samba-dsdb-modules-4.15.13+git.591.ab36624310c-150400.3.19.1 >  A cnSp9|k 0Pmױg E8óX>k<&xge޹V  _Ji>5;?kJQ,V-s 8AfEk`+}]ዋepҢ/(-W[R,;ĕT\*f\3ZEH.tfQ KH4`} Psm9U&Lc#->99?|nj PMhgn5e5125443683bdc1fc611094317ee927aec9303128cacf6133a4adc92015359120af4528f59570695713f6ba2c5d3295a59e5f87TcnSp9|!Ki) 9[Ħ(foh_qt,+ A˻V:״jyu}JMFHd#pA?d1 ? Q 7NT[-x- - ,- - M- |-0--,-zz)z(*8*9.:@P>S@SFSGS-HT-IUH-XUxYU\U-]V-^YIbY_cZdZeZfZlZuZ-v[X-wt$-xt-yuzTdhnCsamba-dsdb-modules4.15.13+git.591.ab36624310c150400.3.19.1Samba LDB modulesThis package contains plugins which add Active Directory features to the LDB library.clsheep06?pSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Productivity/Networking/Sambahttps://www.samba.org/linuxx86_64rm -f /usr/lib64/ldb/samba ln -sf /usr/lib64/samba/ldb /usr/lib64/ldb2/modules/ldb/samba /sbin/ldconfigX7Hxx(h H(HX(x(((xH@((H88(8I(XHYH(((8(HG(cliclicliclicliclicliclicliclicliclicliclicliclicliclicliclicliclicliclicliclicliclicliclicliclicliclicliclicliclicliclicliclicliclicli388998a5819edfb1be39ea72f0b4a2ac566d7f74a3eaef00e954609a8eb7c5528f1c27f7d33a5dff3ed4eb5e20393992f546a731eeb5975aa46d86dfab4640463dc0088944baef6fa981068ba48a40bac1dbe5fa4db29e933cacb2f673060ab1ead2c04d1c19f8da9289d1823eff210a11f1a5431b6e02c767e6201eb0a4feaeba84c748662c3599694a6e7d0f1584034ff7dd0ba8f5f886c2d7954b2124b2a0f102d71f1efd389b72907daf62096741019ae704b207e63daaa8d761078eb2f4c9799a297c729cd3f84eb859921bb88d2bc8867b8d6268caf6a6e905bbdea41d98a38f30185288c5ae354aef7cc2fc24da505582d5a1cf4574f6dde7fa78517baecf50c01cdcd95d11c41121e4a8facbf1f9d1301c8181ddb90d53f1c28c3d2dc0e4802a07dd559bfd14b02c265e647f9aec8a3b10cecf72ed56075dacc457854476f79bce992bc7b96de53ad5b883fa62ee72d72b0cada600ac660753f82200b624f4be3035a632c47eaf9ff56fbb5fbe65951eb6c5ff89801b8c7945db76ee6c9797e4d3a40dfce5698f95f02d2f265c53a1388a007c1fbbcecd99ea8dc6fa0c3f7372edf5634556fbdd9cc39d593400d8f86d79c869ff94850a0394f34c838477b1bb9d8ca21f2c75c2003135e00314b2f17408ef98708bbb10f1c6fb740e96a0edeee9af88f2bdfeb11761
975e3b3c041f764b5294fe82c24701cf46a38ffc40464db4a09e1c718efac4b0f61d1d3e89021695a34b97ab5a561448f8834ed3b69be52a2803ce11cad508c892a15d4bbad48e0f130e4d3429bab8c3faf3b9a23a087a2437360fd8bd7d268dabfe6df0f8b02fe97386f03917a7330269d386c503c11af88b79d430119f93be28f9b4b1def1c9bf19ad578d610f8e50816031f1a56e95f8e8017a0852f7a673cc2bb6692a991222d6ce7bfa0fe8c4995aeedfd4ef544bae27cb17f817b4af4edf97a413e20392df3a431a4e28def361512f9afbe0c4f815d9b1584e9e1d1ba91cc85e268bb274f4f1eacd23497a19662667681764f578d7020aa83c492edda84122fb17e0d2d72c2e593b2e8b8ff8ce14eb6c586adf2e7bb0feb23b195a6dc0c58c002f75618dc7b290bdfcf0ba681b3b99d83db2e3ed9544655871d84ca32dd62c6df54d6a3ee092a79951bf056bf0653021d1c7f3e484951ce879335272aaae14bd0a82a29e8b0d1fee714dc842c3a62cb05ed050353f1635717cd8f995f01034606092d999f67694efcbaa400f4c732ba5d7806858d05312a809887d33781c79300286ebfa7cf6be28b4308fe552bda741616a8b5a8ace016d4d6961bc57d5f94811cec5954a822e106977c48002ca0171c855e7b368a29c9a27e9da5194983d309a8e49c9b2db42117bd4c3d329a163f03d55e84197a29f72351c839ff277110461b61c85bd75c379a8c37ff2165e55278e483d557110c921b500f071c4dcb25b4655b2ba23fd7b4772322127e28770dda2b194d17ba67f1fe370dd1b64a5be62eb59b35ad3952fd915b6661ab9b0b7b246719e99cf9cc241d7a0933488c6677ea70d6716f8a82184be9d831ff50d5af3d19e6334f87a6bb62e0d202349586581e88e9a20828644afe248d541991cc7f0e6f7747e547105f3cd27f87e1586346e5f72e106c6ad9090f42315630761f877e4c1d9916458604413d08aafee206a62d9bb60bf9031cec5c06061cd7765008a79c4a19fd4fac7e1e4c4a509b7f91298ec0d35d69297aa8506b6a871f8fbd7ced3063d95dcf6962e5efff00c75563178484bdf57550ed38b0d8b79acbf8376e426d1cb25df93971ecc0e183d0bf11e5d9f33dfa5b0cf7ce50ebbc48751704aaf0030711912da631c8f17e402f5dfb9148b4f93780f50227f9276e7a3110928639e9ee5ec547c1855c3053458020f546d2976c5073c04eeddbe0374c539ac4b88d7ff27a3da7ec6bfd5227682f400b88649b9dbd4927f1d2a9051f2c141862ad0f33e5bd07674a1239b9bfacf826c8c463da39a2f454e78c7e843f8152c1f3507rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootro
otrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.15.13+git.591.ab36624310c-150400.3.19.1.src.rpmsamba-dsdb-modulessamba-dsdb-modules(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/sbin/ldconfig/sbin/ldconfig/sbin/ldconfiglibMESSAGING-samba4.so()(64bit)libMESSAGING-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libauthkrb5-samba4.so()(64bit)libauthkrb5-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.7)(64bit)libcli-cldap-samba4.so()(64bit)libcli-cldap-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libcli-ldap-common-samba4.so()(64bit)libcli-ldap-common-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libcliauth-samba4.so()(64bit)libcliauth-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libcom_err.so.2()(64bit)libcommon-auth-samba4.so()(64bit)libcommon-auth-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libcrypt.so.1()(64bit)libcrypt.so.1(XCRYPT_2.0)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libdcerpc-binding.so.0()(64bit)libdcerpc-binding.so.0(DCERPC_BINDING_0.0.1)(64bit)libdsdb-module-samba4.so()(64bit)libdsdb-module-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libevents-samba4.so()(64bit)libevents-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64
)(64bit)libflag-mapping-samba4.so()(64bit)libflag-mapping-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libgenrand-samba4.so()(64bit)libgenrand-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libgnutls.so.30()(64bit)libgnutls.so.30(GNUTLS_3_4)(64bit)libgpgme.so.11()(64bit)libgpgme.so.11(GPGME_1.0)(64bit)libgpgme.so.11(GPGME_1.1)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libkrb5samba-samba4.so()(64bit)libkrb5samba-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libldb.so.2()(64bit)libldb.so.2(LDB_0.9.10)(64bit)libldb.so.2(LDB_0.9.12)(64bit)libldb.so.2(LDB_0.9.15)(64bit)libldb.so.2(LDB_0.9.16)(64bit)libldb.so.2(LDB_0.9.19)(64bit)libldb.so.2(LDB_0.9.22)(64bit)libldb.so.2(LDB_0.9.23)(64bit)libldb.so.2(LDB_0.9.24)(64bit)libldb.so.2(LDB_1.1.0)(64bit)libldb.so.2(LDB_1.1.2)(64bit)libldb.so.2(LDB_1.1.30)(64bit)libldb.so.2(LDB_1.1.6)(64bit)libldb.so.2(LDB_1.2.0)(64bit)libldb.so.2(LDB_1.2.2)(64bit)libldb.so.2(LDB_2.0.5)(64bit)libldb.so.2(LDB_2.4.4)(64bit)libldb2libldbsamba-samba4.so()(64bit)libldbsamba-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libndr-samba-samba4.so()(64bit)libndr-samba-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libndr-samba4.so()(64bit)libndr-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libndr.so.2()(64bit)libndr.so.2(NDR_0.0.1)(64bit)libndr.so.2(NDR_0.0.4)(64bit)libndr.so.2(NDR_0.0.8)(64bit)libndr.so.2(NDR_0.2.0)(64bit)libnetif-samba4.so()(64bit)libnetif-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libsamba-credentials.so.1()(64bit)libsamba-credentials.so.1(SAMBA_CREDENTIALS_1.0.0)(64bit)libsamba-debug-sa
mba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamdb-common-samba4.so()(64bit)libsamdb-common-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libsamdb.so.0()(64bit)libsamdb.so.0(SAMDB_0.0.1)(64bit)libsecrets3-samba4.so()(64bit)libsecrets3-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libsmbpasswdparser-samba4.so()(64bit)libsmbpasswdparser-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtdb.so.1(TDB_1.3.14)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.15.13_GIT.591.AB36624310C150400.3.19.1_SUSE_OS15.0_X86_64)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-ldb-ldap2.4.33.0.4-14.6.0-14.0-15.2-14.15.13+git.591.ab36624310c4.14.3cS@ccR@cctc5cM@b@b@b@ba@bascabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabr
ero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnop
ower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@s
use.comlmuelle@suse.com- CVE-2022-38023 Additional patches for the PDC role's netlogon server; (bso#15240); (bsc#1206504);- CVE-2021-20251: samba: Bad password count not incremented atomically; (bso#14611); (bsc#1206546).- Update to 4.15.13 * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); (bsc#1205385); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); (bsc#1205386); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); (bsc#1206504); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exists- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). 
* assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742: SMB1 code does not correctly verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). 
- CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742: SMB1 code does not correctly verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to 
require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when 
overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). 
* CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; (bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existence of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer dereference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but gets it indirectly anyway).- Reorganize libs packages. 
Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status 
-P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do sufficient access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; 
(bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. 
* The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() 
function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571); - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). 
- Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; 
(bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning 
duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + 
Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: 
NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159) + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicious SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existent paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). 
+ libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). 
+ docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samba 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). 
- Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). 
+ CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). 
- Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by 
default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD database format - BIND9_FLATFILE deprecated - default process model changed to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). 
+ Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). 
+ ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL dereference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). 
+ winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). 
+ s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). 
* ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. 
+ sambaundoguididx: Use the right escaped or unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hiccup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implementation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. 
Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + 
s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). 
+ s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles; (bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syncpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initialization; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares' paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup 
AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; 
(bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was 
previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; 
(bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bso#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: 'winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries; (bso#13478). 
+ krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove unused functions from old client code; (bso#13411). + printing: Return the same error code as Windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessible; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). 
+ s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; 
(bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); 
+ CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. 
dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when 
processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). 
- Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + 
vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. 
+ The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code paths don't enforce SMB signing when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 DFS redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawei storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after-free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). 
+ CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samba-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). 
+ smbclient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrect return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). 
+ Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). 
+ lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). 
+ vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). 
+ Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). 
+ s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP connections vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DoS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory in DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. 
+ Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). 
+ Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). 
+ Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). 
+ param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). 
+ Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). 
+ Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). 
+ s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). 
+ Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). 
+ idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. 
+ s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). 
+ waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). 
+ brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). 
+ printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). 
+ dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision with already defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). 
+ vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - loosen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. 
+ dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). 
+ winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snapshots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). 
+ Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). 
+ registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh/sbin/ldconfigsheep06 1673948326  !"#$%&'()*+,-4.15.13+git.591.ab36624310c-150400.3.19.14.15.13+git.591.ab36624310c-150400.3.19.1acl.soaclread.soanr.soaudit_log.socount_attrs.sodescriptor.sodirsync.sodns_notify.sodsdb_notification.soencrypted_secrets.soextended_dn_in.soextended_dn_out.soextended_dn_store.sogroup_audit_log.soinstancetype.solazy_commit.solinked_attributes.sonew_partition.soobjectclass.soobjectclass_attrs.soobjectguid.sooperational.sopaged_results.sopartition.sopassword_hash.soranged_results.sorepl_meta_data.soresolve_oids.sorootdse.sosamba3sam.sosamba3sid.sosamba_dsdb.sosamba_secrets.sosamldb.soschema_data.soschema_load.sosecrets_tdb_sync.soshow_deleted.sosubtree_delete.sosubtree_rename.sotombstone_reanimate.sounique_object_sids.soupdate_keytab.sovlv.sowins_ldb.so/usr/lib64/samba/ldb/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:27433/SUSE_SLE-15-SP4_Update/d131a1ece5f5f825caaa77fdc3bce37d-samba.SUSE_SLE-15-SP4_Updatecpioxz5x86_64-suse-linux  !"#$%&'()*+,ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=2e6d30fafc0ec3c952a59ec387fc8d0a0113de8f, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e924ea528e5a8b3a1dff9ee0d86ad624307bf757, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=7e2f2b2aae6612a949c586dd06a7747ffda9c01a, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8e659a383f6d02953a24692f4e76e2f586db0a91, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=7e528593a0d640b8224aeae1b45ec43d1f4d7b0f, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically 
linked, BuildID[sha1]=6e753fab817f0d3236649c22ba7d1b529e19552e, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=5d82f8c9a24cd937c0ced1bacb060a934e76e668, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=f32b9e42301a277a36db57dac8ef81c795fb7500, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0809a1f32ab9b0407ab04149c87b09730195dc9d, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=04cb0bde96226da7e01bfd3d3bbb90b976ac1bee, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=37b7fbbf11518c283989c9d65adf912d27c31539, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=a7b5bebed50fefa8907ae9cfb9c589e89294038a, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=d86a08b080b285f90ec40db2d2fe4f842f9816dc, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0e788fa2b410b2a35dc5ee572c8162fe82dafc4c, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=6771bda7f29b77c6f294a7cd2629afffd81938bd, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=7cdfdc877cdb3569883ee6bc617652de1514c1e5, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0feef3ce84ce96164897c98a430c283119a08369, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=742c97203076e9e8d78fb86de995629dda57dcdb, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=5e7d1729ad519643fb3d2aff2920057ae4d7c482, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, 
BuildID[sha1]=0bd96018a578c6e69a9b774e00e3d7440aa37a37, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=1848d9264a3aef094e9e225f110a0e29d071b093, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=612f302b650261b16f225bc53282befd328cdf32, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=2897cad84cdd4e9b41d89c798073aaa267863f1e, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=05d5541838783683987b2dbb71f8f3808e893c78, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0a1b3d0d1d25de959a6ac972a9f3483a3ac11bd2, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8465bf1d6cb32f8ae79c65357822c545e66b264b, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=bfc2dbd2ed5479e297ab74dc62ecff29a468c8ed, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=a1d94c6e1a1207ce30fe9d95eb0af5fbb095b9e7, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=ae39d91cfff58b331c8479c4118b258bed5d32cc, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=7b2186580b5769fe05fd6eee17a9a7914dca6c3b, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3986cfcc6b805466da8c520b65441bb6b883f1fb, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=da6abe28691d182fe076bc060a9c61c60a2fe1cb, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=01ce8400e23eab844b3e3e0b222e4c5e46daba43, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, 
BuildID[sha1]=97d3aa7489513cca5ccd2bf0082ddeb7b1a5806a, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=e01431cce803f57c9792f2d294080246339a81e2, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=6a991207114f30af8236ea961f810d5cacc2351b, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=43c03af40ad48d878f9dfa50e44fbfa2dcab0643, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=015bd378aedf3b889bb643c7c11641433e049aef, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=1113bba4b87058fe99ac3c289e21e5a7bc0e711d, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8e71776a9cee68e2c065a2a561b2130c61be5605, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=b29788babe2f792306cb502df2064c45035ffe75, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=df1a3f474f1cc247bd249f187beae24c5eff2dd5, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=704902e5dc3df6bef0febb4052a10e08487429d4, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=242c92e76d810ee19b0f32fd205d826fc7e67013, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=33e64f565f44947fcd74d2cd7817493793348baf, stripped9Gev+FQZs4?hu->KVat   : ) . 
#  R_R.RYRRaRiR R R RURHRR,R2R0RBRR^R-RGR`RTRRARXR+RhR/RR[RHRYR_RaRiR R R RURRBR3R8R9R2R0RRZRGR`RARXR^RTRhR/RRBRiR_R9R0R2R R R R^RARhR/RR]RR_RYR[RHRIRWRRiR R R RURR2R0RR\RTR^RGRZRRVRXRRhR/RRYRkRiRmR2R0R R R RURXRTRjRlRhR/RRBR_RiRaRIRHR R R RR[RUR1R7R?R2R0RGRRZR^R`RARTRhR/RRDR_R%RRiR R R RURHRaR8R2R0RBRRGR`RARCR^RTR$RhR/RRYRKRpRRrRWRRiR R R RURFR2R0RRBRRRERGRRoRXRVRARTRqRhR/RR_RaRRiR R R R2R0RR`R^RhR/RRORHR'RRiR R R RQR_RDR2R0RR^RPRGRCRNRhR/R&RRBRaR R R RiRR9R6R2R3R0RR`RARhR/RRBR_RHRiRaRR R R R9R2R0RGRR^R`RARhR/RRBR[R_RiRRaR R R R6R2R3R0RR^RZR`RARhR/RR]R_RRYR[RRiR R R RURaRR2R0RR\RTR`R^RZRRXRRhR/RRaRR R R R2R0RR`R/RRR R R R2R0RR/RR%R_RHRBRiRRaR R R R=R5R2R0RURRGR`RAR^RTR$RhR/RR R RiRaR2R0RUR`RTRhR/RRRiR_RaR R R R2R3R0RBRR^R`RARhR/RRRiR_R R R R R2R3R0RBRR^RARhR/RRaRHRiRR R R R?R0R2RGRR`RhR/RRDRRHR[RWR R R RURiR_RaR2R0RBRR`R^RGRZRCRTRARVRhR/RRIRHR R R RiR2R5R0RGRhR/RRkRORRYRiR R R R RURnRmR_RBR>R5R4ReIfKutf-861b25830ee76341eb685b6e5f65211268b315442b22301b31d9cf7861b5dafd8?7zXZ !t/] crv9wjLU=4mYjxuf'w{-j$_}cohXrjE4Ex~{ʉ}n*0-A9?B-7FKOO2xe@lE <\;t#ތ׭$I~5:}iRVk.ϖI(e=~߃9-:J#buQHihC[4Z: ;#=C*'oi)N]?-`am'\gm`ZQb>?鶔UWN0t#QyH% .Pa.ezR$ D+e}w\B` 54 5(Ͱ.uC uV-`j#`_2TL&Cjj< Twuo~W].P,v.g&٤eϼДx4-fJ6+*]v`WwɗX{UqhEd+* Νnr͋X-3jIi`}Q|0լT֏GYT&j\^M͙ 2~n.aa`gk%HNpL Oyn Ċ{(L=Z-+vBtr+E߬ٗ%?֚rw'.]Oӯ9Cve@A۞0f to{0o~Ycwi ,L>.c(7W( bx6/FQV $"k`̮Ű]!D_֊=-ʪ⣲9pi"`*[tׁaX&VeAr`*?W;~͂<O6yR15KJQm⶘p"-y󣊓;ZYsi0<8 nqf!Om=I]8 mC0SHp9+>R.%Z)Ub2 ]n* B:Ea SfK3LXpäQa|%}S6.2 6q'_j| RNAAD:S0Ҏ˵cPWocZ*"& Eb[*$:pC̯Rzuu骣NwU.QgoXe3!hu$w5tDGY)qERT*βO~wΐnQvE ӦDXA'rnYX!- [#`}HO g!o4d̾?@󆼖-ŵ Z}-@jGLEs t2+^chzd*~Q8CP d/?) 
