0d.̪I F,u$hr̈́*xbWۿʫSOt}w:iai!^;L1֎ۄd |w!Ě!k dxDc{, drwZ?Ӄh,Z;SRO[F@`Ld#HjWYA͎O!F*ᄱjwER?Pxm,ˆw '-Vo1K2c:ZPJ[+ vI@1HUx2'O.ˀ {src;$xƑ3O~צfH]fOxir\$_\BVΎjۺxҨ-LGO1]~8~am#1beqo83,FP_A YP=ژ CHNU_,<Uk]ÅK5fbɦ uŸoRS% ED}0 t->3 }zuY]jq. GTmVHQ^GEݠeljܨNסX+2ſDlBj 8oqEb SHȲm:({$ސTeFduhXF;oQ֜=^f? k~]0vԌ::5@Q&gۜ|߮]6/O~!AEvC:@IL$'+rSKOfΞuxF>$'V\+ZrgÐ!ԙ&?q@ď/qgJ68Kq87l=l[mB~%j))ZX~atO=ʥWU`+eJbA*ɔ H6"\Gއj@VW&!3H.A*X"]/2?HF?$]DIwx~e C 'j0ƛZ?^_,}lBJ2d{µ9[hK-ęc ?M/dXG٬_ J?dԲ.+c8fU 3{d@sFәGN;I'HU,dX A&29|t{fcבgYPh0t[u{ h*-myxª<6P 66J̨A`IO2ORoup֐DfﴽJ|c׫}ExQ.dMV[)db HR>>CcˆgB*4q@b_b0.72A(ј? sQ"=۷9ʁ-J.7?VK<{K4M/X4 w38Ý40%LZ咯!%t$Lp'֘h˓hT=2ؼ|߼>B JoEOTkcWeWx{Ύy}۸oe 5ZDZ"7wvw$Cɚq !5 y3nF+ LY *(rPTej\ܔ+tР ? Zvj+Lʅ:1V4@@UmS}r8#ܔ@?AY+F6w w iMyC-ձLؐD;;A |mBπhi AӁJKIȤfF P,'HNw^Ic}OBQw\jQ"3@XWvk˖Y+no׌7Y}\ 21G q}By4@Y?\>j~R/m]@ÚT4Fmov fJ)oB>x!+^^⻎ѳ' [w hdUlMݎ{R):"7̼,3.cFsfQ= nt0_'"` ѕD᳖7OWtrĖ馭)#y`ͨ6KDw##A"X&絖*f"閈eF ꍜ87zxtҧ(If, YFVJ`:[mW.vGH}?KQ<4ClԉRNRf?hOAeed W.@e ↖[e7y@-9C_02rD^rȃ}N} > ϡŢs3nR КܷÓl$ gMؗ%`-*NXQugVކV9Zg^ HGX9_$y!JzSBo>C\ھ7˂XNVEu5KD6>Ǫ «1yѶ[, 3xtu[W-;`LFr_}@4}V1%.{`aP~J1oĊbvjTu v@;;J$c^,(IsaZHnX&o~6]:^x۟R1!Y}ofm' #)訅zL 5n:yj|g +»nFj&EgZ2uêTpX;uSs*QO,osWJcQ}!oes[ ,".'[ߍZ԰o+lȮa_hGuG͂wBtΒ3HTG/s,qb1}5L_l]vwյ*[#"_hGVLY:WϏӶMP֩fYhg?[P4zdm`^ b@S[-m PuNTRqCG< W t>&Hq: |6PD"j)!X1ts绑 flB<+#[phy1[2yTp-M_ʀU봻洞׫"&ug[mil&0RҊ Ͼi`Э׷ZEKj*"H<V Y P^py1LUB)-3):la,C+wd*%FE\lƝU3p7q7gP6 ̮;SH1DRw5$K4.`R'P.ن;TfV8g(G%##|w#P6pb`gON.]di X,&D1 )V4yaJitYA+u֜g!=nmTV\5 R-=Nj<.'{O-9>nvmjhQm:n0`G}W#6(2/K1R]Zdnjiy3%޼oSd {P% ({<[/'pkx%~r!m8BX'yjQKi$b%2G-I3w.aӉH kIhv뿠I g '`As*b"N2-77# 6QIJ_'oA]r/Ird#G5d/ 9:yP} kFwQJ(Pis5n߰<`/X[wJ};:'7%&lU Q  :x'! &BU8%4b'A#_tcͺE_^_7;#e *M]0­Dih [x NVYWRH9j G V1) 4rW"ڦTCiv9z7 TSӌ ? 
|umG"VrHg!Baq:О;@]Ap/, huv>s]o-ZMvV7Zaj*L'5j,'zdd }&IMb8QG,=M˸7*w=1ǒO^ڛNn!H3#< 7J/4#ݚ5r"*3 ʨ֜eYwxۮGif"8WQ$*p/y^"n'j˶Bݭ&)ʹ\?Wv٤I$^OOA<$=FNDm {d#-#B9m;3?y1y澪X?Tl l DZXqc|6z'zH`3(kؤ{Ͽ':iIkщюqw= Tr#AL*|䬮âj6^ktfAr7G,+“dwڑl'6O wv8ēc'_*QWHs!=?'ʍ*0_}DYc ]<{9[>!EGy5^FӖAG&+ gV_Izz.~tK%]RFJwIq&#W6T, }aI]$Fx)w>j2ۣU=Bbyk La!F;V ]O`.Jv:cY-\q~Q䄗A,+77DA[p{.3بd,ؐY&dP0Ϲ g %IAI5Cۭr@n'n4? _dzѺ&KY! -MKkU3 CE!* /im |F+2Ὶk\jkw_}['|h[P?DB=D.5D N aP^gC`#9s[z_\BcĖGߨߠfj ;K 5-#hmĚDhI&zBߺMg~fIs8rOx09[8p/?C6BZSmiBS&i tZF2h.o_&pU OS0xc_3 fBx@ڶeҥV&HQe yEV,;%zzsצؠ+*zjrL`W' !{m}LTp% t`ߙ_KtD|/xuΈO˟>dgUKjyU;Jpo.oHul2A'a\o ^^cQ3˟XwϢlHȉq\5+y!W̹9`>j@δ&A3X`EـU,'eXufBZvujmU+wޛC—9Tuyr&=ddCeda5gkX~tsyB7>/e{Vkd_`}\y-suI0-dȢjUpڗsmJt'1 %ScR*/z*~dATf xAR Ӎ\hMyfdLsIX EoS04ď\O٬рՅʓq>s0l˪Amv7nVnNOTmLpMtcA3J$&ي=sAmQ? D l%Wo1\8@؄8_!_ͣV+0= v(,Ⱥ {)74ڂ0|ЧkzS7VY&Ru'sËF1]2Dkԇ7Ҙŀ{$UWjQxggWpz`sGYuum/# M`6wn䃆'X=.5;ɳV>,(?;oJaE~j0kQoeu$s`;#HWKzwF4{ ̋u *O4z[}˄-t;1;lG|aDI8$\~XE~ԇIeud7 f{3]0|oouR844ےAWxu+~E:/T )jl30ө@ADVw%P[.JxCE5 nj!`ֱB w /].a:6WbӌkuOTۙa%& ĻuP;" ,ԭR6ԙZp=*qtb4O#$X w_'}xo 'c&:,ݶ)OPD|tNx^#r p !Pw}IM5+AZm:iFx4Y5m?a^wK_S 锨+pj^ܹ!B <VyǨr!ٟko1:%>;@sCx@7tePU,/,(Dpb$u|5DY@CսXZKDo_~<@ f;=?A)AO! xhc KI'Ky]8OhJ~DHP$5-*6Fiz;?@!S9@ kxF :żvy5ܔS2Ig&^EGD^Ao"%2qJֲqa+~u re Y$Μ>8-vION00@=,+FpۓL/*d; x|B3!Ԓje: 3lGdB-*a|0®Jx vu"nH$":KkPⅷ䛑[=]deeeqf`6!7Z#=Üߡ:cT+}PL3gD\;sUmB0$uegu6)n94[7FXH庤{`f",k:cބ!Hdcdo-Wݥ0aB oD6(B]}]l@#n]Z#ŪWȥ tol1EmS-h9ԶfKw#[C,_d/9ozC=e/ kzE q"Ok94"Io]iK]f#T,`{x !m]ⓙ ʧa= 7`ښ;UK[oK:|3F9tl ]bxP9JFjUsfa^de=7R,o0 ]N^8}NAkTR/SlƊi,}kCPfCǤ KͶplR[`guD@4H(wJK" ˷ޢpgT=yHul +$c'@Y" _Lݐ"gGz[Tۂv6}embu{YvJ,~\(9Š#ށ-V헢5 Nq@ha"a3rl C "2`r->C VV7>(j1mC0.jAb%]CUVEP5JUepAG4eN8so!`0NϚ=5Xz$ %2l擂~"Xӟgݰk.:ƿ1!q-ozˀL=5.x|njEa.  7Fmj}m}c Z`!eӡe eJlhx?K{Ug味{sPYuVZjՅF ] l"*"߆BaYnδyLBXak V/Qe块ѕb@&")b3 D3:z֩Vb8JwqIa?P ba!G:ǭ+o<6 E<+vfzyFz]2+X5q'~_Mnhl* dsfh%u<ף ع{9HS?4^A1ψ؁@s^fUG(.+Pfj**U\2.oBujp`UWdsyܡtE!!aAk))u^iW!Rsةn\pG+s9O(:|#LP,\љ4ބU]W[ OkD@zϩ2xNKқ6)3V̇ >*=Eg8o@젉kȘ;? 
\~yIlC@|VxOX<,!ά1=As'砄fd'dx.+Yp:*sBL_wm8r~V(xs f:4]ot=.EMs`/ 2O̓6"‡*\ b5|S !SLY(#t9ܷYO""<ʂMD^>f$v76#Ld=J=(tIaMjQ5@ѝ9M /70 H8OKw[qV e]GRǜ.ߘ(ONtX-R6Nɿ-I|v{誟-.NLqO<=,พd M n\<."+YHZ2EM.1#Q!",9cطmiSqf4؀(( ila,QB藿#"}2*xOfBqUE2x젮 @)l&k =e9|$Z4/t j\.INlyL&_zKMOȬlk` )"dwUA_k!L%P8 e.Y-SIKrz'}xZy+Vt#mr=,[֒ rW[cHQw@pJFYE' b 0qP0QԹWڬfU4R_òjUXF Q_jbT=aP /mC ǛÌz{]G#~Gr t(Q> U@iS6zW b =9kԄBxA[TL^6d4 #FXa!Bd3ϣ`F(42_^VvPNvu I ]nsHU7ITm2囊(W}qD#f%6@sfO̎&UNJt䐧 lQ ClM~t @nmrkKU5YW(2z^&ٓhYuNuE`jc«_CK8KI0pbd ߥ7^5_yoy $ݦxE4Nb![nYC ~oP Dfw1996?TZ &.Dha%a~՞餰c$$O-* 17ՆA2n<v{@ZOoD՗% RU?(;̞W"oFЂ;J@TNhgLƓFx퓻iUHgYEscG0WcSN~f*ǜlH}YHpqrH. k{'o.IK1>:\-K[rf UUzU$O; 0d_ȧ7d$@ P\T'.H\{m:D/\5D.Ag|=G"rm@m䙞Z:R~Qxm㐤:>NZYeNbWYOs/dDPٹt@x LTE,ٰˢ|fvc1Dpp#>& uS[VjJ ᯖTqO_.4j4J:ZaAdȜօ.<~Ch_ ee6>/$Vz%xvq0{'ڟkh Ւϡ4&64f3'$=7 yiNfU! fI@T?:#XoO yNɆ6C_^ C0=GKʜEQbȏܿߠb} =23[~ sr+w_tDVt$I޺~js2+ THTv zJFvZ{;R~gZ8 0m/hXN`g`fe6Ȕ,#`FLKf@n|v♽cċfyYw*aHpbqw5OJ̗ۅ%2%؁(ի-N+w(F7IQZKgAd])Mx7J&C8ӟG &/|+@,$;270d{8$BJ,2ht5/BC 'PI\Vg% aj"RgpKj BJdu:sn!4uUDps~Z<(m`3Ly# g1d4+qvk\dl L5 ppgGQiKi?p0nMW <YDN LLalB8H@ǡTvV&؍HDE)IXفT1^Bh5>^p}$1/(đP$&#c6 5s\abHGhw <2&wE3BR 3ޜ_0[$טBk6TPh::lٚcfHzЁ6Ox^ e\[ǒsBU|G;Ε dK]P62;O߆#ȳz?`ϾGFe  #}`I)'מAHKKr5lk=9|K_!̝黿>~o e!Y" tNG}0ьΒo[+b'M Bgddh9~}a>մ/۹m#5%&!wp~@=6a9@ >/"hw {)=Ä-X-CDs[XN';tǽёpe 8DzC{Vq@:L0NeM QsGD̟,]Xyk,>"R }t&pIc/QCS\J#6y1=;aR[FN$ƃW\_VOL}Aok7-JR׹<xɟ"i!- C@*b|R& 4z޻^2%A9갚jsH@x(C,_p @ .l5#:ǡ`]r E)e $T {RIj͹qj@7*Gp>7N(]2Dwz@VyN'~{bB#AZW::WQ & EBe0| M\(R>P2هJ@#x"m5' 1Du}EL&>Ӿ[|ZS/} LPfd{{1?1@a= OB"(;=Qèo륖$2DC.$ԱD)t^DIpw\!۝))4FQx¿l80p"ۀ"_vJb90BE ":{?dg$ڇC!bo@(Ĉ:C'%Ua(9ąttn$Q՜Z {Hjj#/.b2L۠#YE/Š#9ro$PЇq*M);ޢ!}uOOw;ǰa8)ɏ.8ÁǍNaoݕG4CH6Խ PJnFo,Ja}&٭K2µe^\pPbu2gvo0sUo:E JG+ H9تZ @#Y2*6xcvXK!"qpWu+/' Kdq]9X^u!Qz3Щ(XʢNkv9H$]\^{^w뎇&E P(L.PgĪ܂I~n]`Ce,8{'4^dRU`^m͢^Ɩe9h)hy_I`Ila漕rn)+Q}/3מߘyE&eڢK>i&|@oSG܆(ʌR@UE.G[4QB58|[UXy]mBlH4My;Г4GNRwjx$PBNHъI+sRs%eMx :'t |mRHk~Tvnp6cftq9E==BiU!p*㎿Uς`'3bMVnbxtw)>J\Ü} VAi0K̗ĿObMN`wv~Sz-!'i.rr6,Yf8PP$1$aˊmMfy(pq'ش K(A? 