ע2#STB3+"20 ?CYZѪ-֚8?h0~~!ٿqQ{r^wx]z- t#ذDCW)M-mV]XhD̸q"1<.)[+iIG-V?1O7 "KF(Ew-Cg;xV V)-yuSyEb!W6$^QFQ&Ikдfʵ{fc6׺Y9{ޣi+ޝٽr/àjiC+(=v`('ɾBHg]cA8˒Hךvv1OpּraI%Èm|ᡄ4DŜ$y~sاVbrI1Pz$GSH";7Mtq z;Ʒ+wW+U7E"n}NkH rhVE߭y#}tX1L&6b:&4pƿ%BXGMx9\^"[:O_Ou0D;g< ,zaq6 ˜+kēex|4 [`e*7Yzm}(@|(4fŜ èKp/x]_Sf)UթG?jj{us#+Ӈ ޼{C(AdIg ThB`cqi:e~8i_- 7xI 7_fş0+1Stx4U{ WVPZeE@pWu@dt7-f߻RmB{UMI0Ԯ_m4PBgҾ}jflZΌ\#LBOVnФFǿ,o\F1vX͍> bVw `'D+;~bz`.4lՇ˶ZB)p7gb2-)hSR_iI̠lo\єȋP6i _6#5uH0e,,LKZC h=#kZ(sU;5y)vwɤ_IUA/^5j9z:,o iJݴ)KǗ8,rV!*A/~VqYRxlz9"Ģ;ԟ͹6GM~n|Ʋ~^= V__sҚ=s5P(u>]iZ%&*=|XEX[A:}rECt8#aBr\էK hfanzC Y]#G#6km 0t7^!* J+wVUzm>fK]f 5v"Xϳ(?3 h9Z1$:6UڜLXz?FFpU3j;?)GonɞYo'lѣfҫӮS n{\A Ԙ@#8V zԓRRǽsXW3I* -Q?ֈ|h[:A/4TA+%\ʷ`# Y];z?$JѠIF&es^ 7p8)8Nl@vFxQ5r'te,'gkK}.V^P P+b&"Nhh$&G_ #d;7%0c SU>te ]GIm DwXl7&2%4KDyJQB;74J #LxI#((&@x63qG9aYxQ Ax^mu͹j4(#h!6 .Km?^j2adۓe\0 F~I`AjJR< +bI#m)x&;ݐrenܝy{sˀ\PQ1mf;&P;\$|y)mu#+Ne"V Y$CV4/g&ee^sl% ⬹{2⨻],w?BUKDJ+uZJL zX1N*Έqg1fÆOMkwxn*(s]AWna&i**ZQJ.c,j*qI_6V܃TBLU1#==~ ^q:O2(cxWQ|0Co9~s.Ghf;RO#s(zpDŧ*V,P;"0z !Y ~#mL}b- ^4ꑧZ7[DV~2ވ -6) mgֲ.UU֪(\(hvr]c/l9m譽aOꕨFJ ;DԲ#^LBՆv謖͂MɆ\`ӑ~-*"? 
gߐoa1Y'M~gs-eB ZA>be /"]Wȍ^9RjBS/H%("vb_lra"Jfcǁ .v\Jl]>N.MYp{IpDDTӡN v$!6ӿWprhb-#0MH??j'R 6,c-+Q L %1m E#E#=K<4Ӳ}-U zr_hH2K})+8vQdcQEZ6Q59XdŅ;t:mn-vs=bυ퇙Züǂt\e&asC6~Ib$lVlaUJk$H @j VRx!/ѯNWu٘P~AnXfm=Y} _Z | 0br2 p6|EĔVmyCVtީ7J {Ma21D )K[i3z(o;3|)_# \r R6etP( ݽ4dwH:<]Ph<8{py?HƠ C¶-g`2ģ?:~Y-XwE}(."w-"V}I"V\aM Ȏp).{sWV--nuR18.Aو~!q߯%R2M XV c6G̎!;c#U7$e'jvUy+b9ݜDvyHg!k &ML_7!)npʌcT[Ξ{~Tlh=ʳw_ځMz'XƼGYvЏ6tߗE{2bY1ãGk%D+r狜W-vuKY3YHRj)0fq-D{4~ Ŝ[/j6WRp@f)ar`ډRe ` qԾzcj6zrhބ>Rسb'z=W 7!J=mVhcq{Fs;Yj dSIƢ7,v/Ʃ;rWd1Mhth"[=nrp`7b#Ecڐ]5)&;Xᬹ9,'+RU `6ڶ Ivm҈G+&Ѐ&d[]̤ aI:B!BfMBUx1гmBQK)Z1n a-{LgE'Qbe%ܕdvTB?7_v %G@ƽ6DKLAp :iߤSSAd\]\,'glEP4+Ȑ}oxX$Tc5GgDfT [kXZ'$ah9 S{x=JFy\GhSZX2bT8)`|p[in YaVuj,~qW$ Zgl ΘH:FɄr4el(Ok_t!oo?Cx6?.TuY~/gX^p֣'RǮ)('WdH1)#6,L|O|V&M7&msfcVKl$֯8i, Žp>"8)k4&uog ;oRM5Y+@4ӵ\;U ;A$?F ݹAg$'?OpԼd6*)gx|^%J_dMS2K'6:JZ:D j /Ȓٗ|ző)C5L=Ji(iU0ֆ>tm56%񱶵l!ٱV8\܌Cty$k']h>+a5# C7auH[b,Ka؍'^FSܫ~Z-_s H-[_.Vz"R S֙06uT{nJ Cq@|#*b=I\110T6[apX g!l"GG278fA0!x|+FeYg7_ jL!p rgkV eҬ Mc]GnX\S?^َd-1Ioa6ԙuA&dsҖ66]WAi#BaPgW]3 ylaDAWl.х,٪܇Su_w)q %@AJӡ R GN|b:}}9yXTńKBH8ucwcRv9D}ߨ9gfY죑 ̓뱢Fb/6r#99hPoſtВb—뽵8sGH9(SQ*꿤!Q :҉k?/*#}qb4U:i&@SqH{轭Γx9_u]LҾD8CVc7 ڊ;&:e˪or)Wy۬0ztQS,49zRAMszj gvfȢt{ņC~Q=NtQ R8Bk צ4w^1+.% ,;b6 B@YHk$OOTDt><X{G0&RlAK-3p)B-qC].fs!uto |r53ZEWv+i؋@%>#-SmPFNDoԫ H<}czNڔ?Emc[J|_C^s([`,%\韮5Q}5cC[+ڕ9&_=Rq_Sېz BЂ;…% dAYuq98#.jb$L4 Pe%A5NU!0L,ix6s? |>qZ'RRY( [  t^XGcyo;d^ӕu  q*Fi'Ɠ1C|3X=nlW"$ν!/{DWaI!9IB9QADH\nzb4\=bGfx"V04nsSN=wdק4YHI=n{}&;-' GQV7[]#\k;r?68szl)ex njao~I LAM`_zBl(;cXk2GTWN'\ܔ<s=g&}{I;ѭ7<_U5۝dNaui\ɷO3M{Qy_ҿ>q}&"/Π?"&+iv;Μ+ƜZ%#Je6,uH%]cfM`N:!.bal$ 9"xIKXJdB#M,K9CO"' n!nI2# NNYR~9fr{W!i@siKM6̅I[|a ,q? 
8vV[qb4'}i&~M]ǹ\pk-J}_NXH,a+Z^TMvC&K[*CCo$c[W0zQ6yZZ]ĬeX|Tv%l5%9:*rQzFݹb#_E fWVR,j&rVh%^ʞQOZIHG3E:`wE[M XZ'LCc7n죋$Z~I^]=31MQ:P./7Dkݶ>Sh2ξH T=ߊ9a:oJ`S&hީ 0&)"0E`նnNz8jd 'AV`;(4҆KIJ.)sIYG<4rv{_>ec-q1߬l074u>Ts9RMxۆYį]+%K 0ja[69z.FShr:'㛼 \oNp / t{I,zT>B+S1#芷'9э`F٫~y=^#(뮬W]M(>!\WMg̪>ӄayHVbeɄh*Xr+H8GG3N,@Cye!"MYl)߆'tl#pp@HI7hDyi%R\'a@x\|aM+'dL58]\uDT  b%&mLrmKt sIr?xԅ :L tEpJ+Lt_oLj?zշ#34@K>'+OxYsA4N,œOcp: !^pXдqGSػat<8x1#srJF1iEq+57yʯ ŷw>Oa>vqWPCϤk-uStsr qG{ y9P)T'g=["\֍l7jY\#zԮ尰KGs˸ y9mi]PF@ $NvN*ר=ԊOtlcGsptNR)|Z6+ o֤U {~:2`w yv Si2Q[W9dƤ] $rn|̘TV~j>] Vʨ:d[b'̄(j>tHP 2]%|48Z yڥ}v~5*BTn'YTjYƝzrns`!3ehYVsإ pm5?/xci84YƑ'MSDL6 \o.ug5zP<K0HNoފlnV[G4<g%XydU=U6"1p._NʡՄDY]*3iO$Ҥ)ז6+ds&RsBU kSD+)GM8*;B:Տr٩WIahր0>f[SF|3=4)c~xƴ6/uU)or1ζzc?c R?Mm;|G\YUs\Eȷf&+–MHm+@C *`(|)IoLI4H--@K({;kW$j׿N ߬꘥k]1l*ɒ 1w&Cj,?NJp'qqR5p6sJAEp؏"R}Bϧyd ˅%-!PQqA7e9F3iVrc/7@]c̏ X QEtɧv8)Ӕwu"scÉF33/&cWhl/(j_"y*`(X !j⻮)tH؏\gVQ8@w87r*0sA5Π "#tC#˓Dauq=9wmMyl ܖj*3'w]Kz4٭ꛌo]߾2LR\OS=BR4!7WA7fOtΒ!4ފi>ye^;&msbzLP?1Jp8| fa&7 U@E ybU@㯬Jc3>j`M]-3:Q.yxpFrZzt`q f}r1z?y(sٌC0fh2M'Ue"xI'||4BO{V@{UʘNϪΜ7:S>;݄d=sgLlLJa_3 , E$<]|R*^ U\*q^ŵ6 WC 櫥686bYp4ꡒJW$WsR eE_?|KcF90T9|]e&@g'j5,uEcw5-I^hXbDZcS2.jU[K cuCG frG7+Wb Q$97l@⃦4ծ.=-KN ~ ),xv[rT@ ~m'&p,7t} T<7/ 4\K@f`;TgQ{e[JbO Y nB| n#"P/ 2+)k5 AaWX8"X˲V04:")&uhB J #I-j>9ym.@t䂅 {]1u+.kϔv?`{}TSgv[L0`#4̞p?Qj(IaUTO\^i?,pl`fk{(.=Y<#Tc;O̺w*=dUyrՑ!Jtk KI_*A^NCsy{AULsSE{}|eם)cӕ`>]nHWǡRXaY(Քh-`z|C)=J1ʩ{Q>> ǽH7w,%YAbq^t6C7yNKWO%Sr%u P̙Q-3l/Џb|u(N&¶78=cuAiv6dީw'½ռqsDgY˶!aȐɁ~G+_;>R%0+Tu؁ġ{ ZXٶ,Dp3Q*tnvYuJ` IlZ`m/]1| < ++75qb4Py'5;VWǾÕ sf*0$aVuav 1SN{MɁl#CIbY^pE5rIߤҤJ-F)J?eF6@ڵqf3!gیreE <pwr[S0R0L +wN:lƋmTFZ8}8U]& ձFR-It[<3]B 6̌TRuKRMyN(Lc ]""(Gփ4o,'阪s#ΰ1A|`bi/cFOrON ġ2Hliqk&Hs :OraAmP7[lAp\Woq02J}Ju$9Z5n" $m} 9#‘4/t"%'pR`6XXb,_yeG3zTtr:Lڄpz%+< !E7|fzꕣۼgރԥ"ĩFusfay:jW /CP]^F\+=${[Y%(s#TKs䑾'MeCM/$VuFH( _ rݔZCk8EotƝՐAa>L(XRIC \!|̀JLPg铰(|.`xSхcHQy{S̀/dp&f.[$yNi%fP_:sQ. 
:TMY4m eIRs ]@&TSpK=فe{,<r~ 5@S p'Us~}Y*Ph~.'I Vޚڤl>J {yAF!![5;Vv$ p݊4r]|mia }ӼKżII*ؾըD4ՁG \(.m2ѣ5TT!iX)i #bMY*/~ u~W.w,()K-^Ԁ*|d=`1_K٩wܮ'ohl,oxE"bg]!9cx/ͺZ*vn,sT&:>:)t']Kǰz' RƖ~{ f=c Y2B%G39x}}f1g{IdUonA-&ʇ+=g'f#  p4&Y_,!AFeX-hOg$w[I*UdLbsk:Lծ|ΧyLuB# 5`v K H =I '.vp %H[ PfzxVi8BEsˊ^=#'^˄~& !p1|''8(:K@g3U`a)}XSaW Xz}.B8}wM J]<쭂r*@j+G/q.@w05CKV9RzEĘc*6K1iՃ;Ojtp7&ks6]ߓ)'@G"*~?߫I.U~&tݢF^^&c`_,rǚn=2OiF9@fD%^(#q{c/HGn Nbe@w<-0g8('o{6DHА4ҵ|9:%H $Y_]4Og>=m_q˺xat;)@:+6P=>4h_6Z= CjV9Zq{5f2| GwKT%LnT5*[=Į qkD^`~JE&Mcxh[-V?0UEh[4qKC([ 8@x2 ?OQ |<؞)Wo<+%¡((ND6?DϹp&(BҚh6vڧbVH]w6pE[)&g@/E% Y4,"uoȅA5DǗGjzl$IUFj^  5f_ngBh0}#&Ne[w}_$$n80k:W <{,̺D(l?o D_@ObXKE]FIH˴B fց1C% 1D[?8/aQ)>>/&L@b(kW\&%xZ2gSaWɦ`˥)9Gf ΃Up G*[Q=>*(csj=#,L*/,Z0|Q+BlLA^^/s[ rF"ɱ<+K,R]9&280&iYńHue~𒮮zBHrܑܢ&`a"QHeX~ՓRcP@k8he.(7 Iw KŐSg#50C>Ӳ.gFLp^@W"þv`/>yI`;PוI?KݿLeOH}U m }WgSZsnF:1Yǩ`Vy`|@<%,xWS/K'A!Lm䭋J6progx)+%+gBJͽ]1^߇A,/lPuC$/M,k.pWNWm|-Ko fo).=E q+p2v- j{Ƌ\pS<4X%k|.4ϒΦr-쁄)u.!)l zcw ṩ)LV|<˃l.?׬VdIa ;Q+IQaׁ/>!x1n[>4nEHEgN{5a&>2Y-YxgeZ\Kׁ= T~R;A u2)n W[磧7_)SWH&*$`i4? |p:~ͮpcBlZ4̓ d=Yn)5(*;]I!tQ{lBCW+|cahNp:a>ټX8+yD,a~"ƁB3Y( P~/ h`oВXHJ@I,\_*QJq#_l"{)w\ȓ:gbSDV\gs;6Vjk[3gzO}HCl) ̈́6(>!(*_Y,\cۊU|s'+ c%~ $y?mcTsVnX#D?;co,Rl $8 ;+;@Ǻs6ᐮ&^D!~!p(==1HFDݐhu$ۅn|ˮ:#K! 9,Zk~r?[XY=" ;qbj OR[Ѻ's:g'OW R:MS2+3G &kݟqi{ Rv$H/q-P6bwmطVqTmEZ%Λz_*ᑳM=SG6T_waNJAp%+H3 JjM`^:T,21Q *ޏ׈Zg}Y5b@.Ba[Fk~f#b(\<vνXn$aEM * ɼ;b#gɈ߮=j[";i:^i}wカzɅJ?a u_<zj+'vL1wB2S]z2Jib&4ۑ` ݴtDE/ s6SbB X?[<[ϸR۷ VTb?OIZzu %ۨ'0gHoVlG,Iu hdn-Ne`FGZ=@Kx&qԃEDHGgBnn`qd=]i8FZ$ԃ턭Ϋү4K D98*1%bυZ)CM"tH!"' WvOM6>TՑຎ1;z[)=Յ}w5AWIh0 ۾=cK8zanZW(niy"]Pw2^ ӂqŎo=8]/ B[:wy\_,,]?S+;}i1e0&X߯DK6':k3h(É .53ȶPp$gS-[ i+O# 2,ی=1n] Y~J*[K ʥ +WV><# a^, L!ƁVvU\xxJWaP*qO)}`g#3tr&^t[jG_~8.-&QuF̊*K~*ظl˅6&4b1mb })Q!2ʘi~DθdDB \@=0 4stjZ˵O7W]I'9yPWG YDX0hA5VYh/oUNJ/^mt:Ԋ얗Z^pk΄PT%(cԶwˎQA~'& gUpLBCLڑYlѪEf`mDG }"𲹂Y=fsogϝɮ';v2 !ZWhEGrwt=.2Xi(t{qS\M*-[4[K뭚!ѡ -v. 
#ibXa v#zS& f|j۵J}]&KϿfV^2@x#QT7{#[tJdI*5溎XJa0O0181 t-Oroeg)gɛF햃]?l<=Nfer"M0-WX|8g"/Zy?GSt>fUP22;]]J0f ܘD|!9 Vд+$N.tX.鬮n:b;< eh,=ƃ6!=8D—L uo蟏YNV.B,>$>ZYݽZ OIlet?& 6&Ժ196c#<2:{Na<L~:D۰< W&S)hlfLf}=FODRpX\=e-znEF_mFNס̅c|VMvԽsHn9_q}#~J RI*n2Koڲե@ TpBlD>8|M}!Z,zPc[؂I)P xD jtr6x<1W؛@&ۛ\D}7&x*qL#ҫF[c[-rqbE~F V,H\̄v$ b7 ;=\<7ړ\%$;ȳ\(ê)O5.tz!xYvn@mkFj=׌ n{QpKppėC΀@NFTd5IRN Ӿvoc'tjk<-G }fcqPP)J 8t @&nc&XThSSa{}Kgvܽh;9ڀ&;~YT/fcɬ/rdKlH\6OvoѨDmn𣐫8aR땕>ĥm-oCvO"r`pqчrPB=h#]sK2Ѧ6Ɖ̍F! q٥AaއlǛy0"y\!;rOpL&.НSzĖKM7v},tuwYC;]&d0Ilԅ.[:7;5.țf kyRv{G2XZ I9є0,mc!n1(dGwJh6*(3/%F^@~}P*;?Ko7tt0Tjb)!jsIL&M _z"][rV>w,,B >i&ᔀka0kxGͦ6X\*J}hl,I5}RˏQ݇C;yoV59r7U\gt6K8O6[ES9΃(_쪅yH?[)R{Yl\ۜk-Hi. +֝xUw%vFv189ijuc(ۻ'yv6yIlJz!Sֲg|RN9[^ WQt͹rCanh}W~nUQYd: {gһg IcEK وA+䥶 ȟ1"haa|& nUi"8n[CK0'MXX.+IeSZY-f53UyͿ(x$MO iOf Ŷ߆N4_tHw=D,MpC$oVl#2\{.z[>6ql&|2j(ٻ*R2䙦H &ivMׁNƛq0B<ėmD).;kHjeg _@r @ksze&Cr\3{p,U/8X1dzr__~& Xw%fM_er@qf 'H3%w;_`?ZyɟHY%Nc?p=GSĴ@&[bhIY]X $d`X&יECDF9=q2+

tVMj. IF3!sd%љ*~=PL6, F 1Kp%0-˪?;4V7$18U4=٧h!SKpc]f,}ﭧ;(@屇9Dd^cJoXr#ޙ"mxh>?֛`SnR\'\UV<=5ͬFpH5UO3nWJM3z3q/sy< _il@E-ۥٱOqpd "km56%NIgsd|XkJ7z!o0|kV8Kn.тL*yvb}3f vgkſz 7Ĉp$ѕPǰKgHa [[@R\0QEb6B9.Ɋ/k].6iu[#D|~}"I0@cYהW޺O6#"Sc-B0Yb@Da7rS0X4.%~b^YMҤľ bzx᎒&%Wv!~ e+; nǐjdWJa}L#p !bO ;;/gh.ZҜ G\.]^ʟ(~ ~iHƦ zHg` [<qI?zK-%"e$[G]_QezɖAP.DvHMUd{9!Ehlc?<@dC=|A_!Y04O>J\{[( SU$],t+3 bTFfrVO+`Pz{ 2, $\},6rƲ~]E*#lbåU눡ǘD>W?q>/Uى Ҽ:( )K:@T267JF03zޘ UВUc"`P"[.&gq"o2*kdկngd@8)19w;мm`pk6 $^* ;Uzzy#H# @~QۏjW&05_E9"0T-{yO5TNGoCA V.tH^]<ls6B}=i; }GV:J> ?Bd^EDl *m?Dq1m;.>54C_|!:;UQ5L k[υ+mUlLP,.R>{0z}OE1JsՆ$3V7aG|?a  ZQɞnOE}O 7i hBa8X %3tFUk>x#3̛]Fl8^W`f4a9b'>L棨s߭mz3KhF"u9aB +m䁳anvO*GfA $axYrrM? k͛f1}s(0(Рf)++\ 6-0Xh rlKYR Z J:n29ua%%ʭm]{R&XT~9ZOȣFm+/eo &#W 82K"eoFc;w&Խğ=_vD; w p{q\?Z ,՘"pxAk~V.TT s`ˏ0?QcqREk ؗH!Ua6Ȃӿ0ׇ{cڅˏS[H}n3Fn@,t%A=ˀɁKME嘰-dwh]F`s䈈]%2wD,o%O~)/4JmMf(ĭAIqMH%C_:smk)O6zKtWiU:̪?L!ѱ(ˡ`XQ&Z`iF܊NxI:r6EE 1`+?45B^?hSSODq|3Sx;X2dƕzOjlc/59M?W ?7ؙ*n\o'XG zFl=@Jf'ءhN7!ؐw;B-!up!J3iM>8I 64P[hܯhj UX*$%#VFZEnVx >FS~UyΥ0D䜶pwXyM#:PmPBrHK&S2 캓BmRdNB9;fo/ѦV76IP%h߰Yiq.?CM&IZރw¥P dtq%`H N՞]8Q0׎uOUSj0/٨ȦRiTF/ 眊%s&Nk'ZDƃ[D=}|(KڔKأ-#]q1$K,jUē+mA|!8Sd ꙕUv C /'Y~.*jdPz\?Jz8Y%B$y_rϴk ^_K965EأBmG'.>\G 'C=p^|hL0DzϿB}QctVORE F5~H|d} ŝ_~#Of>K9#5U0-RdS3|M:`7 rlNDjLOF$K^zHmƞ7ap Ÿ ׾lQH6gA6Ul$`M^c#ZHUa5M37מaGk숦.,rcǁ/_yj OQ/(;]#kл5{H5 lۥֶ̮W~W(˩ A#Em51?ITxE5TY!x`hZy:|e%~, y$ҁ.m6-[ !㈬'2yla .={6^gg`(Za#0^״&œ;5]tnLyvdv܇i@dS}:n )lIẂ/vڝW7āDA7 gWm'oj1(0.9 6_#:Ԣѝ b| iFp,,VmNYbr @Є6d;m[k wzk.KQ tKFs6IqW.IWOmTZx=oP@=07Dam,ePrEL h#SHsLi k+'䙫HolF l$U E"_.пy@L9Ӆq0/Wil6dlr0F@0-]&4BZơ(V.5^9 Cޑ9jS8J&]~MkZWm*3z:%@ 4yUl0{|s\_!cArt*$ǥ8~jqˮd6r]C2{ BKZ'+,;PC򬥵U-fAMd$bTUPb6>>*AֶG `aJxG.V2]y:807?x<^7?QPKXAWm3Nuy55VIh 1tn:!=+'B>3~#?qBMy{% W|M b[>hX5gגpl^OJbk| a |(8'ºJ@`1zR; [9J6s{pOgj5RyS  0w"W}vox]}k&ʡ}[:I 8E[{TF bH&co&%<ե\N1l13KTJ|G $9bmg_N`"{62FZ+gKxo׆0U 8ۼ94fH'&cwpÃJX%b^u=NkgN"y Ԁ^mt<%eOlzF&+jR$jNTчݣUh,9~/o\![X+Z8# *^Pl}Vll)HT',KyYsnɎW?ǽ>@83 [ oR(r- 8ŷt—[d F&H@r$ċ۳G3ͭhT/^9ERSs[(fܞ:QRtj0t_2F'wOv_AcP"i;X$F; A2PY@/(^C U`Q eWݓιç3Huc 
|;І#ř: \Qޑ BВ+*ѩ-h$tC߃ i"AA`RȪoP^uUItԗ'FW/9v$r~s0 ~)K0Cf[A .4E9Bs!xj oÝZcCt<(Ovo[C+#Dl[~AZrGp!r|Zb qY϶o٦F9 l].951ZݧFZqb#-~b)"u8y;9ca %0J:} sd5)v0~ߎ^D* ᳤>U'J-gX 쫢8>YRL<[-L5?s>MFƇo,2,}Ѣ7PVOTP,åCa0;(F\rĐC\Rȏ7.e% PnDq>6><OXgP_ i dIJ(%X8<+9YɎ2 ib daϢMqQq6jS-`@CL 8~{r\aTuLrXIZ)(>dQoJ|1rc.s!/YfQl`݋ѻcEz#.G4Oc8"7-  ؐ fAw-.>\Za&[ Bq獪C$](̽W(ETGΙWIlHOqڋHmˌ6 چW*'IV(44)z&[]ѯdz<{Bu9v"&,{W(]!1JN7 5;[g!D$`ufa)SpK9Y ^Ӭ !W75T%t)ҷx}G0o]'!t>}qLʲ{0ÉDї[L}rǪ 's. /]v< ~Xi5W8O9I5gD,5fjMmAmR}Yԯ+,H-ޣɻ5]v70FzU l줂Za{ v嘱#h) 2贇%Ndѝ?*B+wLMԆ; O0*Q7J"[_|>D/ObfӉFR;L7ВBg@flQ/.T['uE .c r'jErЯvY\'`0N1&qI|6 d"[$w[,Ey_ &{}`"͇w6:nBFzxWQ~Mįq k`^ܸsIJo/6G7db!^yzly&cZ0x8[()GB>DԑjR a!5>r!x?ϒs/n3n.PC^ϣ &O 5F VPs0m@mi6($6ےr7b=V +ݷz?kI>QU9dZig 2rhitIg]v0KT9~npZ'ϵEgS:!z'+:MQr>*=? b"FKTOމ !mKI#騼gˆhAiִy8&}1bmn2` 9ӋXmeW!ts(tD  H|֝f#P{[xSxgCQv $ fn 04|wx8croqeǫvFϡTm̌Yx\)LFkà?z~#'Zk Tir 6 V3M 6w6aBdF!y5ďF p\ ֦Ui38)jaDFO}Ɖ}lxOݕ\_/6_M 5q6S^ n\085e%c\iw 9şMc' e2.GCkAx`P/ %g}A>I4hR:=vq0`qf?lbjk }QR#*,m ,9f"$z_r8VԢaEhǗF"h"l$JaYx7#ܺ.8G։֪C؉\Hwo˙ lT E?Z2R+Y{Uk_:j{ާ_>rݳ^ePIhYrֻ>!`cKd~\.~?Ha =x),~I, !xo+nY> vCG.-LAƤ_soH')m=%bmI)c91Kqp#;^," td +uZ000Wkp,iW6۬4J[.4b՘y=$sWبdRq,5C"#8O`"|r۸zySJξ(H׶kz%C+~v6Й!J!UrMVR*]WB'mX_b3uh<M1q`ݬАSp,/"QИY%pHTL.GHI֘`l"ΖGQpPt"?ܣI.l(۸%`9Ƒc98U^F-?2,Fc1b5!Ljo7V_Î_[ 9yi.ONw5~١P^i^>V'\'ypԕnV ~ PZ @P;/1t00^R\t.ȡnRu^9IחX0,G` 8Wk42:4Kνg89V%T<=[S[ y. {c((!P=A==m[TBߖzdg! VVԕ@Td=/Do}(En0X c4 J> ڮ&Sl,0" MGv?9q$2]wXZ,PO[+ ꀬ&D\t"Ky]Xd5<g߽{&|&u?%G$@&4Gwe^tBsts墁SZ?뗊/[ڛkWcVFtmVB,~BMC? ɨ/H¸1dL6S`WTbmE*☒vgS@nK9zn)CeM֛M(.~;`j^;eiu$`fq~谢 3E Ԭ[UED9#w1s,KG|TJ7uŘw~ݒå J {⦢Mf1O80?tM0YSR{P5= TC:ޡ3;X'MuM D!㊺ZjxNiĪPژ2ij.̧ARj&ͧY SP :mn>zxv vsze5VUҘє'oo(_9sZ%H zGt)Gf'?Ji9!c|M9h=h aDD3xnl>6ئ.4Z+: (N?E['zA6 ?~bcآY^I-XHM? |r],ftaUOE8!O~1_d~۝FـDOaՅdak?=мn 5\R^ۈKr'!$'h"OA,^hS4 v'俫/=IA`ίLxŢs1Kё(}"0zƶ\Rj''x\u0\!K̘)/G!WpḌd(_]\ka6,Fa9Rg0tkBΧp'cA PZȢ[zb4usش8(y^e,} _0K~>wۜhK,aXQ0ogvQBSpfMx(&_zN96O>|n̞m 3,:c]ZSI; z9J͙X4g)y(i-o1|3}67';GWtaٙE,Mtz eƄ{/^f)o]Y9{QLhnwES{ i֞^bbD+_fSjs(kA?x+ɯTTdžŤmɈs7ȧ净mN^[,FvaH3kĨk4H _GrnXNU D77樦O3:v[$1SHZ; kv2Htu? 
.tA:kq$ĩʹPKʀ>S_. LhٱɰvuݍdXxI %t>s۳DEl~F\d l%п0Z*.=՝.ҹIe˘“U>pWB])b1+ ŐŤexTmTbNq͇YJkWp2^@p.Sݞ?D#2e׸Ϯ69=\zI{S!5Wʋ̨ZF2'X|A>  䩞UgϵCvuquv]#geWGyl1s, k/lOf!vkmA%%/ x8='5X7?Ӕ8vE@x?oF":4?SǻQm\fjN[M&BI]3zG|5SKtOТ4y1>* Ͻ`H/-S%ʛv1<3OSP%hV('_{N̾@fb ϼp ]{ lhyX|Li,2C@$'=\[Pܫhq )ΞFKE-5nNIeϘ5p3 l@=HW+'W@]re tM`o3f}Qy-(g{dyN7ټ\l{^,BFi}祂Hc|q.R]B p\:d58+BunNf-RvuPl a_hz]>g$]aGEyѿק$vg6bRBgxG1􂲬%XMpnZ D֬e0|*,>0x7>C!ֶd^y>`fTF'rSCyk8b4U;0s12P۞e+xpϣ U8V:Mߪ=;%jNw=ЗVE'O@U4߂q:`Dya5%PUpϯof `;20U㴶ɂMÞCߘ*Vjw@ᆪKX|8Vi2fgOBR5]:/m#w+W̠*(a\25@5_1e ^vp9P>OaO4%L]ŒX\SIYfQg7w5yĆl1XzTG0:zE>Mꅙ$vB@X2OU'FIxxFr`>-Gٓxwp )}' UQ}K:OfoyBȃ'CS>m\A24FL㺚&U1i9ڵs9FN u㨳 4Jǹ5[s]"-Y(9 `ã*XЙd`2#t=3$vL4vcOpXDrsdPJN9귉69K͊5`Nxc4ͮ<euҫF5Z̟9_>s U1Ξ+i2ko[n^lSAУ)@D/zD|̡bjDԍ /<};'8r~ I-14Lh[?9od55L鯴i{- +-T@t9_O5~Uh.bsR? VW nmbZ; ŏADHǁV|]sA^Yv?c14͂-Սs~c(HM!kp8wӦI t(ˎJTdC|aӮ ῷf|던 ,Kp)ģGزz`p2Ż_VIvQ:UD*LVlV~O6ׯku)tYwD4]U=KK'>!`*X!j22H%Aı 25 _$3R A\+jJܼwp@<*:ïr/):H9KCaX=>E#䚮n,J\]TgpFe)/HNS6jmAnۆIklWH&>%сK~mxfvfq02?1:YGJW8g(7 7m)KF,;?=9{3zx8yl ׼=]m9vU6|MOX~dՃ8PQre#[zʗ{' U/]Dt`xH$#=WTxgt+EC3$NA]q}J`Czh[4l`W3ׄmº{X3 b] F'HfQɓ!ӧw_#ݲ>yEX]Ghg$fm[.C#^UꙒ| !0nı Μ4_́ ѼOؚη,=".9B L^]\7{慢 ޥsv.i6SFg& ڍ/qUVXGqVDP*M2N/0am1kPa '6bV-Q'ӟFwJjsnN[8o! u)#}_H)zf #1,^:SOI셀ܬ8S=\I՛xʾ?4EöUratgP@y[`Sb^ b>3jcC\DFdȷWtO4L8J3TMqyltZ@N>SǼH D0/o4>:+'Lj}CTyk >r0Dk|Vvf9Nez%1B06b!nnN*G[B$cyTVӿ׍1ƃs8 SVӉ _S)=-ymh4Bx(?~K3.2qlm\\sΌ,ƐExT!/[1uI[U(pt/ 7[bvGrl!EXIr`(.*(va{~:f?_(aXn# ÖLoHVQ)diUھT Y`qF;:oa!u.EНS.#ZVPg&7kH+nBcC6Odrt;AޮA˃hmYUnľ. f3DiNRw\_Lu.jE̺R6M{Tlo i G/a5+"W@쯠P69SUdtۤ01gsy%Q8NYk)g,ֻV}#Fbr&\?H961YqStnM`OU. 
ftSOa5tdpt"<YF9 =F_ oRPc%mztm)@H#к\ 1<`aArz50m]SvgKC*97Nc` Wlq S ri'`T3^M72(TPغS`RPpAȵm&#F.Pm/l"J|rLD2kNٲpsL0 Z!ז\rmv?T;qḱ|CEC1g"D>nw!\DXЎcK `檢13Qfj1ibZV(s|lrבõ{Wo*P f/=H|le3 `lΡd&+ v?rO E+mnFEI52>g*@=\k7 r9MEȸ6n8ŅzzG0^r%2s;h!yYJЖ'^m7eP2SN.* Ȗ`a[b9"=c-kE_8]1.^:٧ۼNxUb뭖{Q埓wREF%WMv>ܒ뵘ß< Z&?S#T?KCԕf`_S~N^̭@E+D#dݵnG HXG'(ߗ{DG%ѽ :-xLpV|U>ӹ%qNϬ@Ҍ=@-NҺKRr.>%Į`l ^7Ń Aý!s4`sB]&V_IH{{Rs4՟ ;F2qZpM}8awR˕KD@Eg8L6\\}] م_ƓdM9̫ɚQ ֩JV28I>qݟҙt8 2XamwpΙeuv"Pomo] cE28ҍA$YF*M1o(s\L$R%b*[L3? ¼9FltQVo˼ezҰ^M(po yӷ6%I_2x>4Rs,rvp&IVS)Gqot@ cNQ'QCzVrW~ S[/V8mSTq}XSXZ ^ خUhyR̫ٝzͅ:XMb<&{uE6e;b~C~L9ܿFn· 1y _8>hI30lk$$cpGjc_ m}̑3Hp*,CEȉh/olƔ& {$ cϠ{тLM:.A>:E&reʒIV{섋N ,+iV~mHG-X8Le֊r6İciS\nq\?#0uGv+Woi;vI@"ĨL?RșUS8wj6SenI7d"':.k9~"յ#b-@+)H6]:̑PdxZv,ג x dwL9"哴F ~;یK9.:7 eQFO\η$N7l&3U[0;mZ4F^rI):uj2RnJg\ 3Jf?I^R~*U6-hD evݰdyj3ⲇ9yYI$="~biboxko'lsi)ѺWp_iҺ[ORs0fLoJ(1XIGHe6yB  wTװZ,ߤIDj@ȔqɥE@Q: -L!uI#Ğ-t6ys?:NJi(,hH>sI }*zvY yzq+AoL D}igp6; :\`UEӵyGqlӲjhbOc S0%mm)̼Tfǐ]JyFE8wY5,V$\\c[xB=֩Xk܁Hkw_C߹r@|k,2m2!tsXk>o"V34R1T҈f.ۤiUB|$Obp ~{պ7 qgg+)ȖMmJjli̢Md qy$` dʼnW>sVÙ~+V$`|sBCLN\åRh VnRo Q8~7+!eBaCh\0ٜ t~@w7`y_J`3/N󙰂3t wx /&oͿen fLcဣLi:Lv[FtֆT$L*෴&+Xǚ'6EIUl$Ok"BR0}az,S5Bw7,2ݢ(5ҽG_SRNfU<n&19jM K:n^ِ{ xGq^s=!| !S,ٟp/%LzʸI@lD79}CWo0=U؊k)j\ޒJM_ }Qak [$`+  ?'xKOC B,\ABznPJ ٬7+#?bus dy}">r* O?lDxfb¼·;ze_~珱MYz#Q@[fHKlLX6~҃_~J81{IRk.|S-U7 g CEjE9Fl@g# ]cI=0#D ҫxyO&i}ݑU3ʧØѫg~t qh$!]W@ȎGkA#PfUnpKgWV)x~b0Z_V#)vct0t`fk~Bilo?Ytl[ǣ Yh; _~s.pGݖ<>EqSMFy/y+}9N_1 .ͣiYfl7h[0YJrA}Ko_kIyϳ._'Og+ꦀ# :٥@#SG|^;t@WY1S2O\YBI3fu]Cٻ}")(7oP5ZT߼Vsb) mMf-9z=\?Y.,#GaA8%iiW-FxEGT\:euߞKE GBpa)75fNԇ[8W9IPyJh&[|$z&wbV;su@MmX)εQ Z7ޅ.qjt"BkZUWdLRPϫuW) {#riM1-=`}>ќ{dWqK]c y&HGk.kH)BȥA{ ߚڀN#qdO+UZ6.TXG@\FG!4ZP^@w?mM%T?y tgtبn<7 A4.nrE!`R&}OHU37[\?JYKTmtyWi6g>E`|bXsd Ajn2l8:7>#)2/ߧ I6- 笇=:cT|ڹ&PǙPD棋B#@s.c#J?f(=tK5SMJ*NECpGPA{ h*O(3/.y}͍TȳL/Tȿ!T.J@&ġH#; ^1 OQ7LNet0gxs[Xzץi̥@D~]uk@ j4"g6APS:1 VY~9C6ܬtb,vZk.$t&:@ƦaZENI*J͕zu+5)?T:"DDq=gsbuo@@qo\5VQ*gʀE!@%rZ7H噪PU!}6Ak @ Z?Cx\$­j[,,.J>스 84StjOG.ǂPwlκ|@ ;9*qʡZlW8"{,8q̅Z0~0-Ex`q7\C 3٣*"vm:"K2'[]P/5q7Y` 
inQ&cQ_?0ƕ`a&NkfC>+cQhҋ;#l>0$)CC4L ~4T)0|zЍ lMж1A)C劰0SK(Wz㵕R~>d5ɼJ!"V''Q54ݼ1 :FM1cpsI+ep‚psiLM~Ɗ+ֲ2]0ρ J(LR+Ȥ_7̔p֬'\AvcOw/-6l7N1z 9Ǯ3hu[ $hF>InJE*I]Q!2(vc4#dzSYAkOilKVMP/c#>>wHBG| 7N!b͠"#m_# R% 6}0r,g05 : S0&HĊVz+(JmUEI,J1"E0n#0lIFE%d჋ ˇ7S paKŶ~9NA&3*hc_M|,?ugwPCA?c X|Pr5ɍaRF48 '%-$G{8\F7gCX3u&?XOf^4%>tY?ax dĮHՃ5fIP9|L?+!xϋ/y!o=lA eonNP>ZI}ZLroT\8cag:k-c/z@9wi* aNsG5<騵^ WwW#xYmWp]|~y`=˴瑮3RoZwZ3X))C;%\ @v~jLFʰS{褭dƸ9 ,T'VrWBdm3NJJ !bN(v0I.m{y~?`[WWbECeu^+Ef&mޣx"3iхb;}:=,|ܚK<w#U)LS6.#^`X;Ĵir\LZ/+,~TA1/3 p (KQ԰6Q#:D:Gyr!to4a7o| 9J-;Ÿzس'O+3|ROu'u.[ 3&nړȊ?0I<^D.&C**zTVKbr/ms嚒V1Ktll 6JaĂ>B]w=,r\%e5U~R97G&|8Kl&˯zYpNn먍oV~n!'ҿ`2Md-yۦm ׵ .Y.NĎQ 0}qYʆpŸvWN15"zt+fu{#Zx0\;o1RĂ7h#?[ag *v_tBܾx\y]E`[nPm!>s3n\<Q1z.@7]}Iz$fEʼ})6Qĭ^YGl]P$4|2e]wM=>A@=`>gl|uo(ѧU1mY<ˊ{V㍒'i߂0X_kإJT lDZԩ7go{ &SC9nۓ$(ׅ%4DdM&G]3)IT6PJw(nj o5V0V_E(ܥaߴ"ScPWuG3稚"0y$ϕċK!7~6AQKXvB&//3;J?smhKCr[:5.Ak!VGNJls/7R{z9+6Be(p87>[1}L @թ.h%I_"` qO7o䓕.ƕ aಥ/ϲY  3iVCwT"Uzs.b-(by28d6dѴ7k}6 6s].,Q o&xQ /~sgL/'#ܲ*"`%a/\Xz"gpjS ג`K0Ջj`q#?~V[7U2[>z˓ ̵݆w 2Vk; ~Nu K0fϓ\㦪xF$ii%.Z%akAOg]Pa.EOKc̐,`d =b+-5KF,ɱi'vc$!*kpUFQmT7o; 6_uؐpl)lw0]) F^;눂^y#9ۗpuF#9 fzhDOW RRP͏}6ɻ}Fv26V$2MG!(Vr2;nRR ) AY $PJ%W1 \EH´ޗ%:+)۵.Y}ga\v7 _ ]wPYX;΢۬˾ts-8?c-u(;Z?ß L`9HzjszZsN%}QgEER~-?7ݚ Zq 6`)K6x,?4%|P&nMɡ*wߦ@wIX i: ^^6 jʢn=?4Rn.ݣ!*/8kjWրfuĞ7#0* BFq~KBg1(9!7YWJɪ&}1jOcەDѰ2 (k22Y'&s9u|],.Yb6 P Re#5{ X[_{% }c$*pu| z4 YBq= 0oC#5臀Ns=ėc(,x\Uq rۜSH [)ݞcpdAeR6m]xfuZrpRJʇ#k]G*[8,[TXئrN>ܭEjt1@]џ_^ Ph5bue 8:!6y;{rrbӔ5+hjKDY,/kQLem dfrHz7GN*Ca+c)Rc6mP8"'UVd⚁;@\ 5o0Z0 dj{eI2Bqz\l݁1W6dF=QrFL-:ջ?/k 'PYSuw?g W/yu.]k lE֧Riz(w1')` XKKN3a{$a|'Ij;O\enȖ[/1 rᚷ[>R2۷X9:G㭲eKBL/^>HM |I (~OOcMKF8hC{$ \&".|F^GX4lyqbVHtHnصv32 1W Q Hj:&`wX5dCo )'\ ; Ȩ~ü7{G[b4U[jq-zk tY嗻)sY7~sebb#zwo]fj Y*U:Dݨb۠`}v7Kq!igr=Dqs@{Aq&=$ xLV>dNf&1LÎ-NO|ʢ<JOkmAv)ZL+#dEmVw2j6PGRΥ>t6uXС 1sԹ|e0qj P1AKc'?Zd$?!zC*I·Lz>D$" q8 g>Bⷀ']Y~=gм(5^v1gމ }[O[U`חk𻒕A>Ӕ`ݨ*06E y>KQVC\#4u0 38hj5n]"7eFtXf>3km7 o:_kFiQ** oq+jX_./8]jmݦ 1h-p2O'p\"ަ{-n@{I]p=#*Gr`R= X괻eyITlIw($h wZQz;F0s/zjAet@[:Qq"AR|ޠ(-h CIb0wXiw .d b{:uC8; p})C 
3&~JD) t6eO5KNt]dV٬0&G9.tŬa!&km PbN/Uf#&vn\-'}_\/ =Ӏ] h.0&u^IoP w!D-/thn2o牱|)i;}@E;sn<=P$i5&ɤ(j ύ%khl$2Nt}Psۄn  K]N8SKJOqG_!+'Fglܞ&0;Yⲛ+'t9]@s|rt\8wS.\e cVvW8HȆ@_rU@'&qSz ,ii+jlvEJ0'O;ov? G0P@t}>%NpR^o\Œw؝ 1z&4T`TZwȧ{ !C w $N\טYlJ#Oӫ t@':vS}4d[!xmO1 s!E94J˳'(/ Po<`2EL[Y´l\,Ev ~MtblXp&Y62mccޗe~ U1dmdpap|* 9(Poݼ4up4KoݐkW@=hyO&N8>wꬶ^dF)-{g͘棋)acOX0')tSQJP4ʪ!.? CU* 5Jt¶CzGhPN͹ 7ŧ:r Ӛ/g~FًBY1E ErXE` $G )bVtR\HZo D#.'tO aEŇ{P|r.6?VKQȭng;k~CZJ/:Bzw/ YorM*CZ*@C6VXu#$=KpjYwֽ{/?JD$ H,or1*Iehx#N HVO s߆Q%XdǶ_[YE,63跁,<@oxHs=5Kd4-?z5 ]Ť~hOF'Ƈ=5XrnȩxPjܥsr!h'!@IHsK.P}L^*lӗ}pj1T S5 t5">*wo-X"B 2щ"D!P;)3h0y,59i'g9ǁXsct;% UQ5PCP([? tWL"/$n9 g+sWڮ@ćS߾9)VY`@kGH!%v(FS\9¾1=ә-5 l&D|MtǤfnFRǣQuG, -wCц(ɯmK{_rJSW39A"vܑ^Cvǃ  i>tl]Q &yH: R9ܕ~÷bpGY2Jh GL nZ4};BglcZ/R« ßk|0b0 8!)e/ޟw6tr:;  [!@k7-9}O&qY+>VѭG䡁)96GJF_2yoB3MH ֽ|/"nYsvv 4"U3b7u(4"R'R8Og=mМ(7YMy@ۑLSzQ(`Sy|ҵ0cRQ5dbP:.%H(rdҮDžRw4}%Gro@w8AOЉ6V7~\+7RmORf]y_0g)B" ؎i/uI0c:ZTVwݟ~)G1Pf&:p~j'&oR{s>)ygQӅc$1[9=QFć\e!J,/h.bЧzQV:(5P0ǺC34nRw0$M> ?b-3(X\"y[X |pQ92:nA**a[KDNXvtR> VϑYT5m("# gXt+EϚw~K$Mw|i:ӷG4< P o;G2>h:c{PuԞxL/d"}h~3?uO$QA7aOIpR&U.Fw鳩]Q ` {!v2$Z)j'f}C*r E5P.L+D(YIdSU 1֗Rjf}Dc;*3ŗvCjg PFQΥ`l^v4!䱣V5ǐP$9m -02 e *\ A VAPdw" G<{ r2YϺ1\qЎkuM 9٦X8Is8BB!*<^zBy{q}Kid2br4)1U)4הXDyDcB7,a\fHew|hIbx׉l:yy X9T]*!e\"|`Ih]o(Mv2`|txZ-lzrD~55pT2>Vꈱc0W$4"$ ѣ- b-^9Ԋ-k)jX|:{ 3CǁϑQ+VSNB|3-YT*ąo˓Sc8sSPA"]gicɺ9dh8$ eBDF5єW6y'b+ubLOC kG݊cl)Qm'Ϡ1=6YYv 6fn@`\] 3!1 8[2OGr|Vר(WtdO. 