3<DZX٬1%`A+Ԣ]XdE֪WhH,gӹrl)(XQkY%alH*6Pڦ!1B&T,y-#Uw̡IRECȂHc$W\[tVdwv+$T?eП@lسu¢N:13'6X 4IۙsT_-zp6[}LRrj㍵Duz>.}3(a{_&gqЅc7BpXmړ8HY!e,0TRŝ4sETh賗-Dp Mr$J䮡R@9[@ߐ.c525j bq83IPY$F#F W5L<*2x;ԀhOiXD kV'9L<5>glψr8Gޓ=ZZ<'K∳Ӵңynl} }dRЉI'ī*\WA՘KO:@t<®w "PFU , ̂Q̐ E3MWijƜFUIҵps'#VBu466}řCuL'1QXdjKҶ2vte6gV5#y(H9]hνQ,r1)myĜ'C`=hĢg3̐&Oaۥi;@mSW}Vy /j>Bu|ԙ& Ebvn7w~m=$1m~߄4(oL }zӥ2?|BV 1wF{֔:LٴW&-*^\|aZJvהg7u@痄hjv[W4X9za%l_UWqK·`g6ˇyx S+#wG}v8W7vYephIIclOV+أ~s=Z r Š(rȊezZl}&*;,$QY,l2!۩·u͉~eLƶ  {o_,q$KfLC^O *CCctjf_qi5C::' $xqF3׺! ^ŏ f0d,lGVT|rUdyt`k}u)u!+oȻ-5PO9!&Qi01.;ݸZRܶEy^_h[thH۱Šӡ -Gb}EXC(Xat㦺HםG굯>t$.So˵sI{돾%E>` NTk^+Oꀍ\ܦsY)G6>YIv ި`L KDչg?ŸT29M/\ Z9D'/ 4 '!& UoQU2dR&PVsAґS@5`bUhVTN9(1Ho m YM|?Hq,T$᭙0gf-~VVꮗ E>9ut,#aJ^^M_z=t23b⹠e5>)7)Y6F\&R7n:lÞٷP7}hV#9{x1TpUh!\,U=JFq4p,7BA<8B @4kb6^PM1@Wɏ56vOLe.w5+y󾆷*QՅ]rVBW 0pWV9,'GGü :4%۠J Tb$?-_4FNWPLi0t߸AQRCƹp|Y"%56/rOoR|M_R1n3Y♂a bqҫThGPf^&eC 5Av>u5fhT @U^ۇLX[eVM'^23nOzRF6;g0Wot1NqPVO-ˆ3BD$#'Y]AW/d@Ĝ'-wB{%ݼt:K)%&vo}0ED6/j?d?WrXXY++6jGVbBBɧF;J]UGeS]: }睐!&jK4Z 'OF ٴ:f4ѕ9g@gT:u~Z|"QC!v"S=v¤.Hk/[tY =|`Cbjj盾Ε89_H;P*Nإv/ #:>g5u,G *A9 TDVZ;~'QOTw9YmF- ]:6(QDO;,켤ږP{ dl]RUWt!IŰ_GE3] i 5ȌYKP T1rf=N!H8ԃtlZ * \BKXpTS F{TW?"ޥvoh/:)%Z"mFkCfӴ*y>su<O_yPk^5*&c{ǵ]3weɷeᵹy%!ruRN ! 
lV5ڊjCq1$.!s cxգ>)MAk\ӎ(BNU^䍋O\!l>L?a M4d€uϮWEAoHɄ!'_zj.ވ%oFuo PSw$ 財_P^ƠR(HJƟbUA͘P}Q(QghbueCDJƆt}aGŔAqJGrV/r&;TVbjj!!C ‡j ~=i@V\1OsKVHC> Hޏ‚r#=9p[ CCO1_Ed;6 pK?r@`Ow떯Y  b 7ΐٌItxLɊe˾VGY KNCs[؊΋DMLAu?iX~ږv .kD+E,C Q7qOh"\9eŸ/9cUi;,) 'OJdvɽ\Yծ5ۛ~ ~.1u 3nՎ}o/c{]ѡ֯KTe=6-,up>(gvrHV 3G&-煉 }$8![OFp-Pk\O#0ے l{ H'Ҁ 2 4)tPkв:a}!4~5V'24=K ڏ[A7 B̦(ጘ1$2BɶCƈ-jqh'UQ-\ WhHt"]'كБ:4nFQ'rxp'J P=@(@S fsO{7 EAΑm ?S6@HvwѴu{-P)KUXRg FNTH!ER+SeIiXٱv=1+WeZo!1]4ѻPe2!*P; S|A "1W"dQ ;`b&Z߹  ʼ=,sT,do`Jyo<;!"tieF`)"'iif@dk6p J0Gz0}A&-:Eagt(n)$AƓO >Z6G .ov 62pMz^Չ_)Z Lx)\ROs&JOoTM Rv4`URnڒ:݈ok]**4Xoz'>a@4"^g~kh kRYD:Q4Ý^܆H%P bxC9|{iB0ݩ|z^t9+v0mz7k$э/x^Pb:UhŹlJފR餸8B=/9"3)iaVOAPMk"d;>*: wf`eOOi^cif3%_QޅV9$$Ji|`DBDNM2 2 )m+{ 0vTZwj*A!Ǹ#q(/bs'ٝ*l|BEZuqt ^rwJ"ܚO*tM{cOBk2L'ya{]UC|Y0n"*: MRH2p'ۀ&;ե˽$`\N>ɝ _4V~(3O'픀O`Pygwi<{wj}ݏEA "=jP>uQg٥kp@?Gu3'lzeL*.R1:-p>aRӪF1zy\2c> 9V6IN5Eࡦט Z(sZ?!3rlzfu($+nC}:9f__]{ mh } #A3NV(u)OBp۽ҏe~=iTԕns4?WD4N2d "MfX^3!z;Q nŰ*Et@HqxNIs"(ZbСg6謰5fнcQ^t d3g~N?NIo>φYeѥiʼnOnk' B#[{rk(.9qʒmۣq[A1٩ d|˼&j]vxkfʄ[#-'ٜ(]*4C&mRkkZ({Q_:ařgˉ6IŲ,7|P]깉=+`iD6}.Na6dKU"dP]c( /1dTKȸq%.Ԗ?V#qRg3z__Z;2䴖 7[{/ylD ړQ^L aCײ_%"!<Q!YH|R~GsiH>fe^ḑi b3 :=IpOJbO*K0v~=8%m1~=6nTU}p GAQMrO:ofi)(t3(%Ցr|jT94q-2=$aafP z]*%z!YGջCC%L!'rz}Uk.E\~ity|vN,qޢ(+hD-خ;${:RqrϸY/;w)Px,iyT%#H}08?ʍq4RF8_+LJ]5ON,N >m܁eBӠԳ(.$fhdl?O yo\A+S,cɶ0-`019ͷ(@rBB< jd *.(dr5\X&vĀ&/}9U 'kfxXh㤽s7:SʜبlfȏAJw$?.I(d6YzІrE |+GtGR;M6cm y!|%{<@FKoL}誑 A,&/0B+lBDF¥A%"`o+F*.7H\WNabUCk= 9VD4:*wO^8 3l铅x.؇8]N"J$0ЬRQV@a|*9MIS:v9x5,[&ȵͫ':[ !D <8O$v"r3cIR1ԂWr;j^G9nlG q9$J\M˕masȏ&+f_gW߂iwL u.KEJ}T$eVgN .X-(vuJ:\|@䜷zׁƵ^WF^ktW0nZ/(AdZKAЗ $jI8q-Ƙܙm򑳾&@T$sGb‰MlMȎ AQ.N5`ZpE᫒cKiMehҐ@w2ӛKOkIHjWQ#hgcԕ4GC6{]Cs| {dHFUH=TI:q:e=Ja:kpea^/U:p9 %<Hؽ((8!=~ goإ,>Au 5k PQqǕ|y{lcFpc띌i0 pқZc\kh!*Xۧ ,Z@h2*EFH|x⩑#J_A p1K# 92Fy:;zq6/&%ͤ{È[8nsOÕ+|'}dk8e&Xr:PZhfqWp ZvzV!kFȚ{YW5qO2` |6 F_3Y6CﺫH _~L{~7l C1q(O5d4xKHw SyE[DV[iB?Z D̆lj k3iR$dnI*CYS3臭&?By';DvbWF2MT!afB^kF w+*fϞ zAAASztA4ꂩctiDlqQgAU oK0DІ8j+ؚ`p%R"H̞2 \PTgsc^9p@p]jЕfptfpH?+ aF}6K Bzr [. 
)f#* gL 'xn.FlW KyTqBP>G?ڈnoٍw㒭)v^R'' 'zCKɨR˸>7/ն_m̝eXuOĝ-yqq[A\[,=}>)AT5</j/&(HV'0 `N%d˒H,6`oP*Lopc`̩Z3:oj L!c{oegv,3N"~K7jѳ6/&p2fhZv1: b+*ˑ7@ve&{,ktNJ8* vn Ԕ-B|4_9P/|hCCY:<5̻98Oġ ”9:tϘ|0]Oo9[K}.]KIlߞ~qJ-,?@ ֜NtVA,AOK(rꎆJxwѱzw@hv"abJ9PIDgyTȱ.P]7C<~ak&(mH=>)oպ3q=X%Y8!JӜ QwUo2K/ $!?v5qs :P /-4ؔq;wE~.N(xt#!&*kd-:lxux [>n MrJrRgRñ@j "9 ?qD-ͫjHbtd,y0|iQ`Ͽܚ'h|,SwT .D{$, @H x"h;1:;.lEU^44 W&#+>_ݛxCP=4/mkX8,3Ѐ,&&MJGy&W5m+y[4+%xb<- -,fM Wsk"1=@22qʬJjd^e|It) nV +*C]\R2W]GoX\yh~OGrHy6:L >AM/")XL4r|0FdBlp))COB_GRVAi-,ӳ ==;GQqO}0MWX|eZ9$iS'saQ%ase?9fI)f|U+p|_e3cL/Ӈy̲ݮS@qg-+*K oaf)}7l3A;.O ,]nqS$.(+Jf<b q2rKZ/3Ū0lLo&p؃PvV0?X&[ȸ&:ۧep.$K)4{7?LmUn*䗁孇 #!f9lyK 8Jl?{ڑ]^J◇YrPC7`f%QS}&fk%1c zwjf,>hN>5g ZЪOJ=AkY6*U- Ɗ\օe\(|Mƺ-%?LvOvy"^Ǜ]/֪P,(@ S؁jמCoΪGa?niG]]묣P ǴO 1[,^K?e.SnS00 :z- 8ÅEE?+5MČ7HJeȔbZzL"Xx6&, h\ O]M=U8Q0׃4 ,&K6 y٢sѴ洐o݈vkRL;{ {_V\ףȆ>p7Q>K$?"9' At85'zzM*] w85 k2ة4Sc"+َc5Wi5oK[TT?ntt"5bH9҇G84R#*q[Z,-Ⱥ-VӝK4 gtQ=I2>!#g%n}G_6}LK[scݣ?ƿ_L0/åΖdgK &*ɸ65عByp [䇄Fjwm_ZPNW\P[ h$x޽޺HI3WW~f:?L#7PS)L~Ti̱Z1 AfH9lpr&dҝH^$`Y$,9\9q8sU5h@!!UVfUˏ}I9p A6zwQӻi2(Ztr!]ሀs5$=DU5Ro{l=It264@)M }#^|vx$UV#jF[qMN\em\cAw)ύ! 4X82=LBPmt:@%DɄ=.8VTwA,L w?\( W<̢.ucC~Bt}Ҟ.&;nd m8A 9ٳHx(8Irw*JAg5^&1!hppr:{4*=XZE +eڨqP))#Mp 9@0:_b!>@|a A;v[=+b!nFwM; ÔM2_)GZW(Q]AOWD_&뢝q)&-B!2d*\Rq:+{G)&Js[Y(w$M$F]ښ?A:>Q8&FhPT;,~n yT۵ѯgYC*5i6.=fQ{1$_abSB!y來ycѻ0S˔tc؁{ok[zNi ^of@k˷*#親5n5@bUGFc*܇T|@?Um߅\!l K3<$6m7(~砲w`.R(vEi!ͪ9*qez?"w+vl?maC։Arū -5kdP0ynp MKLŽ|yÄd"tWbVLzyB.%=K;0HYpnl`H3_ؔJS.d=wJ֫Y>8ų*N6xfJQ%ɞ4QAt}B-$ś8nۋbqÆqhNS[Rǹ
@̓xPet^̃D}d\8 ≲H,z{3ý(S㶥7)&Q~$8L'DNc錔FB1QŽ-Xsg;bm⏘Hǁ[lUj &p^*šcG%_Xҍ:/WqmW^p ()>pfG BlGcbwuؙ,axSOlO@Q %Tij,\!Z54z 85K>apiE)nIZ=>8}=kLp]TU!, Hm'#WsDAY؈8 ao9NU;ua\gcF8d6ie]sW䔎gmܟXԹ诸H/ HKm??A+"m&T cp.т29=iPFjcQ"C[D/_ F9 (mCTw<59ȁamdEKc5XuJgYN<]RHZ-f<&:[/FoY^yYK(rGr{ o: g )%!`VӦ}l=©9K0F~){GXI|H5!4F7C2sX.T֔-"acl infԔ_UWS㵣4?'ўvuv 1-'^R3QP!܏yu( }0|^`kXkº:u|VUt%򩙦A4p]fs7 ~T|ܩ>qKĸ۹ǫLr:H1EI@tlz/qJJ5A`"y-+@ }ZG4ScJE~a5DRs2,Z/\%4 E=վLw ۶I32ڹ ˧(? $/l{u0"'a% XgWֵUD.Rܻt%xQJG"ߐ~_̕#)a0Fΐij 2^P?=:_VB@jK$tAò'ݙ ºgc V 4Ͼ/(v:'4P65 NU/b8uzF*ᡡen_{\O ZnTЙJJZ?0'aޢףLtN&ÁONߖf#gAE4uPq%m9̿%f!,d/?>1no BR>_+1?ny".x6Xxf/ԟ>>1_7Z<,+u1Ojlqz9\Z(#F:H>:`ZcQ ۋqgЦSXfru 㷷zd{3A 2< vQz%-͏AR{$KZGH=P .Mn߭ 3v(N$CfǫL;JuH$l'-=3~Kzu8@gl sw!;az'9Ki;_sJJy4"8?K}zP8e#'O-5p: |n@Mic n& $g*U%,#r>9PIȸ̡ezo&Qt12S=~Ӿ3]7O绱`n)R*ϹǪImZcrlϸ&dWij[`m.0Ki } 6S XDKρaA8a/BSg"ԕ8w٠PF3)>w1c |:h["mJ/T~W #tYyA}x(kn EzsݼjX ~=OmcnݟYtG9ƑZXQ/}8YEU"Z 䜡g7;[ˡ%U#)<65:tZ2x(|n[Kxn ĮkĥU6e'M`e%F{lP᫭;8ugЌ NSq16K u)xPMq5\sV*Fܚ=6_ 0?n=[SJp!{L<e;=zy wq],>q`fJ&ħ!!k*KSv'ЧBkYC){)PnW.ep\Sf{ΨLѸcJ$?Z |WCV;е`\kϦ'ԺqQH@-˝ \wZXOc^D‰r`D`d,7YyC Rދ-~99 ` 9hjxb3sGb"7VEpƤU󥜥}2iP$cNF֏MXswNʭ14$ߚΣ{ABo{ݔ>R6YAwV71 L*'lq:iYE kY #@i M04>p&UջK>0ɥڌ񉅵CV*\ ΖEo-kC[K J`fvjXPS_.vH`wGGX'N*[Џ^NJRl`km}? 4 ,2[o]Gk73)4h#bzRwI_ @uT=𬅆Ƀܧ|tpÎ|N,Жb{nRT6p2?9:A-Ģo{QOY1ӁԂ$3e,@Z\ށ8} #/63{]u\$S+.RZiBVVٮrTIʎsAHg+Ww{ݳ2H/>{YC'?eצGmU"#`‰x}s[$qz vA0 ȸgyfZ3"TKq7X` 10)7>H}l2!ZqgԯP0M0|+W9vsC68Hrv !yFz,4/)<3Lo6iQ8q]Op6KC͐'q`ݱ!F J|Z_rtKsUcP7|q֎[GTH y`oH7@r/ș?=7Ð7riD<` &[z{M x05e^!6#P*L"3b uX GW-^D<^FTKg>|,t]CJβ ;"S͟N ͜g|QׯLBP>Z y> w^se"xt'@œIhR;RM(O<窖C^4g &2cl,pFD*NWȟ9--9:v*M}2G!B"7}e~,>p.A\6bioP;)k5yמKXW LY,CM(H9FBTZ~`8퍰[ dtJ2 x;#Hɶ`Q(~S\sgON#TVA~X~b0?rݟe<NQ.>b"疮1^d;IB <- R_d}Y~ &'\a+&1Hm8u\Zi<o+4;ҙQnz%y x 9ʋ:;qB[-9~_jW#@9ymv^B0hKbgv%yZebG'AK]%ȠkvY$zvYDf 1}`v! 
0qBi\i١Ku=]8C_>ov`m0ٹNymnNL]illp0͓s9_P$rhzs7<8c-i+v9*Bc{dw G/4EUJWoxNl{ &i^cI.գpYqC;͑Sʔʹ]ԀP<&ӫO #%E6ZR$2fi?AP6y>]9֋ +ÙkwLRp_; w#|gXARʡs:HC|Gekw(oSU X Qd :tgneHOa['+=`$ë=xKVs+ DnBhA'OM ~Cӏg?('>lƞkbq)D3r->AɷwLGh{&Nt1hB4XjC+>OlxqT C, uQiBVA|$(H_ܶ)}.ޓ+4-`qyv ,H4QK{^jj;J;ՃU'×_$t]TcU)2J`Ҩf}h׆Ț{&%9D$4h؆=xTm̰sw 46k"N.gf\vת٠p1%vś A(px lcMz}גDH >i,pō⚅z b5z+ WNsv0r5׼XEC {l,a݀g1" MHh볖094*_5 `N{1$>,֩C9JT7G٨)>[hhnHCikJ\bΫW"ɄpCﻭ#8ߙ]fy!@zSW<6ZaF\m% ܢhE=du/=9#2/hT"-n]y\[=ސK1(y<>Y =A gꩍ. ZNQ\'sxceꫤ ;qʓ"J}715j}͍f̉^Nӱ/.B# Bc½ -iT;bmw vy/ݰ)6 wS!uhpw *j?qI3`TfߧͲ")ᦶ >3I_GtvdU[`^g9IŁHx%yꙈu: bK삡(  [Mf\ĄU?6:yNlUpӢp9 1 ܖ98QmoFENe ۸㬥OI0[Y ]~֠^5P{ .Xێl&ft[Μg m mgfHK|K6;APHawgO-F7+oFDByWb%Ȃ5p 8NL+C"IFsuCDX7TV.5)cUiEƸC6ح',11i{G9ͺr S-@G,,D[ !T:_6٬!I uB!"BKfʆ-5jKꚡ~VoCpVU7%n+϶_uG 0v+fnC?XfCdcjwUTB-pT>EȺX/h9r:hEGVTNy;PNFH q{`/Krp{3eGyɛI3 #'=t Ohh].o{j^ќ@L*ws͢{?e X'#O'I99s*L6EͪYox\~\Lf;&j{{N"ְR7v3G:EE@)R@@w>S ԍȅM>~a{uRd&P !MGk`+$]|f`E2 1SU@m5Ƽ;&r2"}TtZQ;o 0NLD:촅 ﮴G-X < k |~_ǬeG'9+k#/ S٥ 8Oǔo'Dh_y:8h\n/J rhE?Bni=|1aHh*{-zu<&]5=P yGUlQ&YB5ZNHDcɃ_\9WGNyr) +>(C' kIM>?I|3Jyu6uzyҏ؈Uo|mEw>HOeUBri,ȚZ]8u /ouK~̪<o&=SXc>T8S!'C5owP_ N!y֛\ &fԵP*6MY_vy5-@xWc*8qgwtm/x[>DMKG\;~H}o=H Aڸp 4SIoN7_1SHfM5A爾ޣ_긕9sؤ-jW Uі#}&h:hApWDz%Ṉw@OlEՙE+IY;D.XziJVrz>&PGvbphTQGMql@ɚ1,?+'C.dLlS.Bdd{*vI1 Z8/ #/9j$%EΈ잻[j8*m`o:YӘ>ݩF$[Oͯ`Ͱs-3 Y^R|b_)ftD=hX2o;Mm ' tm9Qa+QHC5GC{̙UYMJ£ dgvB⢗PU2~҆> dp95ӆ$cQSk8r/{Fe7 >@L!%c,ܮDBtaaɜ_,j vHz"PCB|JTQy*_+@j Y58JSwr3Eئ9Ou?M_(FC X΃j!JX-``}.զ߄$2`bJnVsT*IZ3%p?yxǬ :G}..ZX!7ZD~@┝=x֎Ac_ g*M@5;rD4XlS!F4w\_q=v3w8UY8!$!E>ߖ=s\.6lQqEQ%֣MQu7vGI٣2r3<뭐ƕgʻGaN2 |C@Ԃ ٩GGZɓ]msn^z9 n׼wD(AR4kA!hB85% 9PvXVK4m?b.]=z] 0X="i8 v{/NWƭbyz(胊i\Q3XRH}2TS*mVWx_U On hmu9j>oegxiL719p|/<7{2׃#G> `JOXdؖ~+%'7&=E w Ms fIV6"*lrxQX HZ+ KAJ! 
ȀҲJ+a99 1IPtr.0Qxݍ> vu|hI'(up4N Z|Fف֝2R&Lݍ?qy_4:C\\LnuC5H8 X15^0Cоw$F-Iy,(F_v<Ѫ`,7;E7~Zdf\^a"A!ל :5Yx)'1Mj[Db(KVOف鯘u .,g让)ى ~˨dٖ*|⴮T)A+G-vdw|1 Oguپ;1<>czOJdK kZzǐB RwJi{?㚗3 93 ?Eߜ*~AqI"m^Ml 𢈟InazA)l-&/̯7V*4)oʵ@zT1[>?d"Uz,מܞ^ -5 0su;nEFeN"엏7~7Frq~/KVaqNd ODGF=h0/M Q 3wg@s.H lgR2?hv$V@vܑMYʲM0Dڴ 7` 3ƹ* E5<@blsd 5_+! R:"q4ClO C +eLBc5TRX/r@lg'sBX8´XSdwY/ j:K/dgv:0ġ~"_MNGqjW1GXMS OX۸qN&.N{yLOU#~"y.')U]zRzhXڧ-iiQ- \ʞȞ{GYLQ$`/Cs{hylpsJ2ko»:!XjlR(kR UWc}p٫W>]W/2U_-ItnRArꬣ oTɜf,;g1V C 1(\b,g1a+ =2!F8$MM):*fbvg>h?].sSa3/&oC)Bc4+&ة˥hX| }ό3/uzdqv8 auCTp'loi>c%e׭)mmN) i-DMiG)~(#w#mZ IZSyڂdhKRg`ʫ٭HU$ }*G6~ƚܥ46&t5* P^U֎jڐ5C'*,x&xw51 n} p QxۙKu|P)9 w?՘rX}R9X:0D օG& u@WˏI`M}V0;FIr.oQЖGcɳ]:;͋Y][zqAA {FV:(F&fAޮ+*GӥD>nEcEYqC¥?jd5fOF&"ƃ)A$E9ȸ$_d,}t+f-5rH2c/yj]@ 1)]{ I25*7;|{+ OӼB ld~S=c'ombP%zo6dE9Ut<ĨZGjWss< PE(uɢM0!JL}Bt.;Aat< eِˣѪj UmuXQLXwXM^~̛AI~cX ca-2 s/|Y FL3n>2eڥu4D'*MKqV+ Y{;j}f7.aiBfFXqkw*o"FPM%^2A4, :nneJ!gX{ XfM̓K[@VT4WWJ&h^D=tR2ZT i:mU#qw=0.1轎{ŎC`d,p a3J]0 UB%T͸Ϙ?QOO,պ dn~JGxCetu kSXwms?,FQàgO])_ @[C5fEF[.x"T jBNn&>*#,?rR''m#y}^vً eͫyQ*\E}p' CE6gVeSk]W S}b08ov5Qk)J% WxY NG6)@'큁Du {x9['CnX~b- bB?LD^#6f!RJUpG7Cqb-)9m~paUK2J4v`>q3xp}h?Zfי^ [>\T؉q]r1$A#jfue܉"ѳ5$'·[ 8~ʩ죆M*P`zHJ$ko Xc-ND5yW7]u!,oٸ/|$=OWKv/XIAk$.A?,#JE1 K"&ML9h?*eΠ2؜^0.0D~k*ozti{Jy俩xswkJ-go1?"iS|f}[T#<_g'n20ֻ ׾pv99UȔ&?mXL|,${[)pJN]MA- 5ՊSEIXURq-3fI4+6b_{Axǹߏ3S䧶Ņ0i"d-Ă~Lk$0/YqH 11&ܝGzvS|#1@lJ6:N6cGSs`5;kcGdtYb 1KKj4hW:k ilede=3aa~g)b_W<^;$ U Ӊ(94]P>J盱pw!}35EinэDCx[}Zbw1>/偁j?Sp&@VqQGHxQP8`⬔˭pL duQ;aI ~P6&Crų6H+o'-^r^đEV F3 NﺟGl< 8\/ }"25QU3dg.[n 3q.4y(5o%kf%.,PL<$ﲖwO<=t 2񉾭7z ~!ﬨnou01 h%&7Ve16TZ.m'#ٸR5ݬ V8Hjy$8nDʎwpUG S(j\MfV\*>(" n V͋ e.A?toy 䵯/zxȕDuspQEK{9j9$ܒ=# z7Q2uYH` X/>Y2ל^\;7~J7`F{QF-= $Ζ9\7{ٷOu6̵27Ww2bkRHj9oVt]I+d6q DKLVf9H?| :nϙ -DZK׮3*"I S4z&XzUtYFÈsΩ<CpmZCw?ǠSbC ] ̢ڊ]ĀI)lj})/ ࠻#MbZl~*0$~6,f$1,F,pMh3X> ,*tU7;a0咽JDH1N1ihh)OO7#E\(-c1ptCۮʾ 0&y1!U|(qMqETU52P<Ӹ:T a+_iݡ\·~mvh4w)ܞ?赃eV='j3PbWsc8ŧtF uP jG2Hsy0M:2@7mg軥ovͮF->h̍xxSJ[~93;ftT 9FAAoyrQ]=dU~H`LpVqG19WJS^'<Ƨ~/Véz3B kkOG+;a0? 
^%6 mrx|2PB*vG(, +>A4>~)!iDaPa(+$Ψ]@j ~ŗ$^KO'acDx'T%LoFꪃη]8,cy=9 $)c1ـ@@lYW5i%Bkˋ|wY] /,Y\mOU`hlY; ϳ8,b/@ s9Bk󋓬BVKu-e8x.=א@n 12Xb&Gik4;Oͧ/FDс> E|FV r-X)ZGm{%%pC \gEDm9)ӂɽlK͐1 /} r&H2*g;jkeγup"Й@zq䅍^5:BiuADjI\bzFg?xɑsjzݣKT3UΎ%6/rX{"I0!?sUOGMw5׈i;㲙`?s@=@3丷 m|nP W(R)"CA,3|ɨ/ =x^ 3]JUS+&& ׷fZ\nN1ohԫ;Hs=lh>[Eﺡܖgmn~<'yOw{1s~ӔF3cj aX+'HJ# (|ı:E!8 A*\ ̡ʋAuMޣ_]88FL{#aQ֑^f9b*_آ+@_Vh?d-K@Ab+(G͍2l˓3 ,O2N~N TN쏿<n3F ۑ(\6F ,yz "d[A~xs% s˵FAX .h SHJx&Z ȉ5[IűCJu_Лq'D*Beߦ. `#,dh*6S6я!Jm gj,߳Fr@C9W!A'ذ ii 2o1K @<^ߤg!s{>c `J4b%f0eNHǸdol@fnZ\6ZRq$>8gL \ vgۭ{kb}cdCpV"O NClʩF7_n,q25@W^0~ ʗ!$Չz/:E'ijX敏1YP/\)Bh)kJe,( E;z(\3%W~k`\9Zx~Qs4@c@ uqrفYKCv&tv?iQe~79K/cQ\N@{J"./os80Aּ_'DʴaZedQT R1b-{bgS=0\^C}tPT-ܒڏ@DN "]l 1p8KCppPhLڜN򝟈0_LZ9]:ő< P 1'ƉM8lU mօ%0hDžcF-ݕ(;=3֣5]8RuVdKlU2ᥨṁ)/~ҝ[ Har*6^095/ ˶VBJD_R1}vi*0=FgD$O3L6h]'r&B1f:@u$k+[$ڧI2M`SOx@7c,vBk0zo^’bwJï <~1JGԁ7rjOeRd:ذc;04rf؟M8C<˲$Qȓc7%kpV8_sڼN R E VnJG= B9D^=Q߫^ʙsPpWr~q0ͻt/e](bQYhnzwkV5m.K>ܫc{!Α`SpbtU)Gz\L kD7IWt$;7&_l>dZ1^O96<]7YJ%H"scfEiY8sFKq ǭ(Lhbx~?Oq~_j|$ڐވV*>Dsl Km>z]-He찆y>uA3ȊoC(NNuIliU06SӄBRM~2y5Dx)0N=X=?>I֧FNtAs>Sg9ir_ ~Hn\OXwD5t{GAE_=F{Owo$~.ZS|.߻2ĥGL0r %9-6ChR ÿR} ɣ81] ˏ(Ng "F2kn7Yu#);Ot\o\-$6br֣?,mV>y tG4Xag t0Ny=BX%-(gOJ"O^Ku%SaxNI\%!`a< %H܂*(Bm/Xmʹ%<#hS,uHﲂS26妅% e+p JwTDVCqm;uGZWI><|6QPoO*N+Ćs5\@y Kvoqr . 
Gu6Ŗa~i* \B92繧CέrvuO&!]ᐐ%G^k"yHIoDNqk\Y=e䦺A˫/LDPGĽrYBSiKڴ|,{Eo\vOX%Jv"[%@{.-QxjwG(r@L!V D͡nIPFޡr7cM8PE %w[^zYSa6~BJAAG0hbޮwҐA%BQݶ&tRr)A 5u`s!Ki) z O.i~dAҭ.yt]^2I WV3 "(nR Y#̤#K$N*b~< /€7Pcߖ&A-jКC51%Z'WMy8vKUJ4LH] ]Ÿz;QC2Bsr >L]mm=Sfٳw((lS4ISDtQ,擥p)`82l69) ⊩qͥ尩әj$0I bw|jT~QIsf HCk 0n4^oJ ܱYN9LLy7%FK3zp]bF-KJ(]XcFFM16nN秩'Pi,q`FҶHٮ4m$txz.k~GSGoPXaփ_CQLx]f8jO( RƻtXMm |¢=QVpo dlEHg'G$Ghf ֩Wm1"`r 2.T-V=d`{]n`u4!:LiTHj֟;{\QiOm.+3qr,TL|@C4ّ xT¡SYkQ*?:.w@zDhI+\ #\3yd7Zя~͑aA 'IZ1j0gCպ,=Z،gzHm$.e㙠\wB_:̬ 3n,I``CJػ ,Oٱ]G@IBۢxY` mkJuڛAɟQ rfyNm$W3Z5χ/bb~ccE9d33X ԥWZ [|,Yz4mkޘBV ~;;H TS7[:#c4kNκ^R:Cٮ *iL`B_YeYi N)$@!OA]ډ3,,;5C1#\-=ZHf R9˼Ӑ<˚%-#gDTo\ +.RS'HQ첇m J !'a)[]P!iIV[cSqդd'Tt،EӰxOtJfFĤ##n$cfцLZb-d*Ic# 0dzrTG5 DA}XionmyYY+vuoKybx*7v6''NSnxu6T|Tu-[*JC ꔳ5#kV$mnEm= ۶-'wlzMғZ'XvU1눡b(gR2-,fx'{CD'F3x:xղe^Ws];+$ CJS_K_9(t4,Ft[i Җ#?>)4Nn++1|r߽ZBj叕̯L2kvL GQSZKϦ?r5SX}2:CH /5zRw=$?@D$JBpkxJ_)l(jhõaX<\N2i,::)]@7u\ *fB΢X'UHӇw Үo  ѩCX̓jЁLG"LPW+ ?r#Iڳl?KWC<Jnωjcql}"%;9lb%~DuY-nbmp1V4DD+a |3RZ0ԕU")L[{1~Ų 8~UQѼr[ 'ow >E Vw]B$tguITPAݐt {7 \7b3Y+~H:Bp%~@PF1CP#ZkB}Z0J)TA+g.N76NqRT-5Qʌs}t~*ƫaܮZ"r[tPۥ(+R0[$nēET! 