V`8p@ b*>̗bZWDrb:|)Ɖ2 tAp⛮|OO."(ޓ(S4V9ͱ)] :WM|c; zOa.kX&pB\ӧƢx>2ޙNѦ9쿑rA؏<ldKNR–ގ%x&%"9d%:wWp.ɡ;RZF3D.c?'7):GWs!!&OVt|LMGFKBQEG3.3iФpnvt(6-ڼѕB~֞x#UmB5rj]P/ߜmL^j3zQ =.7=B5O6-P j GӀ75WȴMD~;Z=M<29JF+>΍Dܝ.z’jqgA=B(tGckfB+N{MM^}ڂ{7LTj*s>;d~d%5p`r^_;:vת :*,d|M:P@T><:"pќe>yS%9ļA #'Nx+Sba69#"N=e`D1MCG)«ErpT`' 6Oxǵ ZfP%i^ , Jj+GYPHjb{[8%ITVsU\Bb5egS kw)n(% MGW ,Ih8$Oq L0CE@5<4 }cQgw`n{O!T~|6Ԗ[ bwvy^9OX4jh4QeK h \(K+Lی@C,*;ߡltxo#@T1 z?B''en ayɦ6\9Zw/TyWuOx΍YM4(oΧmnT*ͧvOȲu#?bb&4捆J~Xb(\ J2DB9ǵH :k8w`f4N~݀.d*)ޱ*Dass?+$`ǝ>_^uRv7o)Yt4wmj}~Q's{܈^ t71\.C{ Pv|&t$Cq#.M Y#,=; g+5Bh W;#˥s\s ;9*OˉʝCx043c"DעXdsaW 4W|7^+Z(IK3Ri٩y n0/ æBf#&"Iu<_Q¯l vKꋝ(-FzxV4'YS־DS _پ]3NϚ1Ď\CDwEL'^&skx-넡ƲrgoubS0SmzkuҶz ~mӬS,dOmtX Bp+&H)~D+Rdžs.:ްn A9qcaj.f'RUҖEvb$^dL E2KUQ x՜^FGciLk&HPT厞XmykS]䘻cCj:2钯V=(Ó*+=,31Bwn#&s̭deƋ&[Bt{KcPE5Yyc JY_ jvH 15AZe4)Npt#Y _:uXk#?p]RXSDeu AOB& X@oEf;C0JƒH5`{[Z5 JDV,NwkiۄW ~} ㋢GKh?vbn"Y#S>y?.ݳ_Ob'ZI. G%:R{SL^ұg4e:y%g?6^s-5RbnFm/ 1iv&H=ڙ"29ЕcƅS]RF? J0Ӓ+P>@mvptH}щlj.^%-Z(wA6QH=Ƿ`h 섀,IZECY DK3}2dgvR^- d:6:Eb8"vTpNhBǝBᇽ*wVU܃|5lfy[VBTZ|>fQRr< yS1X,=j"ī0 ]YZ;=6>muywqܬ~O3e}H5x瘟&2+cb3ukZ  wMwdCP-hF;4찕6iH_xY~V;>`/ObCJKf݉^"A4@CgqaA7z;K`;OYVJ0xTE]n:+<X(| dgeXcuMqyę4)EMgݨ Fgջ6c\hЊsC7fbZzn|j[sAh9hFՐ:LԎ)VNe&9HjVl""xE*iŨ[3 ?l `@R|98R"Wn|u{KVr'OVXGp3TJb՚|hz5S_X,՛/|&(#ޖ!Yqg< N`|`pwͻF} 1֬J? 
xt:$dۥ=q`tvvSq]{z/>2F<[Ę6O䅊T{999mjisL(ӝ :L|-|oM n7*6"Ko\TϺidz}Gk8*8jvD"FL6Ŧw9g$8uz.p\\kqIblG}i-Id\zucII"|"cdQZ@్:H@/Ћ) dQ^z҇PðՖd7Q+:L9c7jNe3?Ib4_fEiP\EŮǀ6Sd½SKTyC[|;nOne+O0E{P'q+Ȅ# 񂿡&@Y&9RIo o(';IEf$ gcaRظZ:rp"g(e:~=T$C+PԦأ^z._24G<#]6تPڎ^cG44hx(C\e dxs4-K&is0,0Ix97}mQ!D,r8GO-ЄVSp?F' KQ6cidcoY^)\LFHDD_@ -/} M[D\ic\*]gQQu+NʐΦMEڏA JC+ע@"k}znrAV4}KyUnv{'8bUl쬝g,UWU>ل4q0״k:tGC7IKIjCȥl#5?V΁-+; ܸ&7u 1d>8.+)6vaV<}-(zԔ!;v}KRsY frrcPX"`W*}Q twpة̧_ k _?Ś~X 9TSUz>US TF("$hogપ^y%lm_g k-{`n.=a4ȕڂtIm1Ɗx4!\@Fjk14ՠ2~>lRx(q?My\ڻTCjdera"^P]q_>EDSi::?ŅC U6L@\$&hd nTq=o(?R< 7CEi]YK=<0Ï4~ڠ0E XWrɷHp>%Z6l{0F㨨,WԊ٧L3(`LKjTʔ ^nGIjZYf{bM.#eڼ,InJ`LQ](ձ>VKu*-i/nHNa?G#ZpD|/2ϤC/\os#;*m]!B`P|ˠ}ޤ^&48I QD>j\&7~M޷6Rߕ5.ҫ)> r" 4Zoz.+n`4uOŽF":Fb~p켩ݠ~SnVȲ$+cP?[CJ=Kѐ"$A$.4^4q xͥ6V;vaOl, /fGq6κ)B[zh0R0W'> d`GWgA oVyJl r|4Evgטِ05h$6JVGD7,]QB^`"!m+#nH|ihT[W!"pD 5jjexZ h s1- B*\sp.kH+~>rC\fXX3W;C'<@@1D>n0kK\N 3r,ڋb@P_fI_ݙƐlJ}yDմbG1X?=+$ uͧm٫|AÏvYr \w2uJD<`%p0w48ˠl`Nv>s3Hiϯ`}Ud-x c}=!cQ<75y4t@i S~_skyIs?<?TPɥ8VUÓ4 |1p &qp*Q70^,uֵT"FP65Dtt,98he~{H[9jdžje6 >v\T^no~yg:BP!j*do&"R]auXkeIs<zPƦۭ:-ChRݾS@=4ɸi1w߮O!zivIWYf:8k~+u#̛t/s<5r?Ń`n$@d4u5;Sy *Q] ´T&(Ȯtx[o:6F;u*mI dlMpaʛlK="߈*"m3liWoSa|eL AptFlaҷdU4CV!DHǗKf{\q3`2^[e׏A?yW1%] 3ėnK`R#hH^{(:$]-L!sS?i;^+ct^Q@1]žP0{5$ j~[TM1ahN+$.^L"BJ-;XeL%b!kDF1wP=odEB.N-wEyCoS"h}[\ZyLn|nmJrl N[Eg)53N1CCp;dZ)lpAvHq50AZB.\ңC )N9: l$񞔎5VaU5 o/'=48M @w`adU]D@1LC)$(+q5]6V(o%/[ll6y9f*ӺV_Dݩ-L"]Imr=s]m[G>zX `ymzƒ d@AgyB=@mNFc)YO{8$ۿJUeue5ϫV7@"n[p9/AY߼r xIf\AAM:q1B0n5uÞi)G~nA PPU7>?Vu\Z/n,jWj􁾆dp&12~@*RH0%x^ *Y!~EMCRLB8"ra)?5C>HZw͘b Q\tAKoNO)}|^f}G(S ō x!DLcU{wqh&U7OlVFj.ܮy<eO,eE/ [Lx]8lİ]GO2u\CA=1i]iJ/TB<5T@m~[Ϥ 21M$^ؚ5+ Ř47&:Ԗ5fļiuz젉8&E_nӼ"%D\ @L$[-}(i( &vN[XC@-:7􂡺DaDtCwN b;Ob"6O'}IM^FV n7iPql ,@(UUg#hrUT*Rc 3iRw|tkvdo@KPvr4a4o1IS,\OvOuACMԸ=z~2] ' FaW=IQ={t~/իw>UkIߤlR\)LE?-՟zL!47W7Drc_?` ^,0N9+2Q FQN(`q˼rbcwC^'_mz}zfًR6`ZD4W^S)pZZroVFv@5<^PB#鲬2RJh+"gOK4_d{~eC@ܗt ;)ihQoS`wmuO-,\`ݻy|DCSB}w#1e`BF C'+=r~{;iٵjs_-ΟŸ=mԟ4K eOHZ5 k70UYa &eʵ_a 9fI*as60rB Nb8rƗXuhASav5}4:U{Y}^|sW쵨84ޡu`4"$ȿ@+R32\kgr?;s 
ɃK 2oאYc=@*"i㸜0makr+* hEbY 4#& @ӈZRfNzƮvEGs?gyb ~~tP0ɄCAܬ{lhBQ} Ife/ˡ3z?]ևMj qmN5,4ә;SFbw2"t:Pe, 1XxXa>k"翘¸[v$bydvTX%-_vN S]Dpk-& `rPr%r=KHKE?E_fdZ]")CM9rxYچr0@[1[+y"zؔ:x^73;G63s4Sw޽k/S ]&B _3KymGF< hWD] ZoK* *bɲ~| D/>‹жOicC Y(r]av讞:Ez?*xha?HD5ic/ް(c g|r/Ƣ՛ 9Z~jS$Ԇ] I HDp3Ze1R *٥sT9F:Jg#.3'Hs@ƓU`b3O6\۴ҜHGA<6["fm!(vJ3qG[w>LU\JgA{T9#,BMԖ~{օB8t6 zcC7.jX0_Ή4Dm7p< oz3lňzM8,k=Y4I-%?XӸn,NG(&c^i2Ou{ O?=+Ɋ2croԠLsc!HޒS|IcǾ2~Xg6=rt뵸TZ9p :Į=g(BpG! 6$ǷzIfu%U`}1E#Uk`}Wkj&_mQLe VnR"gn=I&_gfO lXW^S>FqrG$^UP=H6 DPn+)"~.1&GahCG$>or+p'/p-~I-J?r툅W~q7^n2mYU]ւ5& c|(\(_8S1FZ9=]9(%5'?4B3ᡪ _ WÍ8Q4;ɱˏBu͙aۛw>.E^t2ґ**3jYtRZe54Xڄ¦5꩘B^vDo :}_9fl[io˰2QTPv I9'0 f弮j܎2RtŹn5w!LJ,qi ugHeFt"MGjuT73E}ױ >6lqTU?39[_Cq2HL2 ~#WPZft}r49+4M6"g- kľY[6a@N:8^!)~P>]qus8Ƃ1%+¦jՇi[Ysb| v$ܪ|,*:r{m\&J蔣e;!s$rq'BcX,-3(neڔO0j0"93΅\% +@#_̖STC:+e0_ ixÓdcŵe{W{qjVg˛b39o6-FP^}tШ/x4GGN[GE9 ܫqPM6( !=;&W=#%';&^ ALTةE * 9B;)b"aЪEb(d`74X t_Ԁ2'7NuX5ŭJb2{pUWZv{"O"~gP׃ ?Vm؄ob>h~VkbtB ݚ9x7ijMHÂޱi>駰PT9KTI:0B(=F$>p erKh~WR|cCeSA]Mn4K5+C<Reu1+PMhj"mˉ!Db@@CBfIv^7_d!_=;`T"kw{Yy#hdJEE}BSޛJr^lj(rvĐV'u|@ ]2³93` H_r͕qY*_sOzc}=:gЄ";U#^Bŧ+ R,vgq{ٯ/nXO,*9~1_NȱXY$vjr%ݫ=#E%9ˇ!,c1'"7͋Q=s74&c p["e+8eM H[Rb!-{Ƌ!oհtRVyd ÒXWv~!=YB%qTi@{p"eԷ!_ P+as?롃;/_ A,cN(1j4nn2|h5"/L79q\jG'z2qpQaVnpfxe=U5NQ߸eXQ|j[VϑC9uÕyG@%G_I9`.{L{dYYki4oL4f/?i6!ݮT% `3^ 5euBEJ;0%'^:`ITn%d'J3+׵2)*֛rXՖ~4ID}4>0[N7*б0Tх<{ HƵvdR'SeL1#>$T/h4,lW9@<Vǀ;UQ0:2yedW6샀W9pQZ2xq_:s@I%h2W .<(\,=I*?øQ8SɥAy3u+vVL1kbFA0.h}G1j:'hw`b՚A#(dF { pbƜS Y܋#Qf9ZFq؂{=%hV0}37>0{/lsjO^*t@^;˩ :V#LDn="2"J@|Ƅ;/$G˰ ЁQ@ -bKl?: .ʚ( >{!AFXWپvq=6V^71(~UARVu kBmTC8׽Ð){^żL l D0El>?յݚa^j4 ʧCbawhX>HԬ,]6JN%|q0L,rJ?'{/n_8:$ U4:-SH R-AΞ,8ǵPHC3^.o`n~U@.,aw\q,PQ3Y9wlOIe@8"W|_ҹBÙ Ahܷrh+.e"NmHI5Xz}I?<VPE҂q IARv'+ HҟLѽG7$tk>U=>cV(.cbEBiNN=1UŦ2\ Mt~Q*|΀n|Yslfv,v.\'F@n]~P啬>Y~V %Q+H:2qE;)[_šO!%kIZEs@M0e..uxեCRal٫b)bB&|Z$'dxi1WzWG`^) _Cۑ:É4.eN"R+,fq.KP)S_Pj,nh ySQ\z d!jCo݂_C6Gӱ߷҇V35=ԗr*^ dԺnDrs>ظirpH me-t&؀9MZ-稖U>6l٤m_Hay=Vwg;6ŷilf~< Q|csD$ՏƤ>D[, W G塈8Gx,޼{%|˜;}ZiyjL:@"z\mT?޵M 
T&Zr:gIY̽ey8Vw|dNL*y{Ɏb_<)q(RGvWRB8KF*M^nCPNMv)'Ɏ-8s#c2D˓MxoL\yݧtǡ#*(p0p+i#OS['?j~DhM& jq+zb$_#!?# <#ĤŀW<^ 0-jy\<2fV[4Cs~/~XhytB=rΠC^e ;[@6e~Gng/lx(X" }pneK%-jH/2,趙`<< LC*̳= #oJ7r.4Z׎Ȇ74]%&5qY3b2yM] nN'[NXͿ3CdXm<-~YS>h7#5LKa#luy0eV5CvVBgäuTt 0K_8K]Kz#bjSp7ًppF"gt${ЭgtaIOd T&bzD3^EB\ZW^,$%EP_LDm|A[z%W쳨,F_h"qr4'ex ctROK*A)Nkنt4kbEA8gXV 5z=fU؁ ֆ ?BwgnP9jwŻdiCr =g:ZKS*S"Ul)K)4?  !< Px4]a,zzW=g@_;R@%P"[qإs҇W*7ޔÞ~']QmǠ:})RS:.O[c$_; ׶Zu`BIFX/vM¼Җ@"‚rY@BOWx~l^~FG+<_VݼWCKk%U |/(Ђ-:>*u7Z]VZFJAQ/ 8^|'s,JjS*mg|"mȜ&'n ^\SJN*iK6ԇ|QO¤|{;]- ]DT[`l|ӟf'd.!$ņ>Q Sph?]3QtU n+m݄DO"z_h[Xe,IX<'nX_~"$u(.hyiajr׬m^L꿊_A8! \ Q4NiUN;|?{)tʼn֚a:;mSv$x@ 3.s|tѬU^34-Dx`D _~thU¯8eAo*jCZy\!afb!Bv(vE=N _a[3`4`.}(֛ix>NA1*hBh:.3Zd1CV#cǠWp[mIiiS =yYxЇrGDj{LS9|݃'K`w%4j=,T 6n=uB??vG ߹Uv<Dj0ǭ2 ZK ɚ+FA:5 LAB ۠k͹ϴ7S>j&Fz@* fb$q#!#% ^dQN~ҍ4”a] di[ *U8)sS<%Q$d"ڣ{mZJP݅6J"b8$fղL.͕˚bs.PuY{W4!xI8ך>{ 66HXCLe7ƹBU'"zzI8ˀp@)Ub4εH1kqY9|آ8Ǜli̒M'}x<8!O t:1JWL5Usm͊Vn#Y%[}lf:2lcWSMxQw%KU֦J:H'Kz Z<\"c }f("sҏZ#UiqѪ:OTOnFt҅x?b5ZpTߞqk0NkT"uOojvkDw*!>vVQ M7gF+ĸ!!O+4t=udzafUcr6I<oP~FqqBQRyէԞeU표mQ]G500,:[F1spI[=a'Hŧ3.l_nz(edY"еԖYIUp[Ig9;sաyÒ?op %bQ_샦mSk(F~K#[uY7QNٌXRnOɗw=/@O%^ߢL h2YBAk8&SX%[2PHو3Ψl+7WqoQAt xvFn'4} v"T:jt:I4r=ԗup0'FhAK,0TUYSYif}{fGAG*Vk9 ыB>]Oh2N]]V5A5V*'cXyz?jb(ۙ])@1/9n R9kKCN:zAg橇>xHHZ] ]+Z臈2S{&abz' v 2BffǚU /#bȄ*YsAo qb+yL ',Rr`Йa%xEEvo7jF0>Ht\xP?F6 1%\F(r/o r5쮾BEAa 5;uprN0Id']Gz\TZ =% wAڕq#0^Z\7w;D(@`I5> )]yRQ1Ga$L}_D?T?ׁ@0_nفP0W7Fd"nI6+U.&VR|Z=䰽 (ݐi廡Z"R3$?jelL' ᄾ< Idʌd v#` ,GҥkhbK{N@'Fb'uU*vc׵*(rEd9GT|Ad C'yC&dXOny dRM<# 6.Y-HϏM+| B~Ïs&uDLMk0tBSu>&O!~Ma= O [c:^N鑃o3\0=򃗶%AMxSp.xl|Τa(3Ż)XNJD8cϑfx{ral *]fP'P1dNҷi{x"34.քQ̠v%HL2};[Drg\ u& sPq.pe v7Cwg̉i~p h}3jJn4)7iDȝ`q^ח[4dTzHCNiiS< l(IURB5w!g-9z|iGL9Q qE#55 \ghbMF' 7>#h*]19WjbL$ nIPՏ~+Y/qPY.:q‡ YZ2mp,6O<)k '+(B;m|v\ Wcnޜ߆4hM۝A7 %I!G \1I@,-0@?^熷n}]b%LzR?8:BN"m4odZa`ma -}Rs8##8dzu!.I74P\wbwq|cebyV[:cƤLBxT'U%GKU':OWӍ-8 6X E [%^bZkPgV]0O .9M+PW=r&'svpB2D<e :}I7 deY*ZQxQ%ϡ:=._܃CMoob¶ 1cMҍ uջs?o>ڼ'jw[h19.2.2X3&nq>] Up!KLmih³;tN;/{5#t&QUŀ?Om$ Zvbޔ腧bgX~x0Ga#W3QVuɣ5Z 
2KO\Roa.}G RyRy]9nm#x4C֫t'6'UYk {N] &fL()toc]S@QvbE]V|d(#~v|zpcHϝиBa>jU`ǽYD ߧ"3;Y)-hwƒ@\%f!DpV Et'X݆ 0Zp͉ȎmDat!U}۪LZoxkui 'ޡvX%3hF̾::/GzF_:`udy^PNaC헩[B}&YzXZY舀Q4yJvgnY8DfSf$l*J Ll ) EXRRH +|MqҒb3,}[$H >f6g|fo^դDRU f\zh`L[Yd^O1l'p#& JOv2G@B alв\FHROoٝKxn.B/czgFÁA =d9qjG:՟В?k{z-%0ҿlp$sXyI 1?lF|9j EXlvR4gfM΢|vNݜ^ T#KkPm%ʮ} "(1E<@:YYPO7;4rl8,b6m]=][[K޽9_/[1ӞHcZΚM!YSHo1BP,gﲅۻ?φ=a,ȋNFPմ9̀! s={}-CIQ6΂EQ&5|LүߙLMoX d,<с?LԪ:.cdlW#G|" a6VJ?w"#WHV.BFV) @WD{+ϰ{Fk;.z|%X' /oXlL)oė7S8پ "Gb ufdn1;.u%tӛo;JU˿|\ߏ'*TˌF"5".;ߧ6Zr'ҦqC=|JBXdi8)řTQ:t8ڰQL E?wX*x"1fxSBțV5uޙE\.rCfcd0\y<8!ja_{C@Nߡ"uAdՙc`oQ\ZxyTziy8 jvAE3H|K.DyxDSKv<պ-3~# 5$wOĿS6ܞ IT|?lLש)c%e1@AKa,ƈs~|o|X[ mQQ9P6NMT T/ "]=M?׸ԔӖ֙~zC'RXxFLJ/}4T& WEm_ŊVQyR^ẟKEy|ic2yM}Iq#k dh-~[C0pj0xZFf_ێ|=hV2sThb"ƺJu,lNEɓ#rBI. }Ji'1HisL],*Qݖͧ\ o)87!:9 i dFQ+>q]̣  &U5BkV= o0-,uᑵ褏H8!j1uAK.3Qm N||' u#*Ŏ/Ϊ)*{ܙdG3lfO[e}C/z7N5`Xn*ߧ?q5Aݦ?u̧C,#v 8)LǥVWb۞/i{HShǹ 0~P%-P(^ODS-r~BF˶Bfź/ Dt}_a%Bg}pȾ[`6h:>jv~DOQl$Cc'3ZdlI'U_C "4qy,~mQVI%W L^M;M:I!Mb ku&:hw˛שgc/aA| u} sƎ{"9;7䑀hK݁EFb|UebR1%7dNNZХ:"- |%gRuFfZlR6;޷$yH>Vl6?&0쯁fk >P?|3K$(]aNW.WlI?KŔnb1Cc[>^{ JWF"qϴI|\Ŋa)[,kkO:kgW5C+gcx8/0i|婺+xsjElNZ#f/KTj,4wR>{T2g4< |RAC&\wP&I4 _AqxS8/NlQI- 7XЇd惸# ,zϙ}1v>+^p7ú+B Uv~'h'4e/#~g:=\A̝…NrS\_R$:Ҹ|NWU5K=7HyTtЅI`!/qSjmPtF?[E~adjE=N=i>+39`=6QIC@mpXZf_~/q(By *-jl  ˪cٱTV@OgRR@NM.-r#?ƙ? 
9^nijBf1Ԓ(jImi-v%5N P ^̛zRǢKۘN>5a-8rs #)ڳ,ue|zYYZ(8P ծ5^k}=޵"ʨbU9^8'<5IZ͚,>*ns3_O̝#sqsr<@?v}NjbstAjE{MDs{3QV\bP۫Q:+.0i'LhSRԬ'x_HEu^zLMNc%;|/D{ Zźc=`}f\ t+Nsj+F@ƧЪ\o{;UB\wPr3dqZ0.)$vv~ӏ֊WzS9XVc)v;[) j H˨pM&JSWe!j%2$DBM*plq B-OjJg9i1K@i#A- ?O'9i !jrK $O"d󘡈{=R-IXG }`ޜuD'؊+5V7"_Gj]-V(#4D-Cm )!^Q茇~P62pY;{ r"z]FE~s1#[^1D|*m3G*QHW .b2 0}SWKfj@ġH|K#VL^T`8 F{k`+DdH45Dzy xE15'MwD#[O,tE~sIcx ΣDWӤ%P tcX>WOg_?v8["M*"e YEZ};]cC@<xL{#qLF3)ӕSB)%{mLd2e?ѧ*o}L=TdZP-l^[d+bnONv3>:_ѹWq+]w(ȧ:[f'\s&aޅq tokT1ejתw`<H-̕gW^lBϕ<癆2hFm $!ne,EӔH7kYמmM9+q|ZnFJ'{cὦG4SXc kp% ́XCPEz_@BP*Yhpmj%w|?Jq쭩Vkkx=p zj8Q__mnDP_Xrl*rOyW>[̏M8ru򪘤\l;_d0&W=2u,`xh=;|>} Z+h<0MV TS\!YSkp](#@fv[UuɇbPw i4qzm^mrƘxv^'Z7= =4c̑VhdP6MP k!~^r%[&)SRWQ /ѝ@\0ouXi>Nǫ5m[wH!bDg-cٱ{=d+-Bg-%JqN"O5/.@+ وM^m0pԧrjC4[D]4?m#&wن`fj{yLv*s==f%@Vn\RʝC,V[VZv%(q2}nY(,ƚg(ئX CgYvVP诸'>0q:f!_bjƜtURɢrp)`lz+CֈKRb]&UlU=whiSsQ pD!iC`[oz1Hބ>] ++206w^p&3V{p3-n0pe&Oѫ=kv2τ9[usnwӀY|k*j"tM!og*fNx`"Ͱsdso 8G }]#αQeV0nY͡s2nNe0d=O?zI2;Xz]3%!;rJ&y.hd,15P %C!ڥ|A9fAԗ{s/^BB-<*#i3ю3D|7@)"ĕE:+p-&]'Uĵ85TU>9wIÎo{Ʈ%u%½݉=c{[}iAf mo-f* ÝIhA>\=cH 2s*sO3QGT!`Wh6O>Ṙ4-s! 