@:k`‰nSlBݪy@ٳATEtHLh?o Mb`%/RQ_z0.fOrm 0_Vj DJ9^%ZEH'Ne_ް%.5Ӝ[0a'Ӧ3x%t\kpr:z5%~Ąxg9ȨbƲ';7&H6X`2hЩjЄKw|xBC;lF,H|R1_g|HW|c@Ǿaؘʡf9pȟ&DL DD` Kv^ه`J%+UloRЬ0`)>3[!jhBh'#(>6mha K`rJSFu_@׳lJ1DaAXKDf[uOg~*`° 숫7n -u?VhCwiA?WOlC|~lgKpt\=m$eIJŋ B"~\3['5Jք*CSJN2=3bu>wO@T-!bSs;_Z ֯^ 'y2RH?DdSv*q`{o!wȥ 9cN~#@ UNkx 4Xgvq4xjO{N3bdnwtX tԉIo NQ/i|G72jӬmƾ3 wHT#J-!ԒP֑ FS X,Ԛ>v|øvAUrz'< 7#j[xW2\yn('>fY |5LoD_3Z@,ϡo ˖_Q ctH#{@fB-8U]H_ctKJ|2 E&(q  5͑@!8 ۮ&>TDNWz)Gh9z hFR$\dxc%u*!&Vk/_/*$rv@hxſwM;,>}8F:& oÏ&WЁR,ߥ ;scpAcq|vei4džcQA+)Yf(|)@Cbx XS>G%q ÀKRV]J9頹P&P&SqkUߙ>8.}zK|6tˋ'vA4F7m ,ZX2Pl17Dm R/FzY#ONX0G~ ,"ղCVG U8,e|~a%' J(dBYq3"е6#PT +3v%1By-I(fKBc- ~-OmIMEɊ1|2/̉| @Lã?,?[NϙHWM\:>N5|ks;$OAn%Ȃd \>8SJ;0CHf}Ѝ :(.x`F3uT `Z  uIFh280ih*`ę7lF.K/ƐJ\ζ)adnַQ&W*!L 6ի,㴯›e?-ޢAVW# Db8V5(dۣjU_y8 uJ }KAdYvdnc(fuLUŪtw%LQ![f5lWTV}Nm.7/ɹ< W0O=Qk0ř 5ZRhbXH*m ;P/C-E"xwY fspהTW]帡o amrͺi`D }Ilk¶AJB#ΨZuͥ%3|r3;Q'ZdLx:vn^YJio&I IfIz:|p-TaəJ?k"޽exlĔIw+dߓjd[gB+bz>ASEيW O> wxʸ2&=Jr[˛o. p7스L*=.OW2YDQ@X(DIxmZ4mlv́cPc9EDWd(%p enA=8SCbCJesq榭x] Ծ!<@m jwEVjGl{ˡ`_g}]軣H3 JLw`H'`sБ#KLwБ1إ/gA 3j.ve#yx  sF+Q }B]ʱp,i;SMV,&:4@' :*NG+WG,סjm2L4v&#PW [u@ʱM# -uПqgI7lXa@T Z`$f$ݛ{XjM5CgZM|Rhl{|u|w^b[ Mw-\W&&6D*[9 \'(PA KVji 炛 \orn4yt 52Av38' 0dk-]7EIfCadRV.!gCӯvvT(s5C (JHhp8+^P 1Q'[dKlI^2/h`]`O52_3O@씯ӻVab0E5ot" W"DdRLu@B0.n'-Znt`_У&]R`)Cja#Í̋;KszJ-]yP r~|YtɜZsjo^"V+ۘFͅoeq!Ld:-]@r+sg'"bb<]U]#MGi䯱QC?B-8;9fll͌}DOW2ҧyCO-Е3=x&$,hz<|󛤍lFHPÏZ2+rvȑL$”& C@0%u'Tpvq ;*"U͞^6x֍`i!jSwP3(ao Wܭ KKϟt?ORUâ' i].ۺ ?lݹnziSqL79[mRj"^B(ypRѲX|d.x:&w!Um4G0ਥ^f#yOˊhcwHy Ɔ&W"ăXAIW> 3lGᖠ-Ja~BJ;-m;ZxX:,ZMҒ@& Z"0{;aC @~x(SD" HJ@9B4U3x,%O:y 4\}I~S.k ӺjRk:Ή^ jVRRyF7`RBo%bd7KZ^HymBIfgyDuP}bF 0&|nH΀Hʀ|~J51|t0\,xjJ}ᔻ'ܲzΗ=9瑢Qj*caKBr>B?  Ŀ~?j39g$!jUoʤia'bY%$T:_tTj6໡ LyN}wTQGD [%feXa_(JڒhQ\@g4]);qdL%WۜƸ^ŤHk{X]HnE Ġe_zSᙋ߭)8Bz-ir~qw‚?=荄k =+H[qvwz2~f.UL-J_`Xk?1#X"\ŜfұhcDOG͟.c)[RwT(U qu(pP=Za JZ #4Lw oɌqR!G jve*qRm2uєzDPA:wGI:JM%}}!O!Yw6219Nl2u場!nCۋ3Jgzi? 
aVR'3^^M [ ٮ/}fc#Uxnl#<f& &IS5AC610Y^窏T}wsx z'[h4/Q?X}_b 4f(eQ>> P -mL!麿y>o+ 豨_HAm_X=j+݉z$+~ڤr/e2mh kӕ|xUWM?aNQ{<M .i/.A+SԌ}ނku C4A+C br'dw ߛuu[S±nL,br>sP$ǎ!2Ta 7d͑0jmLKt`ܩ}YxjhXA*2l3nW.הE.mg7o2%8*'犳1k]R9hbĢ@^PdFATϤEd^)$daE.gj{P Ժ!1 ]"7SF3$#Z'ASxzJdnDD iT kULvԔD0嬛4_n_ 4m%f#5"vFq +&]wlɸgrzkU(ɧֆ=q R&XFȠJ=䟝~*3*!k92KU(NehKL{;jd/y|$s-G-& P /?Vady.`C?cZt{Sb"{Jr Bď x׸}Аb~Npk{${Pe[ςvX8R<gd'Kɵτ %BSK{_ZKᓟk]=ϐV"?#nqLډM2oC/3۠)aҁS6me H FSkSe9F{&HLXOׁLWl$V"^, b&rEbЦu˗!#GTkIFAF8cAӑ]˺cc Ŗт>62,u?\yre|0rDvI{X|ip3sœV ˀ4@-UYΫJU결,QŕYJ%PAYij Z)='PX>h̵BJO5(! +'ء)RvpOZ{ƃzܝe ?`B;zinxNWj>A$;MLڱ Β.(5#V[pMTQѰͩl%t8w9yU.ǹ!o-ZEע!1׸L$(SuԊqi}oN撅- ϹV]Κ .>S䛣C@oBBi/ -2.%0G[ʭheZbOQ'^,*̜2z{/{NFԈq(%NXWU诘{STυInYh>ʃ/>}yvSGOkW1m_]mpbF8&h^X+ 䢝MwZ_9c%q*r8=O_9#KjVrC^09>^Y?Ɋg2pȡAskH&c>vW01GJÌ!MP Pgx,|נ-ruU/l-ZEhB$ mG]d\<%xlS`BhIh}4șT -IJSasTʈ>QG8zlU. zuU0őRXmeGJyţ fozyC OlFK^y7Yմn cMKg+ ށ,e|N AgJlI%k"_%.'zl~-U ]!k+9=0Ua(@U0elpVhĊNDs ;WΜXfuMC3,2J3!zz=}nnI|bcIyF,DGΒ.?s"$x5i;< /pDJwovFz9({o DYEdEEL-~>[=B2~˵cwbnX‹+*St(t{hԾ }>1K׍@ p)x74:jUs[ogjqP1y hNLYZ^85uث,1׌1R4թqfI1KaaǾAȘYUoNq\UގXYzaY]R:\OZAR?D_$CEXmp(S%5!S[5Kc9;גF~e~hG氒!"-WhsmnhP6l#8᩻I؈M;qՄG`(^F uެ T֜c2 _tJ1r6[uS*V.UxYW}"ͻ#"84ۮ2Xh#K;5Qjڲ"ΞxYER^oaQLBY?*QpgsRn2Hg@gP ~IB}{o~lx\VM . 
I' )=xY≯ WUG |:zdewyΩҏ;4,cU6=YelJS";_K;N9إzӹCԟLw7VXnA.5w .el1"f<?/k([2 L?zsLd(s!rݡr63{~G~A-wޖFmv2 R3jDDi=͸ ;m{PK'Jsk'KU/KՊuC-wRe i}R!Cldžw9m fQk bGZMbnt (4;2Þ@ڂhfv>?.+c՛ ANί5:a"9v:Lz:CڨzoBnC1+ 3 o3J[xb@H.TGt-Z?mhO>ưVF_r<pD|^YBݽ2 38ΣNز}d݉lT4i/.HtQ }qzT#P,UX1c2"&Yw>쾤D4h`a"jeSh*?;۱6 $B`Ӆ8l^J/CrȔxx`$i|&_5-w 'q{ ~ևC]AYT;^>bEu=;ۛW%CI)& eӐ6?鄫+[ԝR^8is2`z֮BYt{WmsUEpוSI)_Kt oYȠ>#n3JT7Mz_AJv"l ѡW':8v)A R`*j5#pk VkAT@R4[J [$MSweEyv1~L4惫uo2Du/9p4!/jٰ A7&TG8UhA:-A{K^WRZ= `30h0(?3?=-EAp } p`αť0E\NJ?lY퐨{S|7G`fZd[6(:"8OCw(5 .SɁiuIg8Uh+/`a]y:ÝP֎e%i꫽lL՗̓a(|yPTiy?0GWiNPJYn*YqQ9@{ wHB0BK0J-u4bK 1Zw0K*=֛,E*0HL\Ѥlohp<;_0a8a}Eɱ4Uٞ@:GG⥼'ЭP.E]eN\[Tot#ih^0=Cݓ&ɼ ||5Pfs)ޮ79.<˛-0F+D*O)p>Z rF+-IKzΫ#ڃO=g4*z0}+^ * +3^IN'VΒx^cDV:ްqPcS TRmQOz&P璣'k6 =H-ň)*T@RfE>A??TOkܙC?gki:6,|;}tfyYMsOIkI4¨qĥ-ɨ|n{A-7"bﰥ'15K^!Z^iX]9rvTo_6me ovr';O)eF!JUHN̷֝~30/Y^ʪؽ01v8+}ā W+/g/ҟlGIд\CP}7z;& ޖ2o;-DShPMM<ˬm2L܄< :&9݅ϙv䓒K/Vg4 TH֝&cRT*B[UܥuL0ѭrvU !6<))|6Ic,3's{{(Ӳ(|S@{h"iNh,4Lj*,S`Sò_ Cb5Ό!+@ܥWK_I 5Kpg{K ^@)k° [<кYznAbC IS+rP6>bIy'K)E{ʤ4c#mdMU544Ʉ#ɺ_7!'>;aZߖ<pA%~zM1r@U@~KQ䱱]S7ݣ<0-r(cY7iJt-m(,q_x{'R3fƶ@wjqpkH<$ՠ$Osi2t&;X‰@Xtd~ld>ff`Gb!*d y ni@jR5Gjaho{#j-q'#N R@Y"gu2CJR^7e\^.X8 xQU=[^*gܹ _45' Rٺ2I{qt//OΤ(UXxz.] Ew_88 #b+` %M_ \OʧGsmuvq<xP-jt }ŸW'~ h]. 
gm>ݢLS~5K(q<- 2>m_\B)rG6KR'4[ l%;*>Z)/%:=OOJژng #剄_ؿ;;d.~i`i8&1>0U!×HՁLL!C3OlP(O<6hKH3΂eDQ K$eW8[ B눖k`WLCx&J\B.Ѩ nP=( ϦLę/CpqE󑿼>OH,râi/m' 8{kَtΪr5ZM݉< }C ݿ:ȃ$B[< KiٝR(?K{?}HG gc9ߤϐK\~-c; 9e<^\ ;?[=eY0ZeTsXo[ ;nI!Co1SCo,1Vp"GH5ų Y*!1 D&Me|ݹj,9_`t7J[-0yvIXI[RlVr$C]ŽTl-Y%s+1Pe]*}~?F=m[^Ȯ1`vķ{f^_PU,ߖH_|+_Oz./LWLxGZkbgnZ)Je6@a37V2LK+s`M&=$nc#DdEFpwU=BpW|s094vP80>h_;fސ\A;]M[83C=2(1~f /a?;e"^r<]nBy;Gi:V^U_U] ~Vl~iP>;*g M7ܒUcEi_ᅚ,GFa R qUޏ/ah7DȏDF2Du}KU&mL0B R#js o~\}ƽ3 J8DrYX^Kw_RگLt͉: <]RS_-0Y\L)2:%9\ QdwO;5 %H4@W 1]r$,LJbiyybj H2.';TÎCũa7 vv{v_i @Ϥnk˼ԅ鴹DcSM&*{feB" CFT 6w=].L%[IXIƈȑ/3gOͻa(ldb,#"jd^DJT4q?ln%X-ЧyݻtbSc9?fSeƟ~^5+0_V67Tԏ,43Ԯ|οJ^J#.N):(N)4I| I/H:@*A5Bl#Xy6%9VWdzKWW)E~| lҍ0}I_cq60^\g Βt_mmPiy,PnÌ~4Xq7rJ*M(A}Q*w@)ŠRX][qK۠E.ܢogM]<_JEdy ~$|ja)!&rf%?磚40抉;ӜWA ٤8Yւwu*U;)`|_һՔ6gU3_Yᗸ3rC]ZkW_*~q둶vYP$.~*/,/r\wYҢcu)"‚?̕iY`r_'S4З:`(dL*rw-ԟꤻ)jFŃxc_hR f)-n5fkFC`$}jz1שE3VXg$I0iH˵'۽18"uNM[*/E6KZWS_L36*w@e:5 FG`[`Q  ~6?fWz! 4z2ȌYO!cXndXaG׼a0D wnȮp$U1Yq:L&a&i<4BCU"5 jW'ݢDZ >"uԁB& J~|mu+= A+QN$9ܺp;狚\_a?qƏq SkԠ $Ȯ~!>D6u_`I?`!AlF"dORBW%Q'YK̡+fYhPdDF67Ʀ^O.r K+4=;]-+-=U>Ү#:C54>DaOwPx@eZpcD^/jͫtwb!DHQk_eVu.P9fG F{y~z0%||zt2ӣ;KWVֶ,#ˇ` :7a4jbJx 1f'ouۺg{? 
Mrȗ4 2%m/LYP}3E$')ݷ/C$=CI`%ne_!*er(LXZZD/Lc^U5RHw0e% t.KȔ?jnFrHTu9dV:0Iǫy P({v9j4İsX uvAEc:[|QS}ȴB$+ 4Ӏ u {0СpQq׃3*ac.<&>g u/1"32l_Aڒ+GjPk(\iOV87[V I'ۑq{`ūHF_h3g/ߍ6EM-g: kѱ4Pk|t^ޯeOOfPH55ٴ]([ Uc9u:/Zy&Jy1ʰ]qW#3n |J.y@ƃpI@HT~ƷٰmdP^ڣbݡvUWq!c N' B\`>,Gyef%?Hk垤][`fN`еrMR: [.ypRؘt ;j==3C!+ҠŻK@ >BWùupV?)ɊvAr"\;ApNߗh 0О;Ob΢2;txco%=50w.kv`DIXmN_sForaRC@ ]:WN5SbyYB o*Doa}˼>YsY\0泻^uѴwb[8VwEP(7'FVzg7r$PzNT#бW`8 cZF&G Y?hS׵wq8Z9;ą 2n*3:y"(,Hv٣[D3#uNtjOrt%Z:C?Foc4ɑ2j¡b*p#^|`k _5*M226敾IXr&z=&g:8(/p×ewK*bwuj$}|l{laVQ!5![HPe[b3*C3AB^>NnwڍI6e.BTTe*ƊPZl!cr8 n&R)Lxo7AvV˲CaQ lTNav3i 9y#/GW#ZG245}0S$r4RؿopRCmYzyr3b<嫓 {㽣UgIN28 _،h"7˵ Z3F)H1#~ gac̋t{K<_!"ZQ gMc1Ew Nn%2 ^$+|K7 >F:=R#*faoύY=ִR |*pB;|&X`_8%J8;gN?ra@0j|8/X݁m4OKo2ͻQ'sXzd"SLӸo8YS\yhB9ٝmLLW |RD_"li 4kَpTn [/95q.p 7A $ȱ>ʮ1 Ƴ/wSBFS|/V=cɩ`~]D>ō9.4 90Z/xl =`:{[+TOKZ0 "z&2VM$PFMJrdL*ue&j똍FYmkѰ%1_;<ξԄwB>XӍpw:o x5GMO,[!lqMau)>!mf wn.'oT"6?"w =Dnl4=mɈ]!O%ӷp#mYqU&EpZuJFt_~^S0blth /.{T4Or(ei!gюJ`]) we h"Sv}%<%n>Q{k] 2jn2SRxLN d~Psl~>7@}"ba*YMfSo4!E~2j,,=ĵ#Q]"&r_tE\dUF[hY TZq2B9AS)F7S#fІ̀[.GB33i !r7x/xƪPNŷ_Y*q{oeNg ɱ~nKDֺce`|N:¯;/56ǃ(Xg!x$ UR^FEf!MTTu~4SHl\ 1TΘ鵡;E-nZYn2J|Υ?# ԹdyKmpO.Qyl}[mec*W€1i,BX<|xaJ t흻ms70e,LצMPmYlխ$ =#ԧdnCM# KQ,m6('&v;`Mjg :脊 ǗSpۏW-V-M".-K}Ok L<D 09v;Mφ>WNaDC v֞Ý5/8w7CJ6f^Zȅ{&,wO wfԵ!\"%mXvR3‰"u :"=Y)N!^t'S=Ȥ/e]‘37ħ;^EL!6J˒W peH'bgpM;@tŒkeAfbuWa8ɘf X [^pr˓v _V'+Q Az5xIp̷ESCe BXnjK9΃ enM\WY+OS/pdܺt(e [={eRL9RŃ.JO{[g,C$ϽK_Jۈuӭ v >Ex#&98lOJvW+gY=|Uyga` R8e-=G069H]Z4}#cmwKt?$Iue4)ՏO$:M\Svͳw|.BI` iY bwXeUnovںRg`1n S"ʁ,0Y_lavSgYI43l&fʱl#gHIbo >DiD2 %N-*A~-qb?đӡ+e4blzg $O`h!UB@&djmd aTV#A'c ~_ a\iOCe]dd.uW{.O\uT8{X6//%­FU!?_'eHwZ{d iD[{Cl!}o\~ͷH(z; j;WIU6/ Ϧb1cI&1B#׻^DABῷ~%.`yQ0D4[ɐsܱc}y:dNA'4J&۔=ǫ儞Z)[U#W.1}WXjd b{]a{e}㡬N}[mZB^\QhW;٩6 7-CIPa` :򒓀?{vEUyH'{HqƊ<4{XϚ H$rثߥ܄aBwЙ&uũ@mKʘ{Z>BK% -YC0ў$t{|3 7Q$ME|ڀ|bmws)v7 7k-YAE9#Y~Z3+wKӿɁ! {.]~a ~m&m>ϳk ʩ#n͒(cҐ́P}&/k2*)&>ZUlsWbNdw5Hד販5+8-)v_ۅӜ&_."h? 
Z̈v( ^)8F3ekړa4 g3rBePkbW읪 [9ɼ1V(ޑ5GP<#W3pr~MtEmى0h4xdFmlMp[S6YNgd YY}Dտ^uݘT 'ZQS.\t:`5Ԩ@!DrdlիypLa=a9~r}e¨br¼x|F>O"d hH-^W~@nQ\1 ^m;>[C\oEHw8Sr_ƴeeXR{XcB-xŬ(Xܛ.R *0L*4B F-%>8Ct F67%򂥁$rTm?c8sNzT=_OJQ_y/iƄ!۾ǃuzb_[FX{UXc D}֧Nd:`GT(euOY B:ʷg/uUZtk5y2ҟzK9y勥uUSimP+k9\$x 2Pm40?|1`~Pі=ukve"3> CRώ-S, :`|:>'ŠΧ/o롓=w6TԯLУ ?(z}md`2{O֗ZcB=AfU~n( 娑a&Iw3;¾1ێq`0UرL^sR#~>A ?phk?p~ʋ{'9t~Vr+FڄI7is|w{tm #Z#aNty2)BƢp_7B/Ax*| ny J.S3hs/Fp!81Sm.GsN'u>Tg^lJD1|ݺ#G:wĄHa\ғ0V`2Gb\a.i~qږ|ejVU痸Lai[M coFɛH5bY.)ldb{l:K&Ե~6qc0e6;fq7= zԾV \IsajK\Sc& -^e=\ݕ<}Hт$BDA1Fu~8ގwoy==vec=f=f/ѵ$Ϋ9sE-1:mZ*|RF22YS)`6jZH?B<r l'7}e޽'!JslUZu(29'‡JzD%yTh͗8L\FPFLGWٳz4KW34m?bdزD/I֊1x ә‘ױ KdAZ3@GoxZ1[2j(vLe5^`PW!W}|:Ɓ'-$`BsGE2j~ecZY=a9$zDΥ*yKo}N5X /7#<@NJħ&xx16F>X8 )/QѳEq-?6dAL-s7K/,wv͏8i|)>GDD`X}GFj WFIJQk"Σ)`-Cv. o~eUtMK0galSςK_ظ6H13TO~sLt4^;#U !*rʰ41Zr  ڲӥLpZ >nzX!Sbىvb,O<:[Ý<mtP֥ hx0Pψڴk]FiFM-Y;!n8{d.)|e 9߱.X֐e+$ԤY5(/>Z~7ݒef͈M,s:~҇1=W'4~i9o918TbpXhpT.ngx7:,iڨ/+xX1) rVK;:.}㉵Ҟ_k;}CY\ؔVygU:*6,8$5pT`7ݞ 0e.QW&"Hq@N; a\,%GD^=c<'`@TΈ_:O[l,b }\;PC, 59^萋7>1Ϻ~c Hڴ뛛"<ol0N$)yS ^<^PR!BHdg1dG`Yn犡j.y~#ViF>HUf/'0r߬/0{F?N.A W4 H/E2䲦LeLȧ1JIĴj8@+׹!>Dݵm [#-{s/5"\ǿZ=,a%gE$yGϸcq:q/[rDž} }$NBF߈K4ץo3X5h$hG6MK=eo\rJC0@4i`n»KQu'oOei A4@џz=x^Ap  /,AhW ?(2 3]hpOkpC`/+^ARn/<(3A qOK7]?kz&n/k(keaȤBo871A Y@ qX&R:cFs4dr3Vxyf;J4̶lzZN -Ze\OuC=e-*&֨D7?d!TqhzToe? S:`MrJ?RO9뜤3i8,Ĕ!g E@UNYdWVlJ^pVpקٻhL2?egnuXi82lY]R-3AZFRgXTR2j zֈєo_t]4:$NjcJ"DF9#@8egQgKPI\I}d3O yHΔD7h{4Wy̋K]O·v擃kQ+48&E{%>&rPXN)~!gOte@oOCӶ@vmꃻ } #ي$JQ"u`։v$0'tkk*S8j*V/{f͕k8/<i8*ǥ0{| rnIaE5,~{i9gY:oď_s0x~:[ػ+M0V>^ P ځ.)vZ֣j+*zO~,/Xrϴ+zY ܃=oY\"r_*Wv>Dрf`4)fO YÞ?L=C-Ք먭UmueWh翙L%@R<`2߿b }0:53{}+Д01BHIcwCqY!QkΨ36Ȑm Bv_Nw]r%}X,LǮHvi{U|8q}aY* y4k|`2D|330k8.*%蕃\ƞXnG%!;K4*^9Lӱay~~k(a.V}G(clJWݤ_-oW^! 
P.LKkaš2"S}t _M̆iPl_va^u۩ XbZ9af,(S$]ϋV~P;] (1ESoS{7Vnin v}lᠸq&őXa3~s}#..#<Ù}ڴ@;|ƌ̺i23:4EQsT ϴRfV3p~YlqNOzS Ls.E"rx[hYUK6[e J ޸t0ȕ\|]1y=4maE4ϵNj BHvlm}E`#C#\z:#`26Ÿq^$ Q+(SقgY-m /B O%@|K/#O M3 7-b^~ \U":j)SY˼VR+1oh[Q)MhNfpAV̇m0쵌`H* QDˌ:w^`_;̆5%ج~w#0+!%BA"@=F*aT.6uҞtVf0;W~3q#K٣Xლ QyƂU4- SE\5:4>:ᮨΣ(b~#V0 5=hɂFFj?Ip 8/g[+\dù5uG)Co 5im1 :qJsˆr¤tV)| ǻ8$3[i}BCL;Z|LTfpE5J|ɉd#PK3p でmZOJ*nf'䲓=GKpj=Uq]¥]ZEHOr惍zAjfVaښRxRvmqȄwP?k-^@p =W5o)[3WGy+03&qLva6ջeZW?{؂goL^}sOČ(4I#,H MO.IJMԬ3>h3ux Wr`?E4`ܗqW*xawřxƽ鶝(rQg @] rM/Rk|*VA'ϚcDSs3ˎcF&؎$dn|+w1zHx*gX%YтrJȱZpMwOUm!s}ص tt^(ROաKs.zD~bکYW-Yur_6^qP7"縉y?^dѪњz[PՂ1;E (s~:i VoQI+o\%V/(M,^ E 6?Ԏ[/r-4c9OZ u}<쁑15:aă*y=X/ׇێpt$=FiD}aUp1{̾Hte:JiL0@dДwNRN\l/)7L`_"7 ЂWR<=L+;=@wWX}ح?5VIdG)'3g}!giJ'ط9ipg=ɩ MO'.^^__1ڄf<l] _~Hi X&a58.)CZ GkۆL.{k#ic߉US}/09U$yTNYs@[{}W; #uE>a^Dj3.SHx4Ҩhٹ<<anΟT̃Y:.QDQ~F3`ōK4VF;9NϛH!ɉ%Zq+S-S~1,pQց>=Ys 13vZwVuf!a Zynlꩠ)IWQMpڼiSdX%Q0P{R-(VHz|RJDI+sjn@@q^Z:&0S"d2O}5{GG^sָJN 6w\/q#ueGGtڌ?Vmz9ך7,Bfφ֙jReZnj|󉎞S:r7`G؀(,b1gdAXBxBȭ Rf]nW8gN}Ѵ#K達4yuSǗgy{h{%sXǩ(A2)@5;(a'WNfoӨ&.@tD:ʼn6 0kn{Yr.*>X՜/yE!`Y1tCODT:+O`;E8jv6C^CgJ# XF6FiXdj|s]_6n#Nj7>?[Uoݍ j-guGE4KShPu.2!W%VDKIH" h56e0JL@b1ۈ *gQUQvLmOovUoZ}_p- a-Ybop:؍eyL?\O> ` Ö_VIdxsLĕTքzy+ &PąLe,y\杖q-iL–N1vM'kk}!Q&uw0g.fA@7rQҖlcEy/i o]w mPl"6Z_G[]{dgMDeGJ*VFyr懯vGg;"'z]f4~95SvVi2MEђ:JdlS 0BuK v@XH8T &̞[Jic] fn bʘ^)Mq,x?wpKAfSrpl?V7V.ePlktԈԤjvv )0WH`(+Q0NU ]x:i[(벟f\BTH@'OD)J{A} yd2ۺ%Nد\{pJYjbzLh%r _GIG͸Qe.hc5C>`6@ cuA1ޭ{<1И蔞 t*^PySLDSf;ЁY`cSY['%b+䔗I:r7Lj6I}FXNz}GaI=0qEf+&kit=#_2gңٽ)j֋sPeЦ@)&[)1 jbj> Y51¸!qR۪#F1hYܸ&LS(_8.;0}O] NjG7p[*  {sݒ{;dUӷ+ǁ+kW[4=,8VV}fwJٽ)&"]Xɀ@R ZzXسhzٹOnM?er%m/|:~DJ,_MAwF|b =7E)A*yGnqqv٠{EY-{FYV_c`6Ʉ@3 Q U;*f'@~SML奫(=Hl'SNJ& >a_.v&b>vI|2U^FmG:vQF!h/V_6(SVeԿD?ђ.6/ kt7tijJqzusĽÒ1~o)%+ As+mZ$sc= İc'qe |Oo ul{qIKpa7@|,c`O=A>'\DƑ#hA zjbH!ij<#Uؔʱ6LaMX+8n%[+'(@| p8k]g EI3|{Œ$\|ԡdOUS?1P(޷]j?Ժ^#M!   
Llu(IWqI~L %N@ z<@^df`%d @df  D7_|Sp~)ʒ/מoK>1+CcB/?-(3]' _bY/N,_@5cqPbs]ipR˜H]995oWA=R@!J.YD: ST)W@-[S; (̛ xLfvLYd-誀n7@ +F}v0j$&^Ib@HɅUI 7@ QqbTR5ŧT{pLSR;V^% r ggByGoH_xsUD-0& 59j,WEO$r^pDݨ:.",'q0J soTMCEݕb͉CBq![?#d;p[23%ndUk^ b<)s#CH1EfT8cGBw,9fFc(*d$tp| V< #/f~xPw~9G+ڤ>GHhcf%0 ]ӖXTb2Sj*/"RT\*- :;fSIx_cztrU 4ge5=Y: PeE.: "QnX&SHɾ5܉/LoBG)N(.KyiՔxeizFk~l™s߃U@0nc_x+L%䚇 2lsmZհ4jp:bW/ޙ +)f"-i}N|9x8}vO֢V*,p=;6<=0K(Bh.؉a;bk*x_  w+Њ m X@]inZD9?yO~жʉat9iGK<թsDu̦G.ONoǧ#TAgqӄEJ GzzkAءgBo ji=TT1!vb@g$.BYMIbgA`E+4@ptLx4lGM96z.]"ؚQ,WvrnGkYQG+gYTvr^bw OHj,, v51dUNta~0OaG_9Wd419>'wN1ۯJ@Jx![e2o,gy3"٧ 5M< k~9H9Zo~~Jl&.lvhk: "Crʩ@5{8.1J򕘇llL(/g0\wPmBH.qF#熂iѳTu ЭmrS W1Ic6opF{2z3d5[wi]G\iЭ&F]y;"`'@%QԹ&M]D\"gم?pjY6Hyֵγoy&=V Cb7}rlj>]u~*;)h`Wby"ca}L0S [WViK!j_oW ʘ`+KOtVi x-FgJr5|-m \.[CzN@^];S"GX8b.O~q4~$i>NV ^h6Mz T"5y: ͠9Y!O}=5=C-GbnSVN}67S?ׅ._&gn. 4m,x`V KxC!~N15a`eM ~ƮKݝ 1Swu,>' L]vPצK6X=%؁$o_5qZ i=x+G踼0Bvoqi!ݝǑш_:Mї,a nu1TFfXg:=d*EUA: 50_汃9h;}<۫@/Mi5. Ȅu^^<\e߈bHJI; ltkaFZF;&' xzF@WGֻK$4'eQPXIj(QGpe -e `'Ynmq](֭;sB o?fc?a6"_`: Z`я E.|dS]8 [z$NKi8c)}/h& )ĬMWѷ5=d['=<|'ʈB|+jь4`uY<*x̓|]p;Sțv EcEMdSߐ6B^GQ̨2[e A{;w;=,2d^3[/<co*^ԃΘ!>c& RT~`s`d ϓʔlIg6cV"y5dokh ts+c]*рa"9),au%h d{$vfwzde&$m ǟulK`-chZ|z_;x > SfBPdBb U<`ĩ?{:o"#hm|E YQRP$YӬ-FXդq sLq]Crwn-ʔofXnʹݲ4_gOnÜ:P\aVj<ԛ*$8dùgljt.is!yQoՄ2 גS+[G2 3KxTo86la'h^BJn Z[/O!;,C 1Wq>dcMLwC.t'"Ģb4ԁ ǿIDoUTUV!P8V(yqeu++!I@_7HuR+\@+ G'Ɏ"ULQǝZ^v~YQ( c aIJAi4.Z# ;ЭܑqD~Gי˨<iDp24slS*Sfqn/˯`5$&ֿկPjTAm}6H;&0TxV)um|\aPgR*K.\]V7n`gRUA i?E?@ͼQ6eO~t,fQ{lUD<4MZ3ߎ̖^Uj7DepQb鄆^ ` iܹ3 N Ou B8/p曧0YOҏfɅ+S dԝI[Vv_ JlwyP61jGiibiJkv>!avk ] U.cxXAig63 Z EvGx힥м8mxOMӉwTzycz a>h\tYer\p͟mԹtpN)ܷ2}'Vh9 ngx|U̸]. 