ڜѹZnY'a_vy3RsO}Hc;]2u4_}ZM6v טҤ ]gv`zg[nZ]"٩.(]>ëy6TA͗ 1\1UUE=vu{!Rd >51cJ۝㎆ M=Уs +T|7s7;SF8i%Óws<:ɅT~XEemekMbI+NpsW"a/ox?C$3}~D q3G|X jtlNC!ۖqdu-RF9S 9yFyh+~w_pz=':pC5 ?:JYܯ*=&rk .F672dm=ݩrgh ~T|HuZ$<+7jT,KD ܗFӨj@ R!dj$z D ^FEOLڷ:6J "ˏr_JXpz8H vg9Z/d=Olz?ႺuLnΔ.İOu/zEOiM^EC^C`ͷU x<+a+:DBrOY VKm)p $rba>!稶zK軟=Xo5uJ<y=d?N2Cʸ*< ZJ5it<@EB {%&ʀU^l)䋖3Cx-.k)i>;f_.,Q(I28-7Ìz.xCe qb.K *)f꺡{ƷQ*濾rּ"* PPϣP%?_p#DsL]֙ft➓CW* ,#3>3>"x`Npaӂ*}b )NIFg+Cgkse{ҭ˟}Ȝ9%y4`gl^1#wAzpL 1|Y?RM J< PᅢO.ʃ"$^sw8dh䎣dBi6D@:WYj:vgjm;@'P&@5-e,yyz(ŁJT(_\В iNk{TY8Oz%Һŧf?gZY ySiUTdgWJt 5SBių׷R-a\"I OܹQIqcԞgiBaVeU_ǒhOdߏ3hClەMld];OJ|0ǎ[tH4I}B姛V]vwɈ .T߄2[\e˞=4L|PɎ]UÌOZE1Hw=߄ඝi ݆1I6kP\HLpѭwh8SENat)B8A^3wGDJ AA۷)5"t;?4ئ E73=y(JdcEG!~~ AIAufMxWJhv:Xw<VRA;x 1sJ|4هDpbٯT~.!NrD)1o>"{׽;wx?&ByH%(,׳,m =u1]7s9'<2|4$S1G0q0K-=7QCdkoGIOB*|#2ĻƚO/0񍧭1 ԁX$' ,5`[BZΫd| A<[ZOⱁU`3ФQڏbYqJv ݼ# 6>e;4 aCx:Vaۭ{ xϵL98͛ov[B$f %E+D_j)źɲX\S֐!.PWY^]V]£$^B碟RAc pI>摳rge@+(Ǚ2.N#UV"%GfDZаЂT7XFdT" +ն-k׊Ud!z5MZ͆rudPjC5@aKU'Ծ%,R[$B K2J>eW{xtlg9&76;[>Q;(,i>|f},yy !P=>r}،UvbL{]3x kxxXH?M n8HǐƼȤlЧ~H M_'{1s{&q-8o64nͣEKa::f7VRXoL3h=2;)~4:g0m݂ ^Ϩo[IӎPUڝ pfKօxTqϦ&8ʟg;pɭ#hjs}ňbQ@~ވޢ!ΪW\E5Q>IK,Ԇl7œ_+B Co UӰ xHoruFt8 7w.ˆ*im/Z; &4m$ .gK+e}"DX6l[{"#,s@V0]S|λgB(=k p\fY@8q#@70V)q>xb_̕VFƷ]0*a%7F' ).}YqmDXI#53<~jWܤ(orN:+ILXx#S8:=MAeLQd#Dƃ'"(s7W.#4Oi9dЊ4%|u;~bsbTAQM;:IY}2s1#LSh;D]PFyhY#vڲ[V/n>ۇONhgJ@YSU6C2~ zg bW쓧6:j~@$\q9)4_𰠏 Qb7E,Nt`=f|OvL/sS)^iZڼ}F`º pU讇Et]EkOW|,|F՝հJָ-97RB-~F1 7o O> Ɖ#v}'Xe~hb`=fwǫ^GbwP?<$YD!<^Qvs 6Ǝq`W<&Hi;XK,HHI%yCDĚ2-BN衃^dߚDNf2=֡T3 Ε/ t ׾? 1wa#%Oc"RtL Pg}5ޝ?+Y1뛴̑{R 9l69uYLFQC!KMDာXTX&֌o*SmLW3 .Z* 0ݿBiin3X86d*&#Ep J 6"4Ĩۭwoeo SA=dt35F/3` #S^Qnڧ<7-&WCɖѺ6^3YxeNe5 Ev/Jlj> umZ1g6Pcmh۲+0) 1b4չ^Yt )Ty֟fguW/>]dqXx&ғRNĢ|TC]̮yt8)s 3Y;g3(lihp7&C*Z4?TD1v>^'։_B:죙[ƈd2yFwa55Cwٓ2VRPS`f%aVx x ;KIۚcjEBBM⠥&!GFS7d; _ {lы.#vU- nf|jߥx>PD Ro4?xY| ݕ̳' 4*luCPYG0Lb:3krW"=3Ha/H~Tв M*Gۻ\mW.9%v0j -z-0K6mT1a3iz 'rhZQUa˪Truz_m\#7ۤ"H~5ShZY/_aPD|h:'}t#jif&秜"rzBZE]wmA/Cmxگg}p[p.or,R:.Q. 
=OU@|pemmqN)*YQB?t;0U/E9UquYTRs/,*՟|Lͨ I00b6%w(W@n΀;m'~2 ]%2*M'D[ QN.*0\ 熵b+9<{-keoӋr*?7{$a7N3ÙC*7T,Y%d=2 Qh(nj04'lɔ %\ZAkwwcP{ˆ0g)Cjty%=AzJvd&ݢG&} ,L J -:V:%w.hn#>-'2/׶oM544`EL BSG*|$ᦐ?NA<:R]Kp\l" b2G2G*zzF~W~3E1닮ڻGZsjimꀤ[`MEU2.Dm&H!2N:pp.A]E!WOiX!tI#x=T8i8.;%9TiVtg™GzjRG5T# *7 oxj#cS>,)kkxKؼ qШ98ܵ1Ï3p)ĤXd~%}S{#҆=M7ҕQQBIEZ%r,> ʯn@-`ޛ8=o]:hf(#AJ0a2bUnƾ5]޴҉őäM)_#rMGE#w- r+p/YՃ7LE%$E$9eJvU_6*![Fv#YO> }qzwWdn&7 }}Jif/A|(M>yZʬдF͑HwtmRE\[|v -~E:~Q FlBqI1 m.(4N;9OEWSeba-.͖]җ#f`aWTq#UvT2Ϣ0}WC Fgjuퟃ1m?!Ynqtfvk[VG3yqX@__ 榒^/{ɉE5 ʗp9F~M7㠋'I"K ;C߅휾i{TJTegry7ɞcςעHp3iN$|e)>AhDAڒ &ߌϓ؍@1bfK`1""gXfFk.UUF0 4vpL9R֜k) gm42bƧ`KWr;'N! ի|s)f 2zSk"WKD;g(C l >*x!-2^h?k%S70GyDh 3Rl]M rkKk8sb.,}f=L#x Y"j oCbW|S%IR4fM'u#W|LRC]Yo&+>4?e>\//`FF lC QWqd>s6ԽYG,"j6={2cBht 0vby(C>׎(}.sw8ZcJ+k9&9ipki@P`W # -iJjLx5~nD'p_sWOYgw(@B^ 9Q Hp4gilkr=|W8S+QD(||NFkj.Deѷ_(ȍm%k;h( /N7ync[x-9bYN!w0+kdC/sC~:Kڠ{t qL+{e0[7>=;E s0㊣oPg'h|y St @jְx=G ~_k(y" )UpCG {`'J֦T/s-ex!=,4=J"kj Z4ʞ4S 72@o09sh+'NpޘvCH݄g C qVO"F5_ZT=3a > NIv.D|EA Уi K)N m5NL/CE>]*cnW˄EүlQLC.3gاc8Ń3&Ҩ߷=bO%bNg3T($>YD؟Pnm p<&4 pi.1X02Cs˒D|BaEbMCw^k ( 1N_4+.}8C`'CKPc}yc B ʕSϻ /J©P1GnlU@ekiG<`<׳CéOL|?WPZ5F_wKvq(gsvl!c!ٛk u1kM4@YTpT} +jmPOQQWkϟzJ:IMUJk ipܔ1n3q[]t9+emZ0#78]YO&B eEbDǷ,H gSȉN*T){+4UzͿX!xLYB5(ESCWiĀ+dԟ=u',X^[|l wyh0xn^9:~y/ FA@Ro7wCٹɘ LDfe dHmB}퟈P6@ ~f;[r"e ⁆%FH+ggnj*!0$0I8Ԍ? AdQ[V;dN.W4mFPZ I j^ȌAqd6]LԦ\܄i"ATZ-A:9%'g\uYj;L[ ϼ;CY|ll6Ġ7s׷Չ-},Ro$UQJuWUZ"jˈ oOs1ᛊ6"xin8 yH77c :1޺&2h&+ "̩ $T(xv!{#V]`(y]̹)U8F![WB6ZTٰwG`UCwlb⥋ u5OK^Dwj0 MxRihN)|ARվ! 
/7?8.l#' EJwr O3֖g؊*}5FmOAGb13s|f(z:z.hr Ąr3v:C15G|zxr|z @'@;.0 H%O ,>>–--Ol8юsm9c=s&ƾ%wigNZQRmģI5@_FLϺ)1,i[lgO2Fޣ%֢-?OFy1fuaҼc4L^t7;2Vk$]v"'1_;gc*rJ rjs| 5 2TqRP-92x4xu#qw ~ޢ:C#3"FVn%iGkhq`8ȐYV Ԑ"Nv7oy)kJdvE_vm,@4_^ob:R5%4 8أ : w~5q<r(:觸i[q ~lV:Aǣr?_(Є[jcO&C/C {'KHؘq`%j ){x%pMo5Bӹh rJz 0u:TW{^G-q@j8BnŴc0,*u,vurB(L0ud:Ԩ-Ӳp)ï$yZ\cDg~cNx/b{fȾzKgaHgsP ͙QFjba);VG+DOuO:!%9/713D6w?j?Ng%^WOǪf9C\8m:l>@>7 Q;[aGjJ;z$ȂkyJ/e/l͌Cܢ xS 4ZS +QrZ 88M~(WAf[3O <#P9c.ʄ U5ӌЈHat0 =-.'m r4~r1v> :Vq{W'f(hO'iuE᠉Hǭs̖@qrI?)?@nS˼3dOC]RnkM%4G2 wrזG^YKơ6#C1J?P$y>8i`Q<6WԩG=h8 x.Y7 Y>ax2¥ySիGGb >Z5R>yYz#?aO;ԆBh?=cvAk{;S35Dw>oJf"u5=݌ߺk Ƚ6霔$dzϴ\XOKHA0cW):vK,:vfL1t*[%&Jʊ$~qGy_S+p=Ϡ\{M@ B程1d5 *t> * FϽu%N{&/euB/1()&D.Nu? %hw hKz\092` k0b5vxsi[ KwjNx'嬅ZwUy&pkiì;vY=7vҵR~ x _ 3`Y IUdo!t?Yd(őcT]"E zKkքdݔny% Δm{_e~fP ?& ui[CU-EL uܢż4~Eˁ><"ϹV;P7d~_Ҡ&ڎdgAr,W~1SDPSV!{`|sm˥N W{ pd@< ;`^noήW 7#0eyE$DhԴ 8|F)<Lud'mR%mwL6p p)k;ZOYH@d pUe/@'ݑ5/|F'%+hUz#ns֐{6W[g -8p(AǯE=#k3A\kUZXMDۉ/*~0˪^aƌDjA/H]1=U`߄ֿ]ZCbr m+::c1f/'![5r1axn3GYm/A}|@6n\/}EYòdɶ*4ه\$j~NΆs[.9n>\V Yx"#<&%(xd"}|}ѡʷ"c޹YOt:W~ڶ|\=uZJpiՁ<0ZOohEd1 ;-0~LF& y@hPu}]WW60I**vD.ŚJ?FcD>ET*Uf* Xc)\7K\;D۪ =!΋ 1Fg_'],-tIL@ީ,f:_pTt ts/덈⏶sW,Q~3-.ݤcGR/[<9~3W0)K隫#J`L(  H8UZ'! yȰb$,&Rɢ( 'a]F_³CMGI2J۞Y +SЕ 0e?0x{q"A.t[۽swvM+L̵T+iMA)6g/|Ϯ3ιBSBγ*d%J]2FAEjʥDnq#x\߈Cי@VC=U*|@!U=o6%Hpm>Ęag Jn$ն:,!)Blh-iҩs=\O}ӃQpL즒ܴZD4_` /mv8>2f?HEz-3oh-$QNG$NF8:/Eڮøㆱ ZGJk@i4)(h%0/N?$<.|JBx[h 4v'0O==o 5Z6ҡwtZmtACp3w,"/ g;)Lg"W[obѦg2LO%ݥw} aU^YH~vQ>VqW*[Kk{~{r/ bq?fLm*,h6K;3lY!HeU! 
o7m ,%1gJ'&nlRH j@长5q\Z,|7pQjuLokx/![3]?`nMIwz4L+[s?G?̒]մ dEGW aq}czn"ڍ?*VWiG\}@ڃwTW-gݱŇh-$@A U 7 }Ϛ]L]I.\MX_e*g0NhjΧe8E[%Wה~8̍R !XJ M) 4Ճ2#8 ɐkӻ\;cZ3'z_a>55P{6 {WQI̟'As|~Sv?[Oba%odKO0EVۥdmNQ |3wfaIDʷpIz (n;Q}EjGR*>x#cgI E-{-,瀥=r]oqi"e}0j4-OOʈ7HKm{X# GhhQ*bq>a+xHl^7c fmv%}@xR'ۏ0"̎z1kjA¨(^k7iZmզP:} "KgW6["^9;_&.ŌRgnb`nk#2M}ˇq®blg݀'ʴ~8K6ajH)ǽkpyVp0v@aڱ2ڛf\p( v+JT瀏(Wk _YɳaO%=DՁ*4r;бzӞZ$ʚ%@`%f1Ia,U0~C!*7H35) ɒI'p ʼnPqNzZ㻑yz{ϟ7v6Ja\&1rO.:jm!KW33\ә4Z`7T!/>R8Ӻiz&Bh+P/ #/2 NI ,fT W8Qcjp55l_CXIpDz4ߜcJڹ.<̀phA }9.yrEDavTwR),/E|aP NDX~P ϶a"Nn0ngdI >:L:GOк?hS7]._r`y`R$@TQo]zOꋏdQ;7Z,eSe[K?X ֨gư]]oLGe P Ipg|<.i&Cд#Vbh}L>w""hфQ Hd-C+B5vJCE2lA,ѝ' fZ%[h|ϖwv_Z-uS|2Tfj AyҜzx412RDJ1O>Knr}Z-mo)<;G&>-O1DFn0p(NORꛮxRکb"$-+9d #mxX7 1@UY*!_ѪO>3L_b C^_XEKթq^S|l"ջbwa8IR DD; ̟ 8+r]Y/<<,JKY|/ |nr"n2%I4B gE%x`uDY\hA5>&ü4*$6evτ%Z120W+k`v4)!<, "11;B7x DJ cן#ڌf)+NaDqȲü{-ܛY- w*$.+&] `-ᶰi` NݔǶ +yljG Rq5Njs3ʳȌf9`O.jOswyp#35h~)sI7 ZXC\_qU/ő_*i˙,gȀ(/`L.G9!YiP JV^%{J^#DD9_r> dKE c߹&T顉U`h9AeVp%l@;5te AB{˞ԟrP?MLƃwdb%FTO;ݩ#*ۤ:R=W2aFOdt>ܪT/: =CVaIwU{!Q_5zu=Eo`14 Ɔ"؊faΊh7Soѯc{ckߝ (SJe@Q4Xr->9@ z1IVg4ް"p {w"iNqV (`xi ].K>zvmMJxya:.)N _ .#1WqƘE8,38QIBHgWޝN;c))L68] f>(6}=mi1|՟s.Y_ڊa?(͍ 7q( ,DzPKE;B+WlT(鯔9*e9W(n]kU B*nk)""=(d_ H%)ːds311S-ZYnxLB,H6أɵO-,l s ]yxohV*čiQ[[>lhL͘CmfhOUَƓ1y5!RG >}+JiCQآK0tA[V=%s{Պsu_*@"ybd6b97~j^yMF8OKUF0b?NCT{z9 jn nw/˨8ɯse뾫CBddn-%bUe0~T$ ԇ伎^S#:T݄֘0CN.W^j=_ v*2| fz8_3],"vG:z>>^g)ƄNJLNJPp݂Ɋ%ZӐӌ;l1Grp*#A9Ǘ/zjng sI~R&8&~zcTi!\ |cM🽺|1)-᭙(9EuV3sF:]@n.vCa{+ $`ڥ%;SBLji_qwAjĉ4i&ؼ-6I@[W",dx%J=;k౨>PP=P0XTA*ۘ,;N'F (L߃2S)4zS,lUG]e ,WEMѠ5ukKN_V\ ND !e{\ ),"P ..P{YQGͰQH@feSa欖.0hKUc|A +!-0HSyqԯ#LI+}^|K$M )T?$hm5o v/e J`-:࡞))mwv̮2߭sO?G?!v,P8@|"R6|^BLoĈtle=g5?[/X0 ?t 6 E)&,dKV<<o+I_OD/$qgk⊽gZi&{>N_\P*|ypT ߍPC<͍80KG<,O^Ⱦ\ff6tbl}{?̏o^sak%^1uaAJByQ <15_l5O}zca(툹Jsj_eX9GL;DtHbZdjEL%HK=3ƈw tË ofq1x$QGYw˰:!E袿m7MJȻ_G+\]@gpQbu|z bwX̣Iinht*bM;$ AF9BgRvwVώk|} ~uJxfyvŻ024tog& 7wb}=MA,dtXܝ +SIeb _ $FZ\gJ_ b[GC񆩼ScW2-ɟ=?[~ߊE1r[^ݕ*f?-V ?zgIuO7;k0.OLl_܀Ol)챯TC 9rc{@waoY[އ˓ɽO ^= Θ ]U~–g 
hHʼnUwku-'W(BX^ٓڳ$3=;.&2U:ȸҕS烖)RDp)7 V \ώ`ZJ]yd&V' 4 p_s6c-#gWByXilR*xJC4ʉYOly+*C j `u*&2̉0pg*ǝ/> @_LP} DY,5'0K DքVS ǛsG EIÍaW #@&G=l ѕu(=a1)!q0n$Q}ﯰX$^,E6s"̈́aTk RHS?F?f5 z eB]|'6#! pFq!=9KH;2/B° X%TTUtn%e :4mo1mW/קּPZ÷ 4nKʻZ<M ڛ+M[૆WƱ# 5FxbuNuZm- J6 t:ýg(fפk/*va0m!̟6} (_+9>1BL].G GI_x-bڳTDJ*ow); Pח'E)tP]9eK-vFɄ`:WRfr`{ʷ+wP37+8WæG+y2pUf5# D7ߏו[]S7c#Msy٣}4XjՆCkoؕ$Sy [9$n68P8i>uC4.֎u]q=ˌz7Oe(߼OȞe*v=,:M_?AԷ†L_|ĦYN=>P,$@ރ~B^*G+yNޡ%rw&Rb- 3b]lX|w3@|+:unfX:3SouؑH3 t;gILRU}G-Ül`u`M2̶WMJY1e, _ǠM "}4tZK惆`t3dQKFu<[F\Dw[3k'R!gpb#2#4ą*UyK?1 )dHqCr4BD:) ʷCݴM8*FӖ`蘉t"!xJ7h|:#a3qdgbTz{%:XRM'zR'J%O;>p@'atYlMuYMb|Р4cXv*y < Sb,,#"~w@-S|jKcsY!.⎠ULt\iK8ݒRƕ Y:,mWFaì "fˎ tӮZ|g9!;.3wwQ$)7z(iiŜ:=N^LgCD_‹ٶRl(<<I·PB x#%Q5мVK5znZ[f) Y=i1jͬF\"^M>pX;V-$h0Yz6 G ~nsmд*ed+TDK׍>@]_Ei7%%@"C=ڸ,GZsǶݙ8Gyh)|TxxeE, e[n罾?#p}$`S7Y^љ)St%.WENN(^;YCO; +_+)=-TyRMi?noΰ//Sz9ߢܓ &ւմ5un[szTۢ|݌z㩠o zQw [q>9*V2X4 iy9&f[ \ V6]o–QJ Ƽݽ_s""C'6CK"@ i\&;bw!(zU"WE4*]qK!newKvuD03%\?ָ:ٓ&B5Mn:n d1| :R%s4#a3m9o-xlٜNȜepqBOq[0 +>i{ <;.fi:x*IB r,uCh˸cTCk-DOޛl|0;XƖj r@y 6m88.6%[v!K_P.m넽4P}ܦWЪjޱI\fجvT Q5c`н 9H!Q~ kͱh8K+IL<|wԫD ,+w8-GY, $$jUUp,TPQFuS$ERy\Cl?u'mJ^i.bni9At;%؃X?~) &68y%A16E2Ћ3,éU= 3CY8;nN .FJ$)ievB{'~+i6dSb;J *,ŖigaܸRH8+JDZk:'RAF'>nHA(0vKr.sۄ=a,/S&㳙wgJlIhmiiC"e 7BU4S!X C_ uEsw¬H  WH#bBkZ,Iear쓈;R+J :L옡q>¢[۪eS:trT\l/_RI0k=X$[|%kC$¬<]歙B2SyLN\$VmřDhn3[њ` VXJ9bCFN 3LM ˜~pUOz !#R42߇~;qWh-#W.^+?iae.O$6T+bc6;#&-r8*"e|~#LgtԂ2EVS6_oY2j7YdrKU~4MNƃL؝[!jۀ7 =g x?bJ*ΰ2E'&'?f $Dgͪn/[l<! ;ޞ1:T!JˇHӜƞvtr0D4-{~i`pG b~eΚn>l2wGoLn]lDw5m2EPF@e\9EqS1^HÖߧ),H0b/5̵0NjN=1ĊB@%BKWExxiVlSu(r0[?`H,X,Bivi8ݽ%pBXaSa&D,g]1-rKMkH =A}tOhw2@Zv}Rx VOB )$xą1J.&T~8t+b$ 5HH{j&@!C~cjKgIEWi"rYL7׀GAN$ڐ;I=Ԏ=B SYbl"\Ic61 Z^SKE崃+WPȐXBY#Qy^g*#N_;nʱKhN37V*l̺x1 -eF vpt:wUToѳ,鱟4bN>@&r_DWݯ `K/n\gnG=nEbz~>mjf$3oڄSm{b;3up +i;kg"vɍKGS71_~؆Da©A ElOj\RwԔcۉ ؛|Eפ@Wzi0'&~T֩jѶLLG†;>Ƨ8f= AbH qd]a{^R <(RLJ¯@V\? 