U% iy+(9tT^"dAs,M{NYq Z!86V(Bn(8dWq1kTlQn50=ec =- {K*-z'SaB?5JMaa[oĞ1N(/O:Z:u]%PL]*2o1r*Q~lcQ"(Kb=t Kϱ%}5I½M'zڔ L9b^e|Te鯟㋚[Yq+GUd;Va^-n'X'f~KAfujrPօa*Mlnjr0k8nJ])&Ԫ8AՉ.2@MMmI,8926[3a&uBew]8 Ni臌hhv#$][ZG>{4nh@{OODQcMUzE(ZVWB= 5y.U/|B[9h%ʱ.(>0d&Vt ḑ~_7S .XrI)FPCpc1\bceABhEMsۅXI ?D5u4n$m#@lzvOWqA}#WdFATaF`#6/_%UA~ 7JAV^H| g3h9&Zfiqۆ)RfKKAQ{9%W/\q709$ Q9L3(/',H\Yr`JqUJx߮Es^ս0*RN "6Džǖ| M #aS\r $j |D-݆e]MւK~yͥ+Z8 i?\b7<@{BF5'8v/S1(rPth]l'\"1W"̸ 6*>ًurND&h2Ո[ȥҴгHZnM攉sLē# h#uOtyx vX.t4פPa\fni1eqy/Ϯfˆկ<->C~?rEeY:&b 1%s#5`%zbTVT[7 ~s~:כe~TΡTJ8<\&8,ގYŴWF4|lfҎ'% >w 5/x"P h'̩HD6jKo)tVjZ~Tܶh 0*6P9&&>p 5(YoulLh$(b(t|@Pr_C+ʕeF^:"S~l:g VZ&NR\Ǿ n%z6!lfg1꺔!DŽItuh?|;@~ړHq,Ӌa`-Jijez0׉+iBs>$#b0NA}Zgޱ/Y'fN`֒ xlz&p-l&90fwaF&=1}젾@P[ a[ 9gq>),IW-(wݗEڻGM|pwn)tºrNkHۊ@)\^P-/L9M$ahb8%vN$݋ _|r׫b1 >JV:&j9 I7Un`5<6WhT4]02yNHNF+-q{HO ?7@J3h "ev^*d5RFO\0@UmX9K> jC3YiR7uMARl*:hI8 s~̥VN5 .kS?s{VaF'@%Z$0Wbi$Y)rd>Zg.蠗c7ImVu!#%xW :/ZAXj͒F'r,EW[=.dM4>CT1_&uŬ')ߒE]+ O6FAHV P>Ą7Дj@b_"ܺԙAi잡l#1 בpV=spБ+抓CRۅޖ$ >aһ+HB mʀx;[Z@qWض o~3ybלh;!ີz#(C:F\ 3$i4Fgkk;ڨ~^r,G;L_Rur銔aE!?0?P~T f=\evN<9`*2xHGKL[D|T_q%UXjYs.dק)gJζ=@]X[;=A5ϫ2: K}:CKΗ!D﬋cV`I9GL6ˡDS۰.7+d5TR3̋ƩK1tebB³SqI/vTI}k}y"⵬m:bP N-Iդ.:W25ʕW12.9.^^#lJ9fqY9ۘfژhPtix䝟p42/d~5lVPVwm#!z4&`ֳ š{JO't fNj)8{,rCT0ۥ,YD(Hx -y7yYڎ6J:`A[wqa!u ؇T={"V*uD[WL;fU(kK,ZydrMOg@>r`Pxc19 k: )2O]aMyxʦRM §$#7=(e3 > U8ˬz.Q!E\? 
͛8'tZ \ 鿖W~Ry) fI|zcwX߬r_X;VN []rAGnV ,waӵK޽** a{VٮgAU'walf\"e 29%o|Nйnsbo7-U´QcsG* -e{uZ,/(EyqiPVjx$P%5s9 YJyG&8}_ ur,h8+#Iї67%}%`J[pc84Bν'YI F\|שa^,c|~1= Qfn4o3M[P@=\# O=Lz c|wIoOh T(t{dvV JZ\Y,|s(-J[=M:ʂϩ?+a֥/Ʒ%KD#ymZ+'C" T%v+m>wy!['#Ee& =q~13 .HS;5q|_=pljN=P6"J^n~Wߔ>M ac|\$)}Yo+ hl.oU`(_ 4mAJ0g`RG~(5z V>{\qv%dE/8Yy373)M71=1PrYDo(6}FkXB x# -oh-V+*~%Irn]z^0zť)/34*K5 Ώnb"ރH; 2opGhQnPʧj}SIDT溆3X  rH#%:'G~ %.OXSv4UzQdkap3cA+a]l9$[XN z6z[`>-HG4ODu=TA mg>O=OʸW8{ 5 X8Du\l2 ).n_8Ix$>HOZ{ٹ$gfP.ҳV[ Jn#o+EpP1d٬eH'O]֒cWtNn*􇯹Tp8Fmrg4Ҹ!-տo4IF>P5OVQz N"-W&0}qt*u v\yvr `ܻ<El%d3)i`=#n6YY_(l9Y)359]Ƭ'5sՈ(2Zgkr*zEB 2?nM䓍* di DOk)9yA晄gA(Q"v{qUsz'UdA'r%Mѻ"N[=/c> X#?rq\ͤw/V»6}1tZ3EIJE7OHp5G&u21хZvYc"08%h~']w+-γQ/3>?9w~92/RhkRl]Ŭ3)ZY*)GJ8u]c;EgEnZ>>mDa^ld&U)7x*xnysFsGc"kl 's%*r #!HT9DbY iڊo#g\|pcPs`DKbӡ68OfBIϧ)l>6ntRs^\ t\ b|j,_:ClAy" Ed|+@k 1`ȄW~/ ;VF(+2YԺ- uz]U}3Dڀsra6`6 #6թ[m]#)%[Rp`կ` AAE+pDtM-+Q:c1' Z0b"M`}PaY:9{o/ 61~U'o {pg!R8Y%$ "2f#s8)OFkZ5R:oSDҷZ}>TWoAמPmfI [;j1R|1?8) wԋ!tݜ,D91V۬f}1Z8@ AO$ ,21ILqbG+˔Xه:~O`L"obg(Jɤ"=6bHv0vȴI9)k[ܧ8,"9 =3$dp[Ď^.\FUbFPР͍@o7Ӣݟ>?W' k.7H(^cRD WvBq`ģuTz;b3p`Qf0 omZ#^ KK @pomdC JS}P ;,n CfMq\.P~F I֊XxaX@UgEO"I .m]{Fۻ2e28V3u;Om'?sH#VWW87(e/݅[")Ҟ yh g ~Ai,s*cvд*]!O+gޚ hfngE[ZJ{zr2wĪ[D j=2̦O1o5ҜYO FXT$]dwyA;ыʁ Ӷ2:2pk0!l͇ j^]8 ~`!)dtWUN4Uc@^/L#!E%PXMBJ>UU9w@%ņV- /mҩ-]՛-% BBFJEcYk tk K xtPܬGN?u& V/wπ٩u $.by(hGtsvɹB--RyW\nm"ݱZME)fmh&zTcϩrV4ԄhMXEgXs['QOE+tz:Ӎq® ?l':WCSL1݂;|rݷc0*5 'gYfVuB-`2/wǾ2 :]f5BS]󱵇`R %ZeL dӮ!ԕ= ]c7s2n k/NH~J|rq@cC2g:6 dDdtE]}"0~"`^ PhNg*naRPLF;vTvlTD H 25)7VgTO6(tMT=G2_D ! 
I f?I]N:IlLWx:@Zӿm'] ?L=fv=][i5d+MwC!e\r"B['jal^_^9Wg)xJEuvc㖱$ݼ*ۂF*lYqɦ=?sRN[oBt`.v{U +-ZQFjaߍ0}(R{=[}$BDŒkAB![=&{ h.>(Ap2CVA{eg_έ9Gp|זy PN_ƷT{@cveEڠٵ.VWˤY?S(t}ќ~²\o=-[qb!'buTᕮd :>h|x5I5WݨRgeH։TV `X'"4:^{amķY2f 5 KPESbVz 2V8I%~ }T1`B7]056?Ff`edzp2qšM1:\ďYE Y`&pvgfߦYl()0}qot1HCaW<2dK{=t|EcAB_ܶy8C鞊3RaT(A-ש t 񛀠tR"su-S 3~ik T 8+TJI" \s⢪ [yY{'n+s:P% C _J3pwz~2s޷J&BTm\E }{OUU-M}!'pWf"Q wӌJQeH0 ^CzRhC5ut~jFa[C tD_]:Mi im ~Dzw A%JO•٭wdwbnQ}Twʮ w'h0/3r # l@j2PQT!c5 JDu*"R̈LnBE5ء̋,R-:|}|0RݧۈW ܍ɐՀY4m+DC Z~CiBc_O;_8Xy썤i +9E!%6&TKq*0!w@K6wp;SO뱯S+xk ,{V}N41=3mm@VA귂x$^,"\$u3o\!Q NU:^,I;q,GY5(*EMxD}f\kyK"|`di3ЦY3zWԀOV=vŸ[7y_ʄ(2:v9TI‹<{ݑU-YUW(pt`s"sj AE*'jPYj;dX2:ITs_n|Y1̂-;`Ͳl5+Z,FѮw~P^-D#0 n :wEFYqX+Wlm|J~-*l/@%(' 7WKN[ @|ʥ tm~ >4r]b:T[YPR/Oz=IBBf"~ ď?Z=P4ԗ<ѭnZjPg#ȉ>9gmXo[o::Աc: ̛AF<&F8"dPTA02qdp=dF0]3C;!BLIB:v"Z )RWch3 q픦ػ߯`]7xrhZ[D\=A.%xqf1jn3JX-UgoEEV1C&6yտ/c L׶_I-: ^ܐkq4U.=Tff(ei'ZRH652-w]jf̑\/*4֢%Z8\baGU F |zLZP&# .e|w^s!ɤN\?XD7;B[댖㿟cĹHfj¬Uu6fB[ A+tҔ+W$RF: o(L)/sǛK:Vŕy>lw+vQ-%Kɋ'KPuo;7Q'Kۈs⃤KkaJ&䈳ED@1P&Zu޲9я &-^E; le\-Vr0{|bLߞ(@B^;cV~"Y n\n48wu ]AY;L!vhmG4 $+~`_;}Oተ,jEcS$ZgucvV3E@dY}Ux_:/%:ҟt<+c '+s: -,*OyXҸ.ͱUeD!^LcK1ɱ&=*]1+c숔9 "_e~PhISB4|RJ[\wskW@CxL[)EC~I밥V7 ji;E(ܨܼPQ qÈzFpQb eڜzSRurL]&s4LJaeCftTsAdV̺JnsǓw,kMm1]^CP0.s+z rrQMkάMn:-ܙۥ(-C iV0*Š$ݤ>0_ 'MH ji(92s˟ڑK3m1uRJdݕ\q.K`eK]dV]="k%[Я6bǺ-.#7\<Щ\UBz"HΓ ci.6¬Z%i08v}.ȾKpX]p̃XgY"H%-t,*s:R "OMQ <{[6v*SYHqFƸЦ)րs]KJ )תV-*f>;@-Ye9,RRpj {NymjI >{k-@dHĬDUh1E%\\ZD*tTsZQr D̢ڕ\YRo|d,9 `i__Sr(PLAN6@Hw) , lMEfX& 6rt#c_[?q#5:tbs{+q:<G=Wצ|h(ե.۵R>-q~iu@зXp8 <7Q>XnCqٖ}ycc+gʽn;l}7Lr]k~y$!>j c +$dK켭c'0H>MDK>l +D_4g *~:Y{R5-!8;dgM>r6gކNeZ9ӈpW7X#1~:<)t~vErfC-"cgtLb=ֶCLSg$|"|5y Kތ~?O+,6ԃ-@4P|NaB{9'Кy* ~Z&̀K`'Phd^"NC(:lQbw4QFhLer?|[s.XB8Cc GۏDks-6Tͳ-ĬtYPS@a0M+\R3[Q:R/7MH>>OHZlZ&a1+V/3mvO Ƨ lj3o'>@ ϡ,Upi'IN-WvADYLƵv&;Όt-o/|H7޶9|n %ùxr ʋ*`h@L_ro%@2}=W Oe%>6yh@IrN&J㽸D "!^)!2foۃÜkI]l9lm@yf#>fm,eSsA4k5s1]t ~y`r_8XL9MJ 0D'AvzN _K82.%_akRhJ^E-Y Ovbh[-X@7XuVXr|*]2!HXk0Qeξ [g H4%&0DB'F8/ Lvp*oAr6s+}2b⋊wN [<.W;u c}&@bCzC &] OUL?Jm+X[}ne 
I9KѷJbQFc1Uʼn95'*C͵T'!B*{[!i@>cpT ؀ʭ6S 3q[ӼMm *M hx&ϒwa?_y/=N^YMަU.Q^&6v9A;&K7%IO`N[mS7=k!o|g9L_%l9OR$3ٓ; F}3Jg Y?:,nj2Du cHwؿP70𫫊(/&iIY l l6>]c0M!\_DWvyvf?tW=G(bv< l7ܗQx)܏p/;.Dj^Г M`(g@zY}JmΆ3b?Hބqߤ5MqKƿF%|d3KCom`O& P^ OO/ezg0ܢ7V,'dHJ{K6 ~x8872,"ptjj~2!(}O[ $3E;:xF f'7Z(,}:W.6d/ef 2H7E-씘c d&>ՅVqTؠf 14>{wg=jv· CɲD#Qbbj?cl! |9\K;ڽ/"~4z;h2Mt5%>tO6[uL:L_:#2! ܌f!LŚ0, zzS l# ʘ 1Uf 4tv>DGB{@ Nz,RNyVIkR􃵼&=whqf^K dAC@'ʨe)cVzG7zB?o;[l0*  _ћۚ >kN~};אW pEt[) 9hu~[5޸lm@2x1'mYzZ_0 ee/ۏ8TO>!So?N q*1 4KrؼtPgjliūf5P㶖 gBjKe@Y@v%gndйwK2}S<@G똷AéIQlL7- wFQ>H'g{^-z_?<Nc`-G}Ll( 3(blJ2֭ < |_?)5dÚ͊7K Z- o*+_v<@IBo$B÷ъ#!fuPy1gd06qَzZu#ϏĝEk8fz71c<Imz'&^7BӀ%HcdᙵںtԻ\~m;%0m%flXW71K*QxAWE6Ā]b+ 2$No0B(G>M`2EUzC=9+"AJБmrؤ~$(QꭴxXA~~cuv|uϧ3"maJz&yK}N' AItS y΄B}Eq,-)1s-{Ϛf t"r߷2 Kg_&Gw|* dc6늈l_;z(t1p?HWoWG>|$'ɉMP(\KmDtqY?, ՠ1!NrZ4{G؆}QO:.:;kUA%x?ӿa/cm\T?l qe[+u %k FReJL,_&%P$.֔ޮጥqM ;b~ل)NsJ:%gijbbI_7@Ȱkꯎ}´9gczVhf c,PTUgC/Jh#_9_ Z6+^?CBYtUrN-waګzgvޔ׬uuq)|b#}տ*n7$ekb5.-.fw.5#&s*%b[űE爟Ĕ&nDo>X qt.&0tjTTxlVI" X$țɄ_K Fs(ˮǵp`LO15 Ҩ!ulTfm ֡([2w/ծAn݊"̇),@}*?~"2¾ak%L^CJi`E<!gU55:Uk&n F,ձHx_݇ F[u^=LZDNY밚#NAE+;2)1W8J'}MVp\*qG9e12l@'Ǜ7@x0S;# dJtpʍ@PM8mГAZ+‚-bu஬e %0)لhN&ԥΎ8%^2D(A$$ד|gG؃t-z@UwxAI!8 m O# :uHCOνiZ#+9^70mv]dP̤ (Q.U!y+1@& Gʦ ( 4rf:wR7 X#b64 ] 5 G. 