a+ ;$28N =Âq Y.xDo?M{ 6^1@ NXsM)W7#I&"b=}誨Dk((]_XD4g^}dn @m]KqV%t,w*c;BQ 1?+JJAmEk$u^D(sMR[LpW^Ճ*b{i5J:fk  g_D\km?hG՚r_8wA}s}6N3jGmڤϖ dǿ /T9JdmYW;cy7aª^Mͥ`9[](@$;#<ѰY~!2yCZG.~*u*nU}q5Û-YO8k!~ =E OHJdw* [};?;"Aҡ$ϐM~C]KTrWHgLݲ%#9'DJǠ.%s՗@e-&bݎǥ| R^$9Zw0È{ƭ:Ru^+.͖οفM^ͅ}XpG+mCD@SD%4\aa֩XMp3ݭbvg½CZUUM z&*oKi*le1o@D4[N#yϺ?̨%OtUΦ@I%u&%AKN ]8_kWHs>>_5p3|s)owd*vŠPfdl+MhF%<|WHWӣ6Ƅqn؞$w\b4A)d~B ozNOl-ZϏIH/u",E8۷}P"k=Kg9|BXDYսKlZ{"Җ1wzm ᒆ~jHKJݹK_Mh]#"-}~֟ۧ쥘$h X?ТK $C04x8qƻ@='lxPiav..5تX0A,?# V288\b$!DxEtM+ ^,K1*9qU Ucv0*DB YRE0}k sa?5*8g_ X7+Q:dlZx!V_/vn=?WIwr;vBRgд%rVJо#P{%;n'ܽ~Mxb`;[0L{Wxz 2P6A;8dI ^ufp.UDg0\ h|3JarXbBM\h[W})-7`\ND9-SI*"u%#dBfvŗy(D˻toj)*Œ.}1p@sQJ5mKl @ϋz;sǻjMWͮx|h+ˆeq|^cqs'Ktgt&^ Glay "]np=ϝYTy@N- rY߉Bl HFWb%zw L:yVqT&P(ďQW7" Lj~ k[Z)m}Xenx#$Dk6֗V,t1~3%$qٳ&Sѷ*B+\c'wYU k洵OwˑshpPj}šD\Kqn& +p+cX%Vܶ \n rLweZf,bla ]ȑNFbuti69GD6+M~'u ӝ@b]$m`4Y\"UYG)|Kw+/hKU*9bb:w7 g ݒsdEitKfd_c(puǫ;SWdQeD;b~|XJ 3ͅ~X3Mfu2!}z3cDq|V|n{.Ϙλ,>.ZVFe%A@9C*昋ApߴiĔlJQ[e}tf?<\!'> yJY]Ö"qљܹ` Zz018^4Ǣ7JRu5i 4nfci8@eFNCIU>S% ю(ʒ<Ø3?IMc57.c :t a.KxXJAо v#w D޾Ϯs G㮈d2#R|`ǛQ 8O;'6IKNk6\;<ĸ%\4s%C vy,# 4:dKϻ-TP5jB&6߽+8UJ-xiv9),(nUp)!fhq 4?o2ћm ",r/3n Ț#i}tXfB$os/ܨT<_T6рvDt̘@]X/t&b%/Y(n*S&7B?P9j7+wiCkyVoƱ8>?svR'n`^axu1:5yX/x\2xuK@k:ցŐҜ_B%e'L`rFe.=ϝL-5#mcٺ!e)J7{`ު մU:fBk ,M/{^ymayRw9!7u$Nd} y:޹:dbPcC|򑨣AB6SO{NڣО?E,״rZ]mA.Qazbݩ1r"8 MY!{g%N2 q(Bfe ns }(Ӟxx[iRY?B3 *?J۶/$VѥM-~ɳ{;|fa*ϼ׈w;T1J@6gt}ċ0fr7,Kcܻo!Dm ە2'̢5^T@BQV/C਩|lzuaߜဓP7 I 97\#JN*>oPpB=:58ph+va[T4%ڑ!pD]*j+#K PRJ(=GũG/MAX ,m!S_rx~`ZZs@d.[ns *L b/!]Y>bIr6=N}D#Z8ϭ%~ JFe1MUHVIyq#=iZޫD 37:`qJa{ǂ0Kx㻧n ~%~z^0_ˊSGƏ]^#&B-%z< !Sonb]R:ukt=]z 2eoK ӊNn_): ~6HJH}&0F2v΄Aςb2m`.0b (GWR>s 5L XWh|\"/Ɏ3zӓTk#aм}X:*0$]߶ _}ve&ꉵ- 9Xc{e X5k4GhjLT8-=`7yxԼ> =O;oň+ 4jI_q/xE:Gab#Nt< ˜N3M9'u(o60IiH5S!l~W=dw4ߘ5+u8lx  %YH?xBf)4aqJKVX IL>jr^nrbHyѷq)ي(pEZ_.s(C% 4h+]^l!ӢE8\=ΜsΦ.Shq JN/@]&(WkUOT$d(j/D>m!r t昰uw!6F5=$-fe2on n}'}0f۔q:k݆#=Қ3(2Y@``m4ݰVon{xP᪎h=0{<{$?9(5d%s yE+Ѕhz\Gzu +2澥cUy-b~x0XÁEkyQE-)^?Ȋ'bk49ֵ5!n4}k=擸Pl:L*G6$*@0ǰ۝:+un9n|v^ɷO>&đH1[RVdb|s zƾ@6c 
OB[8D¹Xշ'R}ݤЀP冋5܅RPΓ[l^²;vP[ w.'0x=}eĝ]؉lDoqgB"^2$oA}'\0pXsnT'mR'Ehc2< R#ImԏePGZ5)J>Be/UGu7)ukG>&6eR/vVcSaW07QcTF0Mhog:4U|GopY1ѠE|kR'19 `kR ];\x- ~qIomwfr8gw*{IyN|-ZA`E}dL ޙ&u|l|⁄H㋝&ܑ:I{Oa߁5LEG <~8ec+h?nlMzpgl Gv*"p5mQkn|YVU<%vkV+G7=@(ۣZ*ohbo"T.~dbVJZ<|A>`Ѣ%F^KRA~p]o-g1 rve=._\΁HfsݼhvW, ?"w3gֻK E[~-3<ZbWN?DPj̬?<(pfҜ,XwӅdw<&9'-Xz=S ;=Ak>z*Ǥ&7Q/Sd 6suIY̪u<\"|!`M;!$+C -"W|P*Q ?OҞƫ\LirA1Tkx'N40 ՕvTQ}+JCA~~6eEj eg>$Ezouq吱밉_*_ 6XwѾ u=k.YOGuww6 A-!E ?h %L ˭cNMg3-3@Se"@ pK[?:> +}eH=w5x[ݟr5]GV\ؗCEX$^KːW}<yd~ Hw_{V@ ޻5q}L՟b Y}悷>D28: )Q8IB31fjsUs-+.܄D"M>sȀ2;媦em:-ZBBd×и54ߞI\9;%* .[*5ք$EOkL0iE5RI`uHQ rwh2 y. ]F8vV)y("M` ^)&>7ԧ*Čڛ4?xs=-q Nk8^uHᚁt}I_0p)Ցf HJ.4-]h+rޞ{ /%˖.t8),V~l YiCf,i+`BY8@13R(8WKyH%o5:ǵ~`H#)`H5UL8-~oVʍ<R/%=k XS兤&:`~.:Eۂn18d,)_o?/*t|'$dӥ EsCRD/ {c%m*[Sg'b-v22:eTX PЀ|t+Yz*I"r$3 ڻ[]W0+/1š&b;ita-4j[ʼn@QUݳä'T d,vIWٗa0Igz٥Desm8py`܅a)_Kǒc JRi6yȑca5`>Cps1:~ s scqqݣ{,OsMϑ_ٵ/A](u ?pWK+s;[:6lVxNMcwm_ͣ'ወEIhV럄?2ߟme-hx IKc$|Ɏ??3%lwUOA_)ISSs'?ApiTW*wˌꥮ8'$>AKx'#r䯂G`AG7`o TQE\EǏؘ*{g0_E]톯ŃgVR 5t PTt8G?l~ `r>@8_ۯl5 5e!4CڕjK9Q~]cfw(MHVofS:9f. tx43M-Ewiׅ+6Vs/7*HQ3rfr?  vp2)x޴y"J`u< v} FU,VAu)l }Ȥʨo %sbz ;sٯG)=W)"Ȟ\Ֆ,bhu@kW 8rI=eہaϑ4yH{hAE;ȅ7MgTBm+m$ԧd`]]m*S3P4D)q'ʰ0Y=X l!Ȳqy 4'J6s daar[l%ShXƺudnjʲXTd0DI_Ɉj.2 >8Y`٤A&c66-V1rR#/U3NHYBk&I׭fLDcufN)%qJiQ55 '2 =k\ݜsBûh͉»gcjm?O/d-Еkr.vrv"E 1(F9 &|m p.͠h?Cj>2ϳ?tOictodz>) ^)wɱD>ea/958./z ̇ho0Rc.R>4r ["6.IiBeMԅ%9|)O'cX Ѡer?x-%a^Zosv9n[#jjH3֠_bc̒,7f5ƞ>H^4×9` )zw^}o&'J҅˾?g 2L`O׾J1`;T"`Dx*IUC4T>ȉpZS#1+]f^Q-g}O!~;Ys:l ? YCNj;ki"1\0K.Bu VhtmvE|3'm #CoL߮H#S U$#>zZQ3ӭҧŲtFKjv,Vќ^`rN`~aC˛ڠXX 6➡ZпVr>u4f7mE9˷ENadm[^vÆruЊK%ނSp QO7`35k s7TSχQ *D=h%sg轷N6 ^wJD|qgu|"VU9sit4#o)MxЧ'7u,Mm;M*)=BsЗ,s(Pt\mD=Y'dnaM>h!w K,oYvœ/}T]K)\t} oޑ4EDޑPKKu3yWqjH2&%>Y_6*a^}3ܽ۵>h}p,8 &3 $/ Oܮ;B#/*p -KEgF/^aܧ΢vv)_(#õK#Neo[` `%c 6Om_Bج1G8F6 6pR #)z2x+Ԋ3vg@+þ(,,^*?㎰}ф-T. 
1jSYkVʹC:PN,lQ.8Y*Rrsh{B>.et$Vqc"TIL{lzrvܝ)d:a'ڂ޲gfmpa@AAoFѺ^Q_/h 6 j0K`.@E-+ BƊȳ[ u{-1z~Y!H!cXs|z>?QA^ŔeUaׅȖya8M;k~' oX׋1FEfŒF.E1 Y{&ֳ [2X_=;6$|[ST0k% b}NZ_p% >t+_UPi)!͝϶ 셠cS[KlF3C)L']]IhN=E%:k&bS76Z_J8'DG !I}* I&o0 E{AbҊopIf,0?1 >i.[A5)'M_HKq, G!MZDT\>D@.~Ǫk\ӒOa(v{(m9hr6YyAcϙכ.ӭTٞ2<mn*#|*O mǽGc@pEmg ?l y?W]ൌCҝC OB)["ɠoOtC7Pw^>uz${ˌrbԸ=͆2̧ 'S +'IA} pPǢ?p`vh.9,lSUPЖpςʇRHnߍl|ml tѺ\A(V&6hg<*? }hɆyW<`RkqX z[`KbdD;/MzSc&l*3A E9b 3݁aulR[]u AZhH8|w拙{JujDЫMC4;-76}*(,n3,p2GEO!~h!!q0aк %yAjCu.8XlQbTm6sӐv] PY(7mwϏ(6~'jMGȖ#b=H̓Ԗcc}r)b! RłrC^?\e&ݴ| 1A)y%5a,%I}ϝ6U[/lXD ߡGxG0VHrE{0ĵFAC_SިݬJ2&nA~gbOwRt!?AMJq6hwPna}+CFN+s-hp`ɫ$X[P8s'stٝ\mRMJs 7^̷ʢG%zοESe4̿|PxXP]b~X͹E*$љTti8E40N-- oXf>ǽ,C_Yl@bzl/ȎF=o jɯ _we~⓻#HIF9.vpifJI@oDQlGV\I;1l' \ĻO$Zt1r5[2GDrLEg Y7L释XZ[@sc &= DžqF!vmeQ֫lxH ! kAvwA+"7@E} 5oT8ѶCihŔ6$rz@$c㤎:f;\wi 2!nǍ0OS΅e9oUa]S'e:աxa$`mLby/>7tk J)|5{<_aÅdJ '%^CɂV1bqҐaYm;Q#j=]3~6٪/B &>JʭvaW¢ T6V ޴]~ .ae4LgAǛպq'\hGF~zLRc(K]`4 wʐ~z`b?HZƼQVݜR2.x p,K6T`]&IVs_mmIk9yAVLV:YBnRnO>}'WunXQ@?sDkUSt$=`‰YK)%)K: irk*CEqJoد`C, lSj܈>  NP>|?|pm_ͧER1! m*`N./L?˺7 Qi&V&Xnm~8jB1 ?KkXi֧x^LJƐ13)^[bRݗic%M2cct{VV iFl,ChN}5y,ߖ$nowC)XT`{նsýu*jA bӝI\L.kQ=5^/ŤcrM C̰EE1Z:Y@ǣ 5ժڐS*S)GJ]"Z,$F~"GR+\ugO:}n褗8y/W  ؕ *zk?nT:Aތr*}EᰦcԳ[6q4:5GVM&]+b^ ,mf.md!s0!݈?&Lk:g]n]Wh=<]?̸uݥ= a*f1 aXW-NKfB}=l\r @82zB{=s Q`M$F\a~k!%iPUk] 42<Ԉ:s c; ^4/_GrߤY"覭6?7E ' ȘiM#pEzeogͨD(:0Y*G4$bF#?L`&|T`'vO4XPڦqj?!*r3E8@WqW,J?Ȣ': 7=Kv1\TYxuIvξhbbFȚ=kFD3ɐpض =ݺF_||uuuBcdFRR0OjH;7?A%as7ԁNQiN&\~5 j]|vTG#cWf 95Dݨۗx̝&Їt)7݅i uI,S^%qmB%TV onlN!Xٸq0 "E g1 G&|  S9dSƮXIy<|qz@D=ᐤzGBj0]\*;A?`bC0e2NdDz:6ys?v)qv ꤝF hyЖRN6MjRP3Tz*4gmb#?삩,a+OfӛGR7 ^}Cz.?l*y()R~)Ӹ^-Evi2{Zm`F;~kZ`JTK\ G@g;|P7BWJ$%ߓ7aK 0>UG㉖q}sr.cKSFF.QHؙy*Lc.hct^Ѩu@ʦ\`ƦRІ' ͙9ڪF܇|[<(؝[o,װ$p"/a_&iSCixɇPKޒ?@" UlW݌6yw=qmK;S\mJbw}FYdY)#QoR. 
AuX?ϚD2@0 5/z;Oe^5 T͇k棰JP|~knqvG137_IszBcxZzABtT?1<{ޯQ#wzXI&j⺶dL+T̼xǰv}@)g[fY$"3*;" ]y8;*"jjiY+t%of3 eX6'𵣟<`^`O i@4B5Y/@B~@`u`"0y3|WAxi",g>oR9.s:NňCp1sSll= Q/A UէIc1hL86%7>} y2}!Df3uu];?B{V_xks~x ^pX5|&A( Jv^5Yc7%ݗG©ms[T.1š<]Rg(=l|F%+O Ucvˠِt<#8~, PIiهfbۆa{jU 0q\*4>-ALlF0KWҺ<7/<"l@.M! DGɜ} s6.^YAV:}ێ1nvΡrb Rh~2/Mq!3a1)6-WR,IG68|S9|>M)ǧ#/q&~%'ԫ{0aВtKk(ڝK0ۿoj <]4g}\$uH/vtET^s(cdttަ6W΃م.-#.qx Ϫsc{"`m]^ e u%|Vgh6rk48$qaLB&ǡro:KP|z 1_AtkP]Gs7aF@b rr}~vf0ֽB[oW_\h}[[,anЀOΔIT.C koq7UXM 645aⳲB#꤀4)ԌXpn6!8!J|o(8Y*7wt@Βs2H5/vT(j~(?/W0v.YuJ2<\:L~ΎvOBRlw dLEhg3nfvI_R"e[;Rg4ۇ+k-g!!IJIu>F\g$r'l2rMnp~O.wpU&LRNtX :6q;z ;xڤݭvE Xu4cC Ym ~M\~ KWÈU7"˱80i_ WRyNJ^·{ql{ϟT{c u7+?$Y VɊͭ]f:;v,OD,cqWfdR3|h Q:ֽ6t/e]a_ ZbUm"J 0>SkeO7I/f= 0 m7nC$ [ՓSnNvAJiH ;U`_?x9aߏi>`-ܥ_͠XMP/$S[n;{u }Und*UZO2!A;cA'6nxV8йȆ~r-xzGAhg>)VD?$+P᰻w^ާ>&S>܌+#PagUiɱ 3C]?x6qRwa VJut}@760GDa_>ѮyuKhimo:ܛ X^#!/ MBk6ǣk.*GT|?!IAgtu:奚 Zn"=PS{NDq?D8PV OF;h$fƇ#ڢWl!XB{"͸Ssai:Z5>bvj#=]Vz-յCDsJKJ*t2-.Qr͉ Uj_Uu BSGo0jk{OLoakQ?e]8b袖ס?ڗI9v AYr. !p݊]o@ltݗe }!D(f<(FU::V,t[AF}mnjloG/P`KsuFBXtqƅ@ HE.2<9)#i(yYu~h #t$;=IҵtD)Ics[-B>Q(Wm}G'dOBsK'@?~K~h*:Ev3ifqw3F.0?'dT*,&4(>N$?ab#us~^ȿ3īL>[S*aG7j<`` z? tS>WPto"@p1CggUe;*'Y"8WmomVq}˯w*0*',c ؗ5֚lE&J0}ӐNV3E}G ϙě)8Pi"Jמ;{ilaL8OI=J^*(ZLrLhi+%ok$icppAIᮾ*֦g|EK.-@Z/Ɋk4kJͼG=%$>XPFDɀ5}|! Vv(-/[jsKS2S y1q=$T;/=7ӓ3.?IhnpB 0Z Pgh9Q\_z%cI_{LKU!3U${2e4;G}N_|s5 8Dw bJ)EѨvbK'ބߞi ,vN7#*]D֐BMfr6I*$FG8smϪ;&xOL g_6?s k' 4=Z͟9{E,ZD/^7Z8Dt"'2/ՓJGwf] no ʝˤ)J086=a.5LM#t6H}e_/, jL,ZE)gx$OW&ڏ?yj*1O'Ϯg !G} #*'/  i"d&߬ݸ.;|F?rցY%<: jw<bnjTn'Jl]W')Г_C(W< o#ĺ 2IqE9kn ܰOܑ5W9e(4#ݟ b3+q Y :?Y5x* ZD^-._/N}>ω%^]^U&v9즏X^fG7O1/$[:C4AA@?"i !ӌ#AKHbO3BB9:_/,&72Z=Zq. 
xOH8 `P5fʱPwޛՂ}Kn%/:J'1U Lی<-= З[HI+ԐE!<4#xAX~wM6% &m{8s?2ӏ~.Q=xGeNuH/HBT2 QO6G)5 h0 sI*=pcEUiG *9<llPpV< ^qO'=p]Ҽpk\lyKmf-σ?,<@'83 -ۀA*#5 '3ꍾo?bHk JDXR=jOi'm &[Ȩ(U#oY\UIHD &*yT5.QtչB!Ì{WAPvL@ܑ4>6H.4:!WkyvCu$d!Ĥ;UIGz:ְG E:L$ Z|fdԁ#g/4Auf 3(ӤUhv$>~1fK8ɉViXJ,(/ 7zz$M =)8Y6/uP̰K8pIV]]*sOF!iojmB uf}VW zPN  \2:ۥ,P~ȰC:}Ɨ':=탞a&ǔ#6c ;dF&פ?t2}gFح9>KV D%k{ Y|`94Eqh; X(5Q,A>>vf 3@pܪ5;,Ht15Ue EM!E5rd62i쐇.RoR`4c<|slkF!p*) H $>:Zz: 9Q<ܭ53~H({VL.+KWµ>.D=7󹔗f\(/A՟IM ϓ P,w ~HHoMbYt&n@ ?5_dU{Q"ᠠzPe60oide0-yQDz٘4>TX{~'.͌#e/M5c 10[x RKޭxRhsr3#H͗..1A)*Oy<==.$SQ'Sؽ؜N =]ٶG I%vO"TUT\&_!lI%+z$SnNg@WO  JRJ~˷H+ ̹;.RĽhu%/+OX?Xb4$ 0zaEōG|xp&m^e -%!/h$y AbMTRJpKPo& +:ӶugC ,- Ҙ&+.$6ès]KVUrV|E]@cY.h /l.]BU wkbpZ8b:mE<˽kGbE ?1@ PIet t H]R:x&$G;nQ`xo)d(Ashnrz%lw$ \Y,R%1TRSXm`e5dcPq\6R*c]ygvy =2N2]kq =Ai.THyCpu?eprH W68e%L u̫*eaG:!y,]ZAyZ#Hu gys>=:yFݔԭ%FO0ؖ1Z Tck(dL@bS-"T3] 9A I…eIpa VD̝adl\`I+D}1p+bGUƾ`\ >J@rv4J;ph(d`uwzM<-%ĠScGsِ4ZN`äW4yɗ\]gJ{Nyej*za$J]!2\IL^V7K9M _ӆCy>saR\HvP-&jIV#m#QfHx3 aŁğ+^El;P٦Gѕ#ǃuZޕFbv&hib^ R}ɋr[3)ܼJ<7^)B7P7_1xjNg_&Jm4Y `0?6 \f>|K)(_(A44Ƅcz:% l&[GS>m1P~!idSd*Zy4+TWnb ;yLZK&rӣ}{ yv5KW# QU/\f;@braT7ycJҷoԕAf%H2ضG>g@P,I*U)a:#53T`ImկctkUA =WfHx꒩W/^&djUX]kLL=PEůy8Ůhz&׶!`Hn(QNDGRZ7ɏ$ӪTJүf;* vd }?\;ͬ<U5mzHR{hy(F,1Fc[cm&̡O7\ƕ}Y,[m~9JrG \0[A3|?*z6i/{+τeݖxPLv6rMj*P0ޡzŴW=kq r*kĈL]B'P #(9O)Gv 9n: 5f+96 gu2d"z{sQ@k댳%~M"bFxⵡ8}|<[<aѩ{kaPK)=Ηd_/pzҖס{mɫbUVnL;ᨨi BA*,s} *J1\X _Hkߢ|0F&}WT'L.~DJ\)M-9iߊ8Tp'M1?W8by+%aJ˫$rwqcDzsBV?| qԠU-}9~=ٛ)]-ɕu[Xp<o_F"u=~ypZcT_a?Awf}o6"3WL/ ruM]xeT5]o,`CZM `;'g@؝ϙS1Qlڸ$Wo1.]>@ 'ddP'k˓i(>"ДWjIDE@]:Жj ݜ A;p!vj!TS~:E14 4ڝĘbWddJM:!SKUc:J$ ,PG7#["pDҗLMռIw+qYL S*lA-VC>x==Ң8j. R7t2IPhOBQNJ%\׌F @phNL] rtGU{$^mdD΅KgW69-!AN`\b.Y%wx3a1r,TFu1F;N;8Gk"b|co yNZ@5;j(& bkwdP a;R7iE?Ong@ԫ0Sܴ4$oA1Z:\kyl55VTM#?e7$vqfV 43_eYo%uບE[`(nQŕEXIJfWشl6pzm(^#Q:;i&IcL< bV#9ҡ,7;^K!Ҵ|R\7$!p"=mbB8!P&&F8 -2"2?6:: v>/)Za%=hh32\#lu93+ct-FgUTh#I$reO2AT٬?wS܃<-lcUOtv`R5t}ѭJ!x~!D)S>~rN>S, [#:2E“IJu8B8/ns܉~]\d/߅+Jiܠ4q#>H|yR&GAt[5*WPZ%al pӪ٢$M)?1z{&Tϸ)H^/X! 
7O}=xGϟ qD~D#hr>A% 6(.6S FrI(/8yOrc*aa+iDνO槽HH>'N9Q-k2%aex$/ 68)癪#YIC&?[`p@8qɫ ZNuuA)eTh}(O,V4~+?v[|04#\v 8w!vUoU``j njB/YZ﫨TMJM+SD'ѳVH32] E> /PlmT a\)ѽ~ ΈX02fں\%cVE{_|)^Q G2asnmfnVڼ?dfeL(MȀHX`^,$8S-C2 {?ْ;H\ՐX\ *TAUtڟ@PçuIdW@b#& C--;/(~99$VC/p:|'k)`N ugkaYk"a4ۻ5JW!/bfcd8Uε* 4ry/1ˏuMpoU$Y`뺻u_dl0;qr&ezY;ia_뇓4 qxaa/br1PY~skhZhYYݯܑQ & ӓX ۴4f|™++$ؐWh#:ؿ*ޟ-mf8,ԨK%J=z|- RNcŞ 8fb;QVȂU!wx q~P6*)_J%,ߧhgU)n@eNu?Lr\Q4(Y/9COE@b:N&x#vwHvH%Vܨ> wx\ Χ1Ah狌}c7'U!m01PXՉ?0oX`eb]e!`&[9@vgW*4*PLcxHxS'Ekh/j_@Wzxs.=%oʚ5VcA#f[S~_kdgƟlh 6W,{cYm0/K(D4Y!ZFǿ7wTs` {[8#$O~\+.ă y@b_ڂ*w`g`de\%6_4lAjA \[mڹ-v[98~[X&>IήdQǫ"xxlnhX7DJuS3CkZyA\' R %ShPƾޯOLe+H.[ p]`tq3作+t?k4<'YI;\:;(M骻~^,I~S6|V?)zXiܜ qbՓLêq̂5}/v˛9rnY]whFEbUZOjw$ 85VXVF98P?yGt^_Qi&Mt'":ӂG0f7^\"pa!b^ϷĿ]J}Pi%R TD}e}wᒍB6 n:*aaAIVp!Nh|Dz":##7BQk9RsM'TI:Cjm1Bu>d;NNfOkfsM"{@CqU$wIaN= hrV=%W5 eaYQn n(Wdf$I>We,$F|i}yoZv\* ivͯsʬl%rVzwN&AIaVO@"ʄH|XԻj_0C;ߤIh5w! ӳ/O%haEoM\` Tn!̾Ep_ `T0P;ZRblPj}1?y¦^†? 0CGtһ2D]o)v`5u@t;j @G攷7Uj"q >1r`,Iʤms٫p~>C 6MMI]My'i_DN nB˥B$Yϵdb3iN0wx+6_͸>D{J}nMzʾc J@M$kmEB$RJʹPtN?&7;6u4e~DQOQFV \i!t,Vۏ',On8|~Id7GʯjVҞuK0>(\?)qQ@w|2~(.tw{'jj(aoc8r-:D2oN$MP! Ǿ"8W߸%Oo\,W*9F7}/w0.!#zQ/Nحt$Oƛ/,Aŗ0)Nz_!Un'zd'eێẌ́0z4Z9K:ku.Fװ|9sjܙf ZOvVH _O$N#^s>{dԌҟ㌺vĭ5لT#2.C tTkkq_ 0mf_"t QP.h1'Cex<6 H|#0y7ќ-dV ɬL| /Vю31_I EᔝI F_` w?\-4Ipd35Ĥh$tn!sv!k_'+dZsXGc&N<@uI|{xA+%@}g tNUv:ټaM$$q&r1K}Wm%&&$Icp5 fEϘxE h֧/bL4tF@j'[yK3s(P6fVEKz"$Z#4 R B;Y ϳn[pnW"%KjJמٔ;S+BLqΫXe7%W" (|ch`/ wݔ/@bӹq W]+4Gh ݏm}/ >>!jVXSmɇeKM=7G6 m&AlehؗBtXlFI>b71EzFD:!?R.CQmoŘ˞!A9l +_M^ ،op@fb"ްY =&i#0Wjޚ5ӞAF>CR3f^=¶|i21mfKJ l,*DӮ)$"XԀF22 z~)ga ?yS\Ȋqې/r`y=O'R#,\\M՞$C P. 
!@XJ͉%M6ϸe6)[FWH;#  hdcL#j3t9.Unpޫ1Et,ܣOƘ>4a{5&+FiJ6N&tF B9Z tB7Hƶ( gᒊ+Iϒ{I}Sسo*/=oUASv yoC.v`CΗqc2*+55+:;,+1@ߘ͸N7-)603&^'v D髊1,4KtS;\H~ QR){kI=sΦ; nI ZDkB=68zg$ʪ2-Uק: 2 H%<]bU4b^7&9zE 9 :MX%w]ƿos,,ҚD @؇Xٲ XVE=rٖ'ۉ&+qإ;0l(-v2Zڇ?iY,݉]’+4ɓ:Bb)Ҩ>@jvH9qB*y qht%-t?Hniج%I%t1Tr (vJ:U^bp}^:"8 #vvXM;EX0Y$8?">AcpTGoõӗyn#D/b`N Qօ!Λ5F0RD͍($ӏB%?K ڨ,|`3sȡQ e-)U$ ֣z!hx԰u|\ G¸P&@ IDp8O?nMӷѩ@V>XsIkprKPǭ°k'omoHHsv]\ tQ6)\J?袉R2C8ŽRxXz$}/]'sN}XsT&]%뺙{|#^[YQGJ}DK⇩ X3iDl:lRKy cwm>4?;Ȧ] 7_~ mHh'%ڎd(7#pwp\+tե  lܖqQ@)\4kc,gDxN; [ҬܦIwPBd c<)K+"hꑷjdWRm[ %?d_kkHz_da.]pn[x‌)(=]Q<`~ï/Yccsf+4E /Q9TE1QX(uf1V#{oVt#4K/2vг߬GYU#p_֢Yp"W MU$ FⷘX.L׉d[qE$iwD *[B'|q܅N:!q J<_*>@I(81 h 'G'I? Ͻy9ϩMl#W@zfĭn)׬ Ct),K`)؝˒R'^z ?]MW4_u kX?tqn>ɼCI= E$#0,M~SO g,AfMcAA2 !^-*VHDzc*{wuƳ7&/ekd`]5H|)$67.laj̧v %1{D,&qPѵ7C"BFo47 Ke_C`=..h{!gAizϛmDƞ(([g<$ ,}݄`C$羇 b6LuW)P!cHasd_ C w]O'@ru ΠA=^$A}ݶl1R|=SX4|=Dy4ة_b G>5Dv28y("/\eƼ~rλ~;^mV/5{16yv1M49fH܌ړV-)< xF?6Kn9$O?Sb]k޳X54k S" %DW'e0FT)ݠZnJah>#5ZLWMQeіuNlT]TS0܄pfتX9Fz$h?"*t`WFz4?3/q'5 }f;yOPe!kQU~ @ݷ-}=|֗F8|܀@\>#R Qsm|L̚N-(/RTK J2-?X"\x b|?xsa;XB'-bf r 9Пꊫڬ5N 5p`5XHD-YDxWg!zȆf'nY>da5&];UUEp sӉUNNJ30C/LC*p齤\7 ͮi!^_H9-=D٭}K38'τa\t.ɟѼqO2TQ=¾ Nًh936/1s/h ݖ#@аƱw~gY*~ FS6)ΝoH_tM BMA ֩B: 'RN5הY$K}FUKRGuΎ1ɹ8l$vxJ3`qC+c`,g4~hT̋׿p\]Q"ۚ @ˀ|#=A;*s}ڑ"w,l\q⑐=ז Vz.IW"_MS6uxj[$U&kTtBƴxI$q![pQUK;/ՌkFc]~fkwyTvKC)kv顲|Kܷ;ܾ9v߫pX>rqdf14}{ֶ!zehAFay1 5dYLDrЌܓhPh;ۊ_PCҎEXh]$/?ɏՑ ^nb[}YR)?Pģ&z&3S)J&7.ttq8=eͣ}GW'']?2@jmCЍ궍:ukPdWDSQMW0r&NRObJo=AjVy@R@(8Hh',OOm8oQ;GȰ{(B GIj J٧^tcw`ŀ,ffMU9K2p_Or0Ȏ^`Wyܱ~o";!-ScKFdFW. u8wooQYa[dU1nzsH cΔ"`KL5#^Rr/ERS4/N&݂^TiUKd;>| ~vyכ=xF /u9"PH2RCk@:"p!%hҪ(EdxiT.$Irܟ&Н ";Dl+;UvY JW0/>C-@%.O"`c>*$0sG|Ƈ,UJFik!Y;G,@W3+pz,L=#OMH^UC1Cg_ V(͛@}# QQ]L#f4dցHZ,bqhn\xU3nJSJ%W

.- <"YJ`s|Y+駂U]8ZaR8 P wli)c*lTT2hp+ϥ73;@ҪmhZpNgAC",Of;'滑S2}UZ8I$9:F/&AloMK#KoHާR߄RQͰ!U$2쏒}Ȁ{ @VcK ?TJJWD9S`Qu^oj)- u[a[dz:?ix}`W5b #+ڽOEh@i̘ٞڋx# Q 8TFN.p.55nť`4h@d?>UxߥpYO'BKŊZ@? ?+ )\{KP,'h"K&viiG-&#FDj|e)?iEd7 'twBu/h$lI,?Ra4;u.aR)M'VoP/^E'0|")fZC$-o)jP]5*N5ΣL͚ ֩]b^LK_Iځ>8%Ǜ̊ïk*#yMTo<~ų~{ӽϻ2W'?}~)XAʨC,Z C)}c-.,%฀iʮYX9q}51|&JUQA$nEv3sC(jUM qk7]*VR#1N=nBl{c֘k9'޷Nxšm̪|Sa]5J Y0y7w==f2&+~!#QIoW t/RB*!gd_` 3;I]=+?P%H#0px<~No_ ʨP9Ptk!z^¨ ș/0Wpp/}-?Nb7I. aI/Qqjd ިby%~ֆfޏyvU"gF}Iwaý@d7y3&44L.9oZ߶UϽB1,w֞ŜNI%h {8kk=UU3`To 9Ӳ72Zۃ>eLP| ˃GzCXXB[#ld̕~dDk9n1p֜k#ۻdVIf,v{\@ͯ3ɹdvQtmI[RGPf R~Kt4.s׀`IJޞZh.ET}n駐VκIl4-^dƶkI1z~" U#Mga.+NyH>nbIXs2Dp*Pa7hfa)1;M 0kF+רBiP"ASd҇0u3wR Q{ Ȫf`iRuP%Q{ \:w!١݊ڽиXM^B'MLuޔ̍M $'èYfi kV0u;]?@ސQ*y8 ->`tWžUWv^uNqdsb/,: ? 4y3p۬i_SsTAaaӉ( F0/_o Qݗ̞~nm ;}z Ž:$%P*9MÚ|WThh/P"`^з{Pȴ㴹ǒɄo9Sx)}DRTE'Y ?yxFߺ+mێ@ Vz3ꯣn@PX2si{.dƒڿ>orC%:Y(=8 '"ڥ ,l߀aB@mbɇ JBhaw+q  'qm~G!˟0 4|!xZ&dHq;&D}tD/ZC;qIx n[ DYI@Jn~ @+|WX]S_J) }+}H ~"^Ѫ/!n~?WΌ2}+He¥~,}}8nl螫wȞ7QHp$Z8:Nj3^Er]BI/$4'/z}ܵ1kIWH=Ȍ'&EHbB;"&$.})$G[p5l):Bv0ٵx0 Q*=>/@8uf|=Cu*՘3liY(d"`}9~5hb,EcSĩ(D<%„=mDu Y\d< (KpKZ᛭vM%$EMR.d =" :ؐݸ"OLm ?9kORDaFnO(T]B-hnC 4(6̈́ZfI@-gwW -xG{-;h{0oulB`(_z.#h=wm!v1nvD'jѸ!#@=Q&1/`k] ƾ@s֭zWJ03ms1ݳZk'XE"j+9;Zv'3(?\Sy X)zqiUΥPߡ |3$[`䨩?" U,L,Li.j)vwl>wzG-Nif-S0IywæXE{~^=@+M;c1KFEdJHtf>GRسe>3~"#LK VHdw$PrNo(9זf'aonzmQQ3z~`@Tp0#K̖,+icJZv\/ϥt_끏ϰ?/\tZAAg[77&o\# P÷x%ggvWj{ur`Du\@4!9;p|Za m"{pEF:3y؇?,ɔ3z/~we:XGo#/ck$Tr޽ cWY얹]>}Zeɀh(? s,Ed_b.V2^d2-+,fW7͕v9|۔%(`V̖G*[t%`UH!Flh-f=G(e{J'f,[~T8zxWrwy'R֌I OjX!K\ wk=27u#6?pW2e^f^Z:)a;!"KJT^䚋)9tg*Ğ p7biykR=T ߀EB-Ob} ?kG:O7XYLAK0Z((  &ӢDaѺC{QV< s(\ nYq׼?%(w rPI4'h#HKZ{Q?A7K~ "o뗶{0N^6%LtB?=ժwGۯYSU#Kߝ=WY=;~.ȤS*y+ΞIoLuӷNR-fQbPfEqSv,@tPlf~]hӬAe|H7zb^HQ? 
@y_ʦ) (A83ᅞݠk!v.8=|BSvM(չ~csJ,8qm>;%z>;G bN[ }B5Z?|oY&ީs"θrF½*[;VDEZ7r}8[J$@wNTO<nHѹo=NKk/EAm P<wanctV0;Q5'p=h\Q/il_^ڵr!҃l>Y%MܴӭԱvqmw:bwChnIX< Ak&qDx7lT Jd.Inp\كs4!}%?㬾/&\V7@gd;v͛dɴ 5c"rݥT[F*bTLmWY}3 &fTg%;,{xciX(1:iDȴtYjppzpHk0ˋXƏ'iQDݎɤ=dPy&y )JQq0r-]{K0W# HiNŨ-O9\)[MܮFeZδ˟uvNZ h}$7m@3D+ 9=4 o+ftvCc +?}BzU{y$2'~\-BQ1Knq<^뗄 .n)v ˇ8MiO0 nWI^#-w PZ  $mk݀R$My km*ߟ-X5N[ݔ Wn5)"ԋ$1$8)váC7wf! G52*T_$QC JS]\\b1Q Ӎ\2^ {(pLi},ϡbKRWQݖ [7)%85A %z6'<7嵖hCR3hCms`{dcRAx1kl'P_jG_Чn[}:PUleԭwsE3y9b~؄6q ZD>4Z"ɰ(8"Cfo4Pв3\Mꥹp"B?Z!Os\:)!,tF*rO8cVG8}HQ%=Y2[ܪ\2:Rhn=j, &B{9!O[l X5-<.N/˜,,(cNݣTA ա"xb] &(ojqGkB<<{?m*AK͞ ʒ>!qE#W?v,x7J~&N)2TpM5 0=g+uT3"sI.j?&P "B:TXQT$kœ焟4lB3w3cp"zV-`I&̗46$~Ee{C4^ AqyG* ftQ/KbwVB/AipL"ŷCFYwluh]oUYRmp2-4g `4W6~M0\qlicul d5f#mTԦ"xUUn(#!Oɷk3y1BWߥv^#ؼk?Hb,٪hI IiVX! dRZC,}[cyrĵkxFPY就%bI Ho#Li:|RGMnd-:1cFD /RP%˰4f7y(^އŒ{*K}ױm3tӊg%|#3lui~R> z8d[P&D/aDBzQ)f+/loP7zvyPZi5Tez|$<<JmsdW,: KhaaKFWAab\5cӼ̅9ی 2{;0azY aR3k%VmsL%{slAl5ϪOnV/L0Dgrx (nt/bB4l<&8n-)UqhËīēiH:\s|s:+~dd }+̲lxCb/iE h@S':;}c] ӲI ' WMy[̿8c '9O >,tcJSу-Q V6E:a(+а@렬+$Zu4 ڡU">t<~?Û7n! H yڇ-a1jYg{(vt[YYULePI p:r~mΦ\}f#ZNv.6 0Ds]È` jg?j뛬b-p4Iu?qbj!2)ESrvl^cGo(w9 o}-e+\6 MgG#̬ oiQnu[`a@%g@Txá]b$CH~fue57_`H3?ÿLcVJiyby#"zhUi(vߴ3;o;Bup֞釀2Cnok$@gr~5GY~.RsY])B?la6NS?z$xyYbKBƊzb}~!VP@f;垚/՟"!g 9Q_E=@I&}Зd;_]*g*o|2 ?NdݚyXmcE%P)n(sU҇ˠoc)D^wחAEf0GQ^pVM+_$ٍc)LZF=q9~"sD#jŷMUbWD`W--WRٛA&6z$fJ9e04P}@ާTJ=É7nF DKt#q8[94|@Ͻ+I$W#0`8VtVGh~~7ET'?Bv5;]=OOYzIRXF| Flel8_m Ly/c!%ڜȾ@h^{tpz!WWS1TI?$5J]C vb>C >C% vޫY +ٍ6)5Z[xֳ/,c 2I%eRV4ުx* VX}0 .l.Cdz1ԉ`׹ڡjbرv9=[O'A0k'<51f^~*ET^c[%Np'=8wpdZ Qo-^5Ctt̐kTT3>t^K.E?fsrH~vP+Jל4GE2ztO5قLFŦF rhSso<ҌtBHmaQC@bVt>[K@s! ȁS-T1>l٘Ndeh 15HzN3X RC^:ϐQ8,nw7eo9f(Mye*Q]<ـɋeJqx@zL\thWT%͑\e>*p!oOч HFR}GGN$;7MGLm ik0mj? 1bQ]%6;kFP];Q+~IB|%,)G!tؙ?@R!;pJ3ALwr3zYș15? 
$LMfuO:=@WdfDLn '}*XpP#~-j/K?5f<4 WZפO Ax.t< dptOm*n}=I UPcP)'ߨ Fo߈^AEk|9.5Io|#0KcK rףC㣗5M;O4C T<푼r&=[ ->̧w@Hdc]IH<;#&U XU+=kr'4S[bMH_|mRХXcm[UfyyR ȢݱN1܊̈́UQOT;T|kKPƿ,ئC"'32]7@2whwA"0(u;hKMT2":gXz"^!_r맭xbD X4 )r}t*|&_}2> ܞ@|Oe,7ׯp=V#;6m"{!x7n+i(\ l<+Pi72$ࠚw) Yi lh8y71`1̽6^Fa ٘z>nGMմ7s.'$B2 n"9 s4 ' O/Ђc^06Ɓn rɰhMykAeN]u^3VS2}e, PѤ*BhhzܫCjo[~$ 涒HݯƗNMG)Hԏ ؊%1\aIm+75c3`M#){ lHlEU7D 4;HU;gyЉ @834bK5Ş:FD1׼}[LJ EE7_ŒL{JXDԠ1٣.Ls߄jb]U.ogwа­t ^+'q9wH'_Q W?u!t@b 0OxX }s[D !G+aDkؖx-*2m! :nMpP `&v7-s ybוk*π-<e!y9;MvU8`7fIP؁v%=A˟z/GI9 O)i/BYkBKÕso-$мUlHHFHJ;PV^6X%-2αvF/>C+T y yO>&$r,YW~Ǵp7zM=4D|♴9 u chLvm&xa""~PAУ^đgp#LFaQ *vMV#V6m+4cFtۉ1=:Oﵝ}W[Ra6@B5P82#^ן!8fcj/ݸg?S*$Nx`g ?w{5E S+0{͗ā۰7EQZ`/q|0J`sDz8rseEЌiftX`a\oNqLV>pjݻ3gZ|JjA&U^N&]%),W|E'=.{g&s45"팔VLv=K^5®QCMQ-XfEY!1zٛ+p)rqyTYlu 344|*ڵ\na WXcXq8%:6{3vL+At:ՐݒS16d_E6n0xxdK{z@4מ;`rԚ(WNACRPMU,9)ndOхRßuZ46]E&V^-\` .-#݃K/'} t~<ηګ" 3]ƃZb1eP'5oQ嘆Ҡb^Tۣre!b VʼnI+9LF#6dvosP,2V$$s]_F!g`XdžRr-s2" z=T2ؐtRdT\P%N.jLո&7N 2%a@k}:ïZu=&@rY5ϔwB)qj!Rz<)5;%Μ: :re.N՘cw([5er>+qYDk6|j3.* }!>+%M?s;|qy FTRwoS8*Х.&˛v }8Q 2i[P-4TzEsKŵըub.31DJ8Rd(|`;(iCq'Gz~o qO|bq&H\E}+ QW>@=lSw"0$#nf&?BI@,nԲm*]bd3PR @ØҠ[+X@Ēߨ$L,{k+rpDLR H"y&~{t1D"Ko>]b@XO ]P/6cת|F5m ?@.|$&n#%8ZІKuLYl]Zh9>4#(Ո-hG mkmJ6 h?p#?KB] kL,~Oq5^͞"-8#8EV,?["$%'i:'z!=z"5HځeimTx u*Vu3➁3Ң>-~0RzԑT#kB) 1_3mQNSq!l;tONӕ:uiǐoO40%\0p ?/nƱ3<"53{SX@'PQ^YQgA>?qj2Ɠe ɸƆ1Um|:^ҡLK@mv駙c# V>}k/+Bpp7Xg=ieR.FDuv¦MF[av-=?/=4_{@[FA4 $苮 ^0ewq?Gu wVjpʈGhX%O kl=  _S~,Pa7tsm=S6*/PuԲ0( ] A)ǚGL@^!i[ G{d1fsG̑(T'*-o=,ݕf` j<ޕ{=C(qnTK\ c)n8J73jhZ~Y*f *ah^텺 j~VJ;D='դ@f{lAN :4҂ 2䗽7_u:pLa/bf: OdߛnPF{F Ð o ɺC\d{Ɛ1+K/.!咠8:O<}w)?Lٸr&Wo&[oBf \ZHÏkۉp#"N7I%9}ܲc҂g]1sʮ {+SB044vO븆~3]JqӜ QӌZyY4M?FMݻo7: ,ꕡ)\Zv$t q QK7`MjLnqbʏ!&"y+!S[ =E[%ޙN!Ӂ8ёw7rm=='^WU%#&JB\^>ÁCu/N3nbxT)BNSMwJcT|^d2tZ PlS+8bq/tgWɺ] I"/ ʊ$6uh%Y@^Fp:oV7E9reg͞4nv>p=2uʦX$geFԻ[ qN&-ۚ4mQT?ny鸉x{j0@D1/ֳ<~Q a]^h*A@uDB4Fr IsZɶ̂(MځJhWh?z7w̖csXPAQh] $|WֽD(6]8 tqКͯFTٜ })Q5Z^% s)pE `a9R#P$d}%C Ƃ9?8t_/+u^ YBB ŔF3p?Rlb8yrb ^* ?1Fd+EPw)ļRHiVHu{{™3%ځSyR 5m*qaٝ->s@mN .]5jfI& n"2~@_1> 
DUܤxtdgwom v )Z}֨F,;ືeL_+<]A (|Iܒ co[%Ru  3 V2^[2TX[b˿}#- GQr7Ome>Qo)Gͭ0%Q}1s1c,t)Om o:[)xfZ'AMBhJH19e8 ej#AD!mX̖"[Ys!i$60P%`>;0ROzJxϋ‡аπq$nL+mA|;eUx!)МW#b?Ŷ|)cm͍bLI@9}?m33v Bl]>Jk9 VC"UnQN-[`_ʝ+A6O<31ӅhpFMuc0=C5㢂DՃs8 ! }$n}B 8(eGZ (7jVŤ~K >Fw'uAKV?c(Î9U.4# 0J+PsoA9Zc]wi_Z@'kS\;rP#ํK9tf P& i(&6a{h9~;X^=&W*IJ2`jqfm.oWVt f $gHa$hFbRߍbm|z)f*mS Iԅ |Xhg[Z2躪d َ=[`RD~ٔAXPeylظ%=4-Ƞ|ߣo 7":)_‘mT|Fz#ns}Ɋ$LzdU:uxBf[vAN=iaQ!҃QPF}dI+{tO-(\ENiNws"Eo]0WP{+mGI`Sz& @z%oZk[/dV\2Je||u:ժ@AF8卵Ӏw FGahs/ Oᤊ U NFAeS߶U p=H?EW4d7EQ|`q6Cjt 蔜 %CNk,vꈐBn:TBOOU5-$.tMxìr&REGxDi) 3cj$f:Kj]ZUv#jf,HʣTE^b'ʜ0? B6>U^x+]4,j?'~ȾhkI6FoI9_xk:Xo뎘6g֩ ʝgN7| ŷ+24,(MٶR`Qȑq+Yt\E*P Qjy};:r_FUcr* i\t|(MuMl(W";ciC֓AaPa͸cT).1Vv/N|a}'̝tz-}\\ ݏ1oJQDu89Wㆭ|Z =vڿVYM|jQ|7ftQSÝ+mA@ ַ9 }w8C+[=e 0>ߎA5mZ0R, ,|0Y#2uvY~ S; _PZS~rd>_۴ *G(|5u4V\#hćiL5K4>t7c{kh$J GX긞dG؟t Rf\눲2Wֽ"8 %*'AXu(0Afp]KLe6Y87#7 X`(+gI/$0ldQeq 6T-TvQtPeN~ {-6Bz! Ne%/>FG +6O :܏xՎ?R5.p֤6ά3#12 ^!} ǖb.Ml\&Ki%K)^TdY+/"uX.8NV|{ÄʹÖF{V4o0}LKѽ5DϹkUHܧΫ .`hڕ֪1h燊0ӎ/N/azh`u?@l@1*xxgwQoI g"vRDd~寉 Ŝ>;,p,PA-_tq(lRxO|ڊ&MCm'|F ϧ*0i|'^!!sY A Y&%`a)%QwmH$Z3HiAY]y2N!1塥q;\[e$rOEW*(\lp̏[Ꝡ G,(Ӱ|5νh‿2OH3?u!⟵B'B2xz1mdu.@.k(q&Ǒt8'4křQDJF wZĈ%,Oo`bא ~ ;pxh`p1= ި!',JSYjГ8:83,3e1V=&y¤GθpVE- =ԛkr P߷K~Q;aC'Sւ{CĉI_U1R=cyLɼl8lRꉁX.޼ZSlh3az Xi=a:QՏHbhٌRVU=Q9"VL[e-m:8 e7;YZU -eLv7%cƜ/$k ٫vJgz ! \R^6a(U.V "` ms=K]AtϏ=UP-/SsK$48u&.d^ţ0RFi U@ !UxtX#ujVk<ɰ-WNy43UK619b7)"eiEXue.A=T1n{ݽ: hnyXutU0#{tU}:@5Vg@-Hն&b5_sbêC<,IuSxr6HspB,*k%q“Pc`])bV1<^%+h vmXG ,j"7 !v45uh^APXoE"ΌiVþ콌3]'^S yf⭪B=8*|T>%;H3`%HD#Hro*#תߙW!)]} y?fiw#/hPQ+ `7L/Q`&]q3u` KDڴ{b5/ig\ߥ_`,*Qx3TWKECX﮶qTHL:=hB)QF-́ ]Ηi}$sĻ,jvArC.aqe~]«0> ];KAo92#,n49|#mRQMbGXwޛ{ܬ'=\#ְ3p1hudtҐ]?`~k֚*w{(؁$%4% W-ԯQwMLdp-K~?ٽ e.+,II̷݄ڞo ɄE־1_`i6з]vx>X-?!u -7q qE@]i* K7'7yd7)']?{c! "yXWA4"SU)873rY?x4"}UV,~EX,6QۛkKa] kjY9truuYg>^)ˀRjG[j4y-!6mKحٿ5qD >Np}~]pQ~L0=(Hc 6|UvG`rEExF;aJfjglᒬE5‰WB᧣n_=.m! 