4)&_8k am@4PԪ_`UH8|>/6^>j"W!&ǒ *g8&LGb &jcKx-dps4d_qyI^]%k]5`DWqQCi R-7yۙb+&&75T­ol>W $,LOkaԯOrP&Ñrs#o6ε{]SiO [ȡ@߄&p9(O]LU%9/YҴܘD$y~ 9֧b l!^ j ^R\O)qJVFbΤ4'рI'0ʴ2Y,eR Xb$xН 'WLŞۯʋ)$)q $d)7]DM3eXZa}LƲ]Y^ Wp!~d3J8'iEc^M٘$AY+]"Iձc>/%Z]'Y[KBa5%C># )slCq=mŒD_KhXvk #h*V>ҴlaeM2qkGu;_:Ш,pIe X$< *#wUӠbK2dquAs.N7 0zh9QËm6SJ'¡E<*5(u ai joݷTAD'^=KˀƖ: ;RݞFûpC$_x 9M`j pb(]|<+7YRDрk"e+4G'!bJ:쑮ϐAsS [xz;x *-ļ;5G?7^uR"5[A -xWh$h:_Gpl2FH_Us%,%/7ıeva$ZßHr]bb|࡫IƆl>hrƫӌkosFIe(9!hi [/]R @{v-,KF#R$2()P#EQm/{?n}Qh⤚{תJ:%Er+1ub>,/xvb}"*@?=[0 (c#_}NWr%L9BSH%OhKV:?15yj_ 'aMʓangBBxRy!d=k)L8૲;a'$I~z(!D⍫r{g:Q1^bxo#Ev0ˆE[nc; }0=|IAk2Ӻ$Cq qԒ|ʯ,*SC55CY1,`=-;M*Q[BhG"1a㈞Utdk.iBLeƲ.0QDF:"y&ߌw 37ɶlz잭s$39VA#~uBvBDZ76,!<"\qo!DX|e俏{ z:I~~gnpGVѧicȯoT߁ Nu:-8'a,1]arnAosam(S Pto,w, 6:S/PAOW|ZGʎ->uP "pTosef^ꈨ_j$t?LMeMi: kZ2(HZ\8|F` γ[YjTOg}#"IDCֆ^˅K 0{!?J34ŏ7Gfr/̗/xx,HǪit#D4 A_a<%e#u0M.xK3Z=U?[Ȥ;Kߣ[qdl{+^&R"j侗\68 u 5oiFhǿU8*fϿKB?Rz}řz-ZSz`,^t! h$vkAzU.-ņ›zѯ=2ˀW>66f, 򺰴V$'l^ʎ$)б`$.\?z e|E-߬^=_x~=l+QWKl.ap{C~}[5hŭɚu XobbMhiǃƠHm͏ ( gw$G~"GHQrc=~2b %iWWs'*zk^^{`Ev_9:5A )V9w(3?ȓB pJ%iܜ):/(~m{;۳#/) l Q`}Aˬ %Nmx0YN(`x֬2m1&ٜՂT[:"4eZ܍*}{_+'i7$2/u|e ӄ;"7g}2.JHa pgACHjˊ9!2٠ɛHC;NFƷf1uF OQ}b-i/V֜~%2i=5ۙt Qs)IJހjJ#U7d_w-3#1'm:>&>G\M!J+h$jiUo9ZcQV-g:ýωj~f``;`* $OAw!=V8y}hIzk]E:JKtg4S^h9{";G;#b2zUa4Y G7U3$ڦSi:Tyۆ\b^2( ]\ sS fZIAk1IY?,jS (5((Í&]3j ڽ{:O_Ōb2>]r5~NvpY0u4Mhܢm:<dmcf_d*ճ(0ۊbHrsDlUĕqhxK@3jƺ2J(%hŧX\6n0UObqsJh$ԋ{&PhWH0h%D*v Փnv/s!5xފ)*s5鰢'I-CT wWڒ?J숀u|=|y 2P-xP55d}QOBܽ{VoqUqo ،YHlHd$ED?+e=vWbOG|xP{t*$׶;EJ&7i֥$ߖO2[w35i 1*.Aos<ۡ9;&ω>{~Awl.!kR2ek( 0 _t-yeKFa3FC@5'pN]g8@p/8U>0NG]ܞ?{SV7N'{ҾΧLoᴑ5dČKPyWW9'5ڜQgUTqD'qhezE9f1ނA[MGPeFq0!FbyX*rj LBYExr#m]rus.'Htn#xIh6C"ʌMIOB8{'o+1* uYc[ݷT9\B ${Qs .kvzO]<S 斣MwPmsXzBdCR<)YAYli)u\!K o&t-DZ3%fRGŚyld2LLe.U A{]0϶1zB߫u/r[ST;F?k42GUBd_A^Mo7/+eCʹ aS}ԏ@ruQG nRHiA*q(^E%vV~Cko^}Op=t%.֑P K2FT'x~cWLfX*̕${%26:\ԠÌzf"(XQ&bV{nm\N i׀7Q={)8Ąt芿e84ox{xse FFӏ6]%*cNY+_( bxK>*|W]E1T?@#\a{*OEMx-lr&֋$09 dg]Ɇd(ktenM{S:tHN nD;zeLپ GAb }kJ>[00 kJKn}=-E>Z9X꒬FlHPxhrv -TK,a F*}^Ov/gΎ^ 
AQ<+q$l3[F;VcfQT\{)C^\0Xy׺~W:P`BJ;V8DPuP_pզyFA/11g~,{wB 8`/ sJg.,K*]q*??;?F>xi։µ[yr|8m)i<@wo ^$ofJ(84D~Wȱy/rAOn]Ln׬[A\B8څk0JC׽gʲvۘܫ㝁PH'4+Bj Cu(m78~:ڞjEs^*qD,ZPg;q'R ^Ja[碐FyhUѧ:/ 8ok7A_~ Yp w8isJԄ ;_#]F8ry%_㭣D-;Tl(_ ̢ԢyRgZVܨ%VoTe7Mq.U]&'Scn Ig*+<jΩ45*xDoU(25K&)_O<,֗xͼn綥ȗrݲaz킫Vn*3QⅨ`ȅ>s\))3:狽 Ĩ,>Pzo1g$H@}|1S(te8!iStP'1 CprfOsIBf{  ~2h8Y6,Aۓoy)ዦuD Yz8K4iѤ|(tpn47?}''!2w2c?9{x|DNɻ2GK?[=F}{VNLއLWxG;KW0Y/AIR;I?t@sR*nU@ЅjOmP6#'DzKZ`lWă{M\Y,g+Fhs}Ǎ[HFxȋ ۺ`.gp'SLNDc^g3X̚n?,&|jg7ZaPIX ug6\AuAW r ԘlQ鮤 ^MAc+\oK 5%yQkC̪ ,FX. _v꼫P-1t%TCIV$l Ր)a-B@R\Ixk&,{mq3;c@qH ^A QZfbD%2Ey2}v8Hp! |bTv%@Z^P.Gck8F9lYnEgד2Lixb )ʢLs~ \/wj+*~A #]TtS,*v/ *gW(ܦrXR a+sin6 FLvf>/wf '/Cmgbb=G{;=/m\.FȿI jɨPMvaMH <^ek rf u08(R:ad1( xL3ӣ&Â&_1)[N'[NOe0sMJ{_B[h"Q^bK眜"l/Њ8hW%rE>! 9 8fjY]gx"v `2lWvf%i2Dd[`xN3zW?wbpBa\@b)'[El!&F,A8PÖU5|5 ϴ8h+F@y"ni'Kwkjt\[ɾѰMdqρWXbVz }Pa}Tv9˾SW  QՕ]p bk7#nsV[3^b'01ҜeFgAћUkq0~lF<`1A0߂ALe[̐50|Wk:9 o$Dj$1EB13 c*پxgR86#r+$ w򤰋dgP#@ ͲEF˂qU5>{'6\G3Q; F'bju|EƁØ_漺=Us m)dڅDIEKΜ(X˗*iw}&g_R)(o[ Ly̥C@_v;فO[=d38u\e:t99( Ÿ,f&>\᪫2ې\l4ᨼU~,*,">l ;ς] W{{#v>O1S\gxZ%rFZNK2b!{1(DczrzjmSoՌ3;eA` ojꄦ>,"nz,Ϸn:LNah_IIOl|_So^[${x c_Jsvcw4 _)5Qy @ _(obXcLPrk aOr@E]ʷGބS& -YoEAQW |8(d$sHQacV+j@O˾OadRB\dw.2(}9vߗ2S#ݬOfHPEI֯ޕ5ɹbKæu:Y*cAƧ/15<#6{W * ~x3kIy>abmoo=*_cx QHİgg&r!'I/F}" EgxՆnIQoH_F <0c8IZ&bljo0AЮZn7T/6Ղ[<S*9k!rY@[E̠+JJohAkI#[ܰb\Z, ˑgA)ҁs1l@fƉ*]4!~Da0MdTreesO"«@7֩ KE0M؏H-[*$JQR|s!;SYD14J?/ &L`"|%Ae)I pP,hc;.r*'O(C iBvPsڜVdQkFW51MuzLX{d7@xgE/[ -'2:񉝧% *$ 9Ȼݶws3I+ɂ0\=l˩Jo8b`#lWc0\MEY*H{Q(:/EdGk2}]'; qmM^H*ďhƅwf8Xui' jQy-:$AKed^.cqV)chUmP@#=9b|..Aun91i͕OsͶ$XdiS̾7; <, r%NGvP A]Ą14 uZ0r_z N6|; _C P\jrgx|QܷNքG"~-ixT.5S`?&?W|w a@=V9RSiu 5bL&ߪdV?^~Z+,}lDՋ>Od0upF[6 {WgMv^|򞯠e1ؔHIt!ʵaq$$'+ٽs8Nu(L_f@h.^Eآ |t ^$Fc< d==xE g*}@[[: \'OɓA$ _&Uiz4XoeZv]-EjPJAfM4S`SoiU+QY*މN?1Hp5 u7iO*[N+uꂙDb<0A뤕 ʜ{eh.3tXp!AgY%vS`K踖'N|x6;v!WB n', Xi ΂E"h$T,6c39@8I"htj[z lëjGdDʼnȢZx/yB-+_=*TK3F6pM| l~* :j(DAiVxuMLsTT ov'G~_3RcT*W#\V]``D}O4Lĵ JDu4:/혶gsҀ:yO6jD*d掅@Sa&tu4dO O>Y)'"HB#D(F~%r[ݵh0"[C-qO; F:@PZ ^eֻ]kbɜpF-r"I$ʹ: 
;\G3yqo)^7#z{mDtd5267V#Mڗ'ь]rBvD}ߕ@rܚk~0Pl8IKٶ.1e O{9SE}"ӂOQASM,wl+5=6]QFZM|LJ)鸟:7J4BعS7 1*S4>|#{n(_ H8w6w Qߙ]KPs3|ܸ4o[[uu9$;bORS8T _e3[XlgfK_ԺR{̀!bf! jpn~! ,vh%}%[Tv73w^"$c@^"M`<1w(㚗MTHg0dߩ]l&tcXE:6S}]!)YEħ[1b :Pϗ|4 Ⱦ$bQ}7]ûHyrEǥ*`NU7,_؂܏];S7Z+X}`MA'`kuߎ%21Gl$C!A-\hKSü^W"3IB 2O?-ciR=g,J=ȹ^qFɑl_O1s쀴2s3hai7z0Rӱ28J^6ሞJ7~jܞ)}m,d%3.zHKpMZ\zӿwרlČv5\OR1l J)p,-Glpb3yѰ+mpʼ{0AE,6#"(۶'*ab'[lu@I۷[#tG(+EcbwDE7ƯdlhI*@LJ): ,@s\`EV-$m1f`*f+ v,.@nW~ާ t&Ollz:%N%U]0qV!. "S&7?1~pHr"`X/0g7Zi 3nrk=~AҠIXłϻR1AJ Jt4(+,_Iּ gZ{ Lp=Hk6HRC,WQJF10xOŹKNm'Z#^my& 4k(-XwJ)?8kHY{LPpTUIԁfOeN[ o5keb:)8Y・ kGgqBKh!y~.Ug h.ՋŢ ,m  WzQP ̨Qr t-[RG$&om 5~ '`ƕ]?6XT^# $/o?tDčʨPdFzrBsǜ$u SCf H|>g1ⴋb (D( ˇ4MJqo2a'dQ ^xn+osyX0)Wn4D-_FqAK`(&wh6PD;bfawtVf@VDչ&k>`iKK(ND~&5.u4{g?;,>ye0 zч$Ë$B+PP Y(-.)eX ƌx$ςpC4oK)dGv2Sփ_*UH!YY8lgۘH.oiI C4q6-$~^i$_s~UfOXvd٠`[!YR:Ia(|91)~]`33֏*t&W$kH I*Y`kCUwE Z 3Wq 엪ט(E1 GF,K0FTgQIh{cL$_YF9Xo}g|ؑ+6)S]J+l'?Ժk?JjfLaZ6otOcջm$m:4 \᛾@a7j @̑RXKX6PBq*CzOA).*JW>\˹wnSO,QGK}!q* Lہy5o/lA!_佀KAXmkʔI>YμQYl.<.s !Ӑ1-iȮ/QMN,:,de<#ٯknGçmQ<@@gݸm=$-`޴>6d}8+H)q>,,onq(j mt犯.ahy3rF=ߑbN0=ykٓ~1;]1 YM׈od6C|[-ZTZb YlUL-Lhn01G>/-hrjAxHNEْ+c\,EfPpn:)`ȏ9D7hl.mt`[Vjy\o|G<~hfAB^uO>`j\ <.B}0TVf֎/Կje$A?%D聋9p*=L2Xߓ*>Rˏ{2C)д4 Xgsf?_N2_ F˛X }:w'aIpaDўW 7{aM'EYe`B7F = }M棌݄bS EyløMig fQx^LogD͞.UM{U5U\OJ)%hS OK@3as߂Z҄<2*7ۨPu,z^\8@'=w 3 :Y--_f 𽬤7%&w^(or.6sxlK{#QN(f/9tٕ3nyzɭ Ǫ+6LLɧ=S&/&H\:;] =U*g9Z#ecA-U y.LԷy/Һݦhtxݬ-* (ϋS~2%Ax$3*rp.~Un~JpG^$k-]ujwp``TvNjA}m 1'Ї0\2r̔58Bz@IIQd2]Ţ|$[~}k-lz򩨇Y×4Y$,s+3TTu[QfD葃ʈZvҧj]]^Y!^vaݛ9(P rKMDo^BS˜HHNFxKUUmCt(z^,\be(p Qy24HC;\2?p /#EN*^o;Y_S']teEE}1W8ц(o'^UnX) P?BnY:В0Ϭa 2[_0R);7. |$K%(b'f0#!@F¼ÿwExwb ˕Öxᔮ2gWβ$T&^^ "D 5:${sZP겝X ]ɔQ@ЊShENO4nŭ:& qfe.L]գqeI=1rkm䍉{ة+F, dҏoķ7Jtä ~':IH뀱\ÝvҖ"jrY.W wAO"f"/*wܷ#). # lVc_OB_";J13P9ԫX7 +^it"5ҁ b)Υ>) IwU1!1ݩk4>&_*Ģ6YZݸeG wBxG9eh9S=_b<s[].|m2Ln`00m^)"u܏{ cDFm ZU_XwʚOY`9#-R!ny)K0۬-t Ĺx@Ym@JJq 2K7w2IcZdhdz3<\`"TV,z|aI."#]oz} TrV0E}H(.*,׏zC#e>|*!{6 L]$1+v ̜{dߌ̱kKBELo; y8_,ҷa+|؅8l. 
)MiUp:{چjAv_S.yLu l"}!?BٹG8KGp0]ueвL ȯ_i"bŘ&Vh~gV;7 [RH >6ēocǸ\zL9;;k]LE;T:#l!G!-Ȳ6uu Asi䂴 p$b R=4/#TAC#|[n!HȈdT܊ q' J0ʪHɝ((=8^Eztvn|Z[0EKJJgZ,f(zz˕AjiS`DPݠGLրe>d7źxFG3 ;j{ƅY恊)|uV&`8dcHsdP߅'^)@p{Ϥq9>$ EMQȆ3NIն< <=+ !ZS:]j`u(5p~ 3]^*澧GT_&᫰b3:(Fbtłճ5-d[[A *BD@mQv 2XĠZMZK8V{G/esh]Hֲ7Xx{dq/6@U޸#ާ}?[hi^2bDаrRDy!Ppƴã*viԩ.èrLT'rqOBqX} ֮Bܩ6! SU-4;'2wk"fQeG},gr\g{k pؓl0y4 Z#y,:Qag;=^`shswQt= оCNrTۃECgh5v"q_$xZ\bOӛp `}tg:> r6T &`՚/8U8M+W$"U*I {(NAݪMmC+ޘiəW !2 Wz+랭WuV[z6f jTs0uAzZR=ٰ5uƯ̊* CN2ͽi*{PQkzNrȠtRM~u<7 S{0>mRBN _,DepAl-\#S'NuL-T#:ZG;hTqo#I7]=: 27Sj'<}7[0a6zrzĽOh8^a0X#PB$tkG-t;"QRh8xRVeV< %0|zo*Mo )0 .QȇjeĄNF HjZ oS/:%==n @.KrqcDxr<,h0?2&%f}a L؛:Hrhkh;]hYq[־Vnԡ&^dzxF\_1edK BdFP- KWByE'\*-a?q@я0f#k*4Z)Y-r):jhs218#4&O S-^]2/"G^0n< o/,WL$|"<:.J]伽UBb1\a |U&Q5c4=Q5g`O~zh\)H)곳BwT>M8c }=KldqZjH ]yKAdCZT`0T{06,v1iPIEǠKjR0yQcn( b_^ |oH7b/b iT>tGP֬uA E}l, e psi..ޓZloVM串q_^b[P d<[Aԃ=bo2KaQW=XD\)=@CxswC%i|0EX)ԗM0#*ۚR0]F ?Ha|=OBO67sy}c_^iX>ԇ!}`D]ZOLL9\xJ04෯_ty$ӂ KV!B8~I_]#&]tMn3žVi 9rOV ~|Z"}[W9y?#XݙG,kCG ut:QdO[1oDuzNf-Fi8G_Hp~v~ ba*0%nB``fPS1%kE2xQW\+]z7K)5cexBq$ªX ,@OoXG& O;ډJ:ooA^R `:` ؛U3080jzәl$㪝wpCsM)V*Q;"riEvQ<@FS\@Z9g)lrodNvh}t]BNW KC!zgfB4DWIx ~r>mO+&l3yW\l'z~3=5oO_6P@Jj.[2{?k/_/4rJzȨ-T(a=%`̌mFXq(6<9;k,G 4)ؓ>Km>,+%bke |'RE}yV $}c(!~6;;~n3{ư0`#ϲtT.u (1ʣu&sz~.M&0ЯlgJq;p!-(N*stO#: CtH1D[sޭ OoߋqB6f}Xhv= EU{U{<+!%LV)pǮr{: c!!{34Yb9JFжxi0[.ٗYj ֞lԕG0.~+!R껔,Kؖ#;ٮe,c,< l=^ȷtNJ 1°zIe*W7ҽSXxàSӕ;R '$@ WhD{aq} J"Sଗ`zݥdu1$i8*;e_%*aڊד RjRhMN;4? 
_#vCKlF@ 􎒞S J: =m|5 gk!/?%#,u ,+Huy1Kb_Jg9+Ku'5Vu+rJA\$|濍)r8D-Jֻ*Y^-w"(@q3znj4+Mj6nX)H;'E5f`q d:&~gHjfQaƘ THN05f>[&Wq Y!x4˪P&{><04./HUʫjEL4&C?0=톖+cuMsv?=T6DsVZ7.,GaO1a06_d࿖ڎHR"m41`USnG4K+e?t[oI!:7ݺn%f*lm V}O|@IIxRSH ½LƑ[JR\ -$ޱ`cy[0ӠfVbF8Unt/bgKo:P@#jpJwY@*p3 6v{ :wIN]l#ۀ;tllvcMK&p&EEyjj9.nʏv{, ~Ͻ<Ԗgu0F4ifA{֤\.pA*` JU(8z*;#!FCПޅjY.3.czqx fj`goff򥹳in09 Gx33e7 vr5nhǿDa)M`x;퀧k}o wlV\ibnQ#oqE &^NCR\X Z(S7xlf}r&721@an~­0U1UBÍhCt9xk SHUH6vVЀZ{{51i{gL&|i7gV}9-ĺ6F#Y ʛ6@.}AQ%(:1=z'V/DW陫auCSJE)1daDȞ3"p:B != 8̐b}S ҷu+ s @wO, [Z0ӀT餗2?c%'SfXsGl7:+]XUSه/ʄi!XFjm   h~g 9kx)Ag_^/7v 쇏kHވV~)Uzs4ˡ9Idtp]c:-SAꪎO5{M#s LUfQ>i-_yWGb-cs`V~'=˜@}.H;g%12p Q,@La^GX6s{> 6ThSz8B]QDѦWR$.s 0sS"*gbK5/M)5PR뤉8\ᕨBmLd_7v5o$$!DXdh)rY&D ˊם/`ҟ,tcsWalL?9R$n] h).Ay2t'o۟h r:'Nd_n$ 9Hm){Q; E#_{sSW\1~>BT,Fƃ_׍ӓc)7%S u T7m 0Yoؿy#KQy ^I3mjl\Tл+M,м%jSG(e x(SϑhLnWqUbٯ= P 9Y1Hƛy | >_mIߚ}'B_:|zNG>τgD^o-節0X{ޙhRe>;Ǯ0Z adZ8. a`4O7ݮ]%m[wN!9,MQz6p)F=ؕACFDnUB|ZM'u8k8>6{n~9\z5DmY7rߪ]2%-EІ#]NcS~ƪ}jvVTuzNq6ܥ!sZx|zDHǥ عB=#BA$vέO?Y$lT\)(!,_PTENAM)U߁LtGK" ;p,Syhm @qm'rqCc;*ok&>v_t(K\Uxeҫ\ sbڇ"xZLAIԗ&ȋq$%ΎS\Ri|'܆e)©A:5[:]# o&V4^ρ6wFA/`g~3u(!H;Zx>r/MlbfB erܹxQ!:Uġxi%|nj>\9bx xlFƲ WݞrX dZ1Zƅa2t5t .j %t8[a]lЃԑxǟu+I;[ i5+*3kW_9B@x×AUw{dWNcDt0~ j!{^uh^"=vI.~ޠ$F<1pwC& h~ [ uB3o([9JY1'd>9'}}Y]m]qs/AEXƺ(n#@]³_%ܤ`,C_{h@k n<؂LX 35m2iӭ~A7'`|=Q?Zƈ&₸A ŸeK_4usTмV" +О).Hr/DH]@v)&9^oF]u׶?X/؈Fcm[A[!$*3": PW# AWp~ TjWe"?J VCB:֘;mU"#LL ,:=Efjɗ(H.~>ziG ر{R6Sl jlի Dq6F %Һ5覻.n˺Zӟ+ABT).WnlVde[̗?3w/:Gq P܏?FnZ䙵ؾyeӻH8P]3 S}q[>7j 3:'Vn0u#yx$_k=Ƽb[RjG^$tgXjGr~at\ϐ- qiInkޠ2:ȵǘ 㸷Z"Θ[ďD0w L z@ū(*f{VE n>]˷(m< f/ ZBG$A'6<40+9dDBE^'{ (bzKyʳJ[5hܿpT? 'SJ511yP)p?Hw-?' 
eNBIE'ʨ0C6Nowc'$\.j=!^M/p[re)OTʊ w `ZQN0a.7pa@S~dxG 6v?D5YTYpO2DyVxTCɵi^cc~VU3 ^5DanC#a, RZ|eg}}V:Y&gհ{Q z1uj,s9>;{RS I`9vUfHMf Wo\&is)V\#DQ!><>煼0[,J\uPyi[xE1w-)%9<Ko4T`?qLh뢔c[Ut7Kz .m MlxP52Qe# gLQ$*_XNj{QA6Nkۯ`sU`R;L_Qf:cTFåGikindHGa}gL}[$šCnP;ouxm<-]W Xµ Ү o"›D!v%GDC< 䘯RKi+U @z%N1~]_\wX1-ZU-T;؋.<ԋf N|.}oB$1gZ5M|RBQ>e{NكͺTRK.T'd*"Gi8U.!ȯBm(G.~ˢFȧ)ٔoKB_C0Z?#ɳr!( \C [|C33 Tw;~4JM dyT]#wLp%_;4\X8b@sRoi<!F;ɬZ9TQc6 }FT Ba47X1RŻ ٖ hs گ(2!txo"_7nFx'Sx'A/#ytFtkJ-dx.]"Ws5uk@[\~JdT6oGf|ʷN ո<8P~ʵ'ni96SԎl2p]kM2A0oآ>NX&qGQPDb'\@_ɞfs9ǫwA*:g<*Q,m<$*DθVq#Blf| `,ͽ}<hoR]p"FzWǙTj旝F Qo&.۞кCOs;:NOVL|H/)НLM] Qqi U3"^;N|^GSd"okdVwy{~H}Kʰ7BPVCdCQsT 2WXX-[J;; "N*`\{tF0Z.G\)JAuQCP ˚&2] dsSJW8zc,#F]#xminj+>gkMƄ%1d^M*fS&x$RZ. ߏ7p @9&Kf{3=KE[-Q 28SGUX:*nZZ3`_ dA^pGu&s"$1Ҡ^KiA)`E@k~$ܢgj]zru\~[$s,4$᨟B_Y0;ٙy4hMfm{4z4{ DMdūQ 5r,E6Eh gfGM@^DwqzQyeZ18р"D-Bɛ~_}BE<,E <3oLK$| S NzK x7KeA1[:U~kuǟB@km}ΙM{1! Blg%O.D"~95MX^Ei{^\POUd{Õ6* 1&f SϾ1beJKb烇{3d:??~%_u+(\+DMZ|bl;LC&f*}㉕D"M푚o|V'"G8]뀋i1Xjv;V* ece2Ui{zF`B5K{*YXȷM=:ȪPTs۶ɦȿrRϜ$՞AzcF$7 czsd~yE Y:1.1bE>} }1ªV&Ιlgc!$/_:%['8V lVmnj;4ILE΄-!j X1}Nt2ݘE<}/~7@nȂ3"N*p!H\q2NWfQ$wvK1gΔ5M;t8c6nNSp_IRȮ%`C]i&*18@[>.0qB ݩǿFM9um|Վ>⃁v*H/m1\=͚He-Ǹm.YB%"jG-O@0rmU,DNq1Jq.ӟTb. =9ں̮T!H"qp@c!kMހ;qo)2 IQV \~LțfB*(Xz~G &^?)T:kѻŭ+.30F)f]*Aj/ɐ6:[s9xL!>X=*djk 6elOǣl9dfqVݶBEj!p'_w79oNaG}QJ@sLY٨_LŸb^[yS]:RxXDsoۚ`} <}fut;)."wѥ(3a~8 {$;̖YɘY%Em/Ljw5ֆ0]S2JȇnG@tFc\ɲ4i!`qQ#6E֧qdlJ`Sy2(JstL.rhzGh0A36 =r)_!&UxWL<2)̴ZmZ_Y+bQ?g' ??7)lm{k'iVql{!_Znyr0Z|DڎAUB6XV"QeoEw1uf7"N_Sc & `6't#؀]kP}>J4j~Mv.^W8,gQbܡ/)jZdxP~2gKW.FW+ 0 $fuO3~ӬBxsY\~Ghc:s%vCl̙>pQ ryR;);qn8 ᓍ)Пh>~IqJY'9qE.xQcJxk[`{p ^]5|RIP.IeJjO)yJDBcOIt{J1vtF91rFU!*u@CҸڅRM-DqM5 N?tTA;%[IkE$F߽Esz !kN2Q! 
Vn0)N(X ra|ו61;MC/vϏ_6z>_ah_!,\Y?h S1[95F8irX5HMa YxvQˢT^R̈́\^ 8/|v9~U#{|pź/~Z~__8pdWU MI,ӧVj=8))듅ˌoh:].&^M}3wgH2Eڎf؊(w+%%._SbLLVPp =VIJ{r3ƺw4]&{Yebp!c 6ڸ>^Ieh>Wn.K,l5&jrJW)t&D5  ;]4_ %jŋHjJJ^xRq&DŽTxT^z>N50q=1, D?RCXHYg'ڶ*Gnr"k6\͵EaAuGצZ*V1\qYUrIδrV(2ѬAd[̜Go߫I<(XsU=G^I|$K&wg*5!Ggs*zH$P}\ڗiSUC١ ؉= c'^,uQ~2N 3j w>*{>W9bV"Qk?i慘moxGh:>:s>snxe@#QOvZM=g_ӂin l8(} NPZd&ضu\)^YpKL;xR+~M!?&G{*q'T˺gu2@]23F9(m8db+Ms7elkjT _7B".xra]Bе^9]## U94t-m%g\Q EhȣcZٗVtV5b!t m8j:!,]ôMk57P5>i!R~aJEа_)B 1T9[;[VLh qEsyܘa:w;Z%aŒlX5N%!o`sd]dYq/J"9v]xYw字'Ί-Jc6CH6S ŪRd09 Z@KD Aɚ6&HmseFc CJA4ϧ:0%NDU|| VQmdr.aXp(6~6b@q. ~i>} YYl%`K#]٪3H G~}JvzMģը{BdBԘ@tF/u֣cGPQpΊHL|eGq%v(T{mz%HZdȅO/%J]DkIjςO>L8 ȄM(-/ =${x_6 |dn N a.9K;Q/_H`&rŒ6EyNY_o?M=0Qیqp5aJPKF/Ά^,gZXx7 mݐ 1e3;;bHCH)-! _-U"%>|ߏYu43PeL4Y&AK`EǼXh ;$r|=D/N1:5h,wu^z)3Kj\2B!'$qO{M|O;L\K b% zwިNڮgNA4Y#A>hC2nOs LѸ\dStS 5MP"ytM0'VbͿ;oCPiŗjCdu^u#Eq=.>cU +;+*A(/OlfWv'=0|ˍYh7tDC >H1$-`IzGBJ%A'po?jR&qRl@W=4xn-5BmrBdا+qݶS!_A a b>s[jwux<ò94Ix+(| jJETW73wẐ"/dyГv' :W}ez ٙYC6X49 lIkv@Î*Fܪ/X pܚ+67HE$'sjK4[l?S$? >Sg2 ؽDvf[#Dm*|51!KMUpw]Xi}792w;M'A!K>͊ [roRlι#/AV;2Do0;Cߖ1ډ|LSВ /K^ wws:gv}Q#~Hi#.X6ߩ4^*ޛmBNW SfJ$vቶG67Ne:8* P:$2_f1tO6˻ x'd ߐ]0fniR9b1""͟o1׽sOH4Nh4rκHN-eGTviՀ43Zd Q,FD _Vq MˤpVKM{/hĆλI4G zN$(H:r^-*8bڃ6L f U]K/y*CS2PU @JAp=5pv&Mf&+u)NǮOrZLlLDpMώ=wwb0|xkx֑D8HTĝ33of5t?~*BoX G] -c2]Ҁ_ Ҁ إN-%jJj /B2m8ϐ;kCޓ'(hY!GkŅی+b]~Y ,D~:?ħsߟjم3鯠ioEnG#uL.0Z R?tGVߝv)$àXUIHw^מ"RUy/Mn[1F3k8^o)s;bYE>aL}ACq19uQLg=Ep5kD;q!kγM0Ǩ{𾧍d-Ľѡ>Yġ3;b,^Un ü[a9I g҄3Cu$lr".)&w\T]jvk2H+?bmwYs)!h kO^1 YZ