!YNS$.:&Nzߐb$nr86buݙopsdZĦ!sʀJ A`Db6wٗX˱=rz%YaD5 {afmn{Y!JOI&K+FN`Ofx:eJ/iBj,]a1kx0yk@x&<-;63De_AdL>[e[ɲ\xӥtz'V 5)d蜄 rx9C8/FM}.& fDՅ1 \&K T \9nf?EgYjEkS3%7M~wl]_6x,*e+U*wҌ|%xy&]:nQFcNV7wdȹ tHJ_Ŗ{ϘQݲOzO?@$tƭ45MZ5mF^i/ '%`Bf.CT=턍\q][YY?+c,F+ 6H\ m*?8'^p=P_333_>yErwnm +D4ŕJ#xONSҹ[ܒ Rcː,lʨw3sByJT%((Ӯ -S޲o6KL8,qs~qe [;Dٗ|wQ+'ոDxT I*K˫?a+<Ū<2ԫǐvrwss{X~lgaJd$ [Kʹ 3ͺz_IV<)9"Ն.#Wmw|bO?ZVDm"hWa)JܱuϽ:W8̧Zr}$R!8XM!XMڠ \x̴lPMN02 >ـ{9=5X(pYqEw_n<_ŒnvC1"%Tz%Kۿ~l|r3]eZ&ڍ sm/8Y䍴Kr>ԤО) sGgBg:4ИZY a1#US J t(K+YGpG6"BPE|4Or GL"*k*re @h΍3Aq895. CYg! K2* gԛ.bg-(W}߸d'he9S1qawnqWD*+pPj @[NW#7YI&MX =^b#a9< ':uF@ʠɟ\̈bmtl[ψ?U&/"bWJ$W繍萠 #Ўe#eȘ \wCI3)8>(}@6[xM4oJ?9Ԁ.hb|EM 2N։7O'3 Og$ -RKg)UDQVd;9;65Be.Dl=K7` bLY 6m$[oV֣Ktqym|yX8(tۧ*8;7>2KKJjTcR ^LsW9Ց6WlGZ*wWG3vrW6hoBV744p%ϐx4!BԎ 5/0LV^@ ڢT jR=f(rw3߻XzZsn pTӖ`,ьSȐI.xg g}Gt'sD8f̈́y!I[ɥof8lʿk0|d1[OnZ|4 OfJ`8R8[;;`AُbD X~@5Q_rgfDe71"& b] oQ)M[Xuֹ:HjL {@j56&[*̚ΈӎWN2 g#e}X>TUSjtIՁ؞>WD!WCJ]&rƨE !O#Noﮏs| .xe6ʉT^zA n-zTy 3`u*eOwoW yhK-fo}cLP1@Z*ZJ`G:6]w7)=$RSEkQ *BΊTRlM3ŦYLlvPzW;J /l$y#WCg2ʢHqxTS"jjg{eS)ԵZiMnOJ>yX iG%H:uȔ3Hkߠ[3MPnA!z܈I1pxoTځjE{?Ug4OS@cԸZQxq x'uBN{YIܜ,.M]ȱ`:~ڏxP 8"LNhn'>؄E'g\'ڬw@j *ۛsvQZMi_O:h}mVwG&Muc6*nH}TG:*uU#tW"W\o>|cLFnTJ%w&7g\?EW+U/;e֏>j ߧ du7F0IE5+1aN~~΂ZՑ&MW''|=OYNͶITW5ѳ3cx'$HOV8/0,Ia5Йl,@<k!aղzypnm\|*2TtodK!Yzn940uBoلE/jzпSӨ g%JWԽZ0?܀'! џ.ߌ\ dܹsF)S;xs31L'9ܝՊ[ׅnA1ZGex-| 0/ᩥX焁Gzlwk~cAɎAu/&)@9w+膸_6Al ;s(~~-[lbVےm{BD³nN>tK_stN_z$tx dW Q Vz;ෛe]0Ohfebcҁ(nC]rDw'NDIxlN)tE$,$(8Ї(C:-8>' (x fCFe]CWUEm:leldrˌ5ԣWQݲ @fދ@#TW&i)s1| ~ޗ隬e ɚF:8hHj5'_d21N^HG_? Hs۠JR(|e+ZWC[]iSBOHV]|J8f]lՐ9mdWSqUA6ip0RE QԢG'1j8"[+,U3DR\W4F=dIֽA>~A(k$NB̩);1%4<:yR  /9WzYe&_K•/qI(}GQ;7[V\K荫尘bft M fa;jaԮP=/a!q m ԔP<%4ٵLW,@-0(gSjwpswnkNiD=i͊1#R`?&(oX-uuo)-M!|#[ $HoqmGwO{Fga\\ui,`_C7(n0%t/ws;U^=e..8j~5vmkZ)Vhh1`}>ߐdXڶg$ק \dڐe?2y6MJp?xKSs^YxFj)G| =5΄Rʻ35>@a+J&qp@͉slYgr͜^%@S?a $XDͤ'z(!ˢ0qzyEmJ}k6AAy >}/_S)^RV=8ס4zO3. 
Ϊ(f/$žQ&OO5د%+S)=~Rc-a)HU|KSIOr=WA"MArr :d ~8ɵÀr1ʒR1-i.^/F(b#vBt0DЇ;cH˸8BMF!Q_Y^#:˲<|^~yT z8wseQŻw5PX?K51 EapdDa \B% liW/r 7wmh?ˑoI2C\d0ml暤RÄ~IkuHaoJf[\:/y3xz4yU`/cclV&ٺ܅k/#$R̵ڊ,'KŜ 4iИM{oRdP(_:!@WwfFe_TH. @-dyΐd?6󋨉cJ~:ͨte* )< ae?"A1釛U.\Nwp C)05OR%.|Uz8Nwf]tuTbVx6$LV/||7 KP6j0=dP aR6 zƮqs-Ci%-|MS4Pfَ^_Y|0 K>Y h(Bp^87%;דlPyuFu"gj#[BQuu5 D4*Yez})JWs!taqTu[ܛPLlvG/e)5#ف\A>{a`Rw2S.Iu|6#-7\i(i`%s3~r{R^_y~Z*ژ8:kYP^{?Glzr*[<"\QQ_/H_wߕk2HOPSf;iYGաĂGpf_VFfI[%Q5 q8+e)Gʏel2xMEsPO۳߈ TҤi93F/yᢼl^uhDsY{m ]I}}uJa>Piي[>l8uUhIL"4H G{IUkׄ\yby[* ?c^Ϟ1@A rF!w ԡ5#nb +IQ&!'N.2+#8J\kb\ ̆'KS2kGeQ99"lH3S=ϰ\XԺ Pe@rF T3./1=O<\MP쓭}4m;hvuI0 -ݬ&4;`>J~Rĸ$fM>*&yP~_r鞳YnV5 , rsy:N_dU6HEgG;]x<>E&pVQՃcK&ha2#!M th6oqO,[?9C{|S"p+芼D/dg2#.Ew9D-*oqX}YSx$/7~ԓՂmV`>ۤ*Bٲ Gb&x#H Y'lM!td7h1;~1;-F@d` DE;f? Oj-=OĦ'XtZ"Z|7N\ihV]~YCU|_S׿ˇnFvN kȵ_e+sfE]P\e4[FO\eZőT;tb賘5lrvmI74sJUƜH=0u`0k4fNlzvyD.Zz{֔fa6ޭGPՒM=?L۵txTXCEwn}+tCU?;YԪͩg `-@kB/1Hx SD[G_;I5cɗ?S\,)WlHbsUdA u/.uP!+ $,^>7ۺ"7o FM4qWY?%i!6jͷCl~hIetI3tDIIf\Bpy'"atf ʎ7V#=]&KH'cOA(0vc'PJ+nVAd3 iz7cD ݘ÷JCҪMh_,2) ϲ;̡ f %@ln{ŋh(L%G!$nj$%5)3SqQI2 ktof[:&*T.hw?Lg7$Bpqd:/Eppbֲ> Ϊ8 >pݽi8;u('N/,Z㤻OĵLN%Σ1ţW= HAe4XI`?ʦzkh^Xa\箑z1"PM^v6y寲K;4p7;ƵPI``4iQGKP |+a$^ztQ2 ~ E+> sJe*UCŖ' `C=#yV(y׸ ™9 4| "ɏYEqf$ۣqje :>2 BXwrJ7(I"G'2ͅ* hr)=4 pݕB5 OlF*;T{.(~F#S{[dz "(V]z|"- dv:L/D4HQ۹x7ؾqhJ Fy:?tιziޓ'`T2E0t 4[(*(aU#?`DMi_FP]L9I5z˥a!ͪ3!V3\4/`#WpGʁu%vp$A}Zx4Y%gi=gm}(V< Ud8gb$;o, R/T$_+p"!Q/Vqy]XL(Ix74c$Ǻ'lGf96zULESjSdi x|.e}hCMRf[tV?Ձ Odf̷e 6 ʦT/ojQQ>D. 
U[DDirJOӊj Tj-m@4 g^NyuZmP  ]QC2{>m<&={ /LW›z$~g=YN}=1!?s@7vYM3`yvyMcP"Qtc\ aKF~ :W$*jn+L%s^+ G4/0ZM_O}3[p}?J%^0A Yx7Wxncf\,r9rƃA쭃WPl6X[3qQrĂW~C}`;E}u y,W>G`"+$ n6Eud@a/ =3=%IE*GKr?EMyO{>Άgz}$zI,kϼ~"96 ~&A')d8q%cX&@Nh΢_e#i91ftX|J0[偿6d1(1ڐtwdDXrH =5Z`UNȭ>mxN3=9x+G8,g(]; g^Q{4!֏b$)cV!+tShU>"Ǘߙ3_Lg{΋,JJ jn06O/$Mi̻՝hj c |@o#,bxjygD aor۬ dtK8nuѯ7b-fj;|4M+ 5os$wzT9M+cKGa5{e 3K/ڶgu?tKkp7C=qDEkCB:J8mKUϓz79tήQGɌf2UDZkq?.]ӳ Zݛ:9?BJi0,\F_FL51_>rJL~H Pk+ M[Qau, PNåFY\>@ Rc5'/.!^!-jU򌷸1H ?.w\jU.uHITZzu,ۗHP-h(TMo02Ih/XGh"5*g{o'O3>?{:Mːc]ǜ1n6<ғPԎq9T<,CD%lŸ{v%8c"\7eĠtф83 ٣-N>}Y35c =A ұKY. Q8[Z um.]}nPQ?MʁPZ mv@FMA᳕0Dɰ(.SF 6 lTPggy\9|׆J>6# u‡ Ta#%^b墾ku~BYҔ46aB]6`+v3.{X`C\>?_|FJ5Ī.=ieJ[iY]o]eډ|yIGeM3!& :*ӭ<ݚ- R5(aGFnPfN$xzeE 葥3qhj11Zۨ۾KIt,}Ч|(#kmLB#yO9EĻA1<X9WnctNTvMFq3L < q5A i]rg-a+y)BѓEs+h$& O*;~D-S^6t;JA}\%,kTf:DIFKTNk~RkjzDPNةdRמYX՘Bqx m`D[%cK\l#n_n3#mYW)Ÿ3kqk9NUߵan>vLkc^b2OqSI8P'/;a@[cV`u*0p(q9+?nKq~[Zz} $Ug0A`F9r^|uw]AvZNwna=jV?|\-b6' ]nV>khB 1:A 芪jAZt$ɼI fxNvuLkX;3~UxK`l[uRs9X'<ߠ1畑bb?,_f빶t ޓIϚ't12dɤ)ӡLP>zFU>Nw$j-0t]  d OlN#!]šo%>&% :e2T U:WhMzzeǎXL(NUIJ]ѽ;T #/+@:A2(ߕQWzi6QR5|B]牂%;ӑ};^PWi|^/"Zm4J~qńh0o]!J}cOk25g@҆;廙,m{Ei$)veTyi6pB9nu.8>ԊoUQkc ʩ`F!}F8)i"հX-@i\̋ZϠ$QQ,ƒP荁+N&Jh1+읔Bz̧r?kw Ŏ8«HР~5{xg$&jێ4B[!ܢg] Ak 8~\&k>.Lr.ۨqY?}Ӕ Wm'̎V4z>,]ۚtvVcXפrh|}>ϐ 4u3LJG9MLpyFpx(6h|=K0؏y!kJ#QIz@ʸWtX _^UHPDC1idY0/噻g9[KƁSLMN+T~&0#g*?A+ <2HJ Q3X$?{D7Uasd6L<`܉9]?7 N[X팀mEO[NE^?JDph Z#՛spe咏NEEUiƕ'ArYqkqV/ysI2 c3F65WՅ{_[+2s3WL?']ֲ'4& ;DAIJ. ʵH{HQ7Y@`+2:X/jAM:(Z/YjIbo8іa+2nt ' 2W e+=mh`vd{^3邺,<hmpl : sڏA- T4$ӒHubeKçj{Lm|@De_sz j?xe-jtr;OBO|a$]f5z:g8ÿVq0UIXv$G T,R|T?ěbFݕ lO > je;n#T1իMY9 !.\1Wlԇmշe/q/?I`F+-_RSnT# qR%%)!g/lN??+ƺͰ 7Zr6R3VxéfH_6IjT◂X._!Lc_G~$=L+1Us/NS6KRn;گ8t}fe s!vQrP. 
l:YeGcFn242G w|#㷦LQқwG%4Gb b;d#.*N mʉ1N_88Ư~SPu=&czB#I'K?YHt'~ \xnP^;>5iQ~8Ak ÷IDB2 O+g4UIG3;\2dska~*;ldn0 ߅K\D،&g6:ROmh̗^ -~Owbgmezf;DؽyLH xWY͏;2 4Mo7۴}Os!B&^u%=Qa?YJnHT֭G[I,Q]#4Iws{%tfm,dZZSs}~ii]f]l"f;2ܲY6Ⱥ<>OVHz m;9p)A1nVc7pq'VY2:k`:SeZC3hSi1"_6ۨpS`_}?l5,PB&r*a% ?H.pN;d}ļ]br $AulKmt8R®IƮUrpB43ZH=b9rWf|Y=Ċ̊ɻIԴaJ{L}*0]k]'I3bVuez U9_2*[&'pdp!>gC@吝 SS" mH4L|h~`ݗZ%v̫Vݶicd>՗'K6p e &gI<R/ȧO1ݡ_鸙~uD#nx%4fsg-ggO8&"',05om>QBudՊCƺ 8QR&ke2d penM2~jBf 4(nSPK)|Ą1CzF5g@:29cL]g1jf:~Mk{ڬM`lHrǓr$0ngSbZ&? :vNC yB_ T|k@z7HE%DF[TX K"^ 8cO$7&r`xŌ"ZOs>3¬YM?_#8|**BЁF+2f<1}.;62o͗q;ljUHXʢsک-}i[ťB+臡Q2m=0}'38w̖-r}^bLu1 ~nB] %dr Ϊdٌ*$/VV1cWZEt8wa#{w|kaCGf,mpȃq.j=m%>uu7ɓat;XN }~.  l[];;Gw*&>C~\|#3LoDJe+GPF}S~8VFRF]Ԭ`%urGXxK<W>/l̶vhαvBq~Zqv 9c ÂD_@/_~ϧuj׻WerjHhЂ w̜,6sm66O0=dIBY3(Hߌ=ixdWkn9Z$f+xH[e.|aQ7,2` .?%<+#|'1t,;vWe .H7;\q\H]d+XUޥ&]ü?T`udgƘKwb-bI.WuŠWj,959iXy$ @-gn 0"9:\_-GÙɀ]]HԶz|֞s~(m>M10HH\Ɗ3NH԰a'^.nh^6^J̼Ď[ntoɃ5Sl)ZR` ɗU;̬ bUG 8dm2By=ͩmG_g}!<6Iaǃ '=Ѓl{TYod +D͖yV?y!M0MVO,ǗH:OC {(eowc)uj) #.5U O0]ME@li 0D|-evraQvE0WKUUq w 'qzoKyF&iH*w-|\2LLo,QQ9}r^$T>EѺ"B^z!YoBWhK-ᇝЌ&:KE"@R7<*IfN!WNjscXeh4oHub QpX: z <5<4 uT2SdP W*^2<W֩]Y&eeÂȩ-9'"}OEp|AB2沁%%R[iό^عhѷx~?u.^(h{(l"gb5Z(fQv* I[3fZ9Do@#1?#$Nڋh֋nrZmgyf 'E|/$ߕ$Ž!.0am"ߠC|_8zPWqHMAatbAN L:9XJ gx6oUYw$n)Ie#/حW`77I>bG'e@2E9:eE$0/p!XU di9 U}FerE50a]D743O+42`Z|4óU8kXcT=^Q}V5Zi ͮNkL5⭐N5-y  ;:Z5Ki"F1= 1/5d>c6ܟ8%)dq-Re: ]F_#a7EB .: 0&yғqqoax1?~V9pupIIw D[g^hj0]cE`r͢( .^}fj҃XʌmPu35grI8Skܒ˝/P撺f(vޔ#[<::o,]3YyLt/gPEcQ~d˞tG7/=0"Y TT7jk8Ix 3qYnUPJZ{_.~u]'!0]fg>Z7qH_(H(M0KCpZm [.]pf,7|KլtR %nW2H':~u"؞ k 0MtZ*[S\  3\ġ_M5ћ]lT9`$|xζr#!`bФtaP̻ĉ|YA{4y6u&.پfCux%ڞ3o̢K dWydiXK*43`_Wg>_ Z_CI3v| s@ʴIV̸Y*gǗk.vJj%JI*eA$EPQLJ1hDN N~_Zpb YD)MBRm&z۫<ɮUVӪ薬m}D5+D(0#e}lw6J`BiiP#F!,Q/]EM k􅼭SǙP.Idz@2a'[z ^?R jy#<5W?ܖll3zrٓ p Y*. 
[S\6 R3NkZy=ol!!jҵV[%EgoC~[CǎY܇vbC dUiauSLT-t,83BHhG7T~u꫽H7M.|-sHr5f_y!}>+ը2 X0Zad[9-Sp@c<\2,%ؘWie֏͗x$($$>*lӖPƁ6-v, 9Ss&וNKe9PKǤ!r  Ƈ oZY];0ٚJPUf?Cx0odS>H_۹TC*S^\Ɣ(U{壟ɕNbc,pMS۠ua6PJ)B%)X-0H!a6;J d򎱎plzѩBDZfILsVQ bfjΒ:,`W ᧏4Fk L?h6oC':Zz=((<%jC`/ 14Q\T-T`F(q}C|1TC )9!yhrB3ߢN3uEC*!\ 2KuJ\#c2cf_x!cVښu@..qÁ@ܒkP{m%7Xq9+U+-fppg3paM-̊u`=?˻#vOsޖt9IE,by*qtFnиe0X&^*m#ث7qaJ8,  U9}Mheϯ9TVLMYve OLo#~G;o^)"lrT-[h}bSle"0Kg䦽wt,XqN),?*&| 5g@R(i i` WG&g?dXuf&bٻOd8j-gߪߋ7EPh?\:XDjmRJc`L2<:ު%x'N?H##:%'YD:ng)ޒHBlv5 6[ה4Z7dvA_z#dgƚ ^i i%, MI5;s,ΑJ.=wT'IJ i }ڏd?dZ7۷|&NG Y:lt~O^O0Xk6۫Jps}Jqht I|-E9\`w,*xOJfqp߁b @_UJ.Bрr#7묪^KJ%Ռ^ƕxʌ~[]ԎuÁeZsxJvތA̖=1n:9|h6܉BBTt}پP;FY һG/#:)(uVÑ[Ƅ$=JW0Cuۈ{ OA߷NavdR C'3JEưƠ161o](\R/oَF $zQ/^.u*jPdmbq{WmM/381蓓B?Cʲ* ѯe.$-2Xzl|"84F1;uBj/~6*ϦGքNb vG-A)pEvli78U6 1ds!KΏ?8iaG1P{ڙh_܉ qhϴuRvO*OJdRތ(M%ƇAƎey[EZM$hΐrCXP2/iE?~҄P=1ir eZGvwOEHskqpu.e#3xqR;­$xJ,xg:]S5|J*qԖ* 1X鈶EY G%`/vRV /$3ܽޠj$+{ >Y{k4kf*zX]IL]`F]*RpcG7DžKKVD4 s_ی,@ۑ86u ePąx__8o%1KGM/n> =5,q J7*^C g},W5r`ێ!o\ԖL8m{>nq3h<B[f rl&622iwsW dFj[bI76e ,tYp*CN??"$1$Uު>qFk>xC 0EuMWP<ѝSL|ĹH)HDZCsI_“K Cπ}٬ַ.>J ̮[2cKZ-њG|l2čxNVn̈]LnX'A~k3ݑi)Z?o"8z,&ycÐҶΦBX4@2vп=[Y833D8ֺ\DF`O ׀zaVGpLDSƸ &%QPs`( P9å$2+S3<8MMXKwBv>]i,z 7VA QX~ iȌTArV4YyHUUNn ]99q;3PO9M ` r 7}H7?GM4dqW}-QsiKT%AY7E5gƾZ;PEߏW2k2JQ d=̮7&,}m;/|}ޜb= ?Mb_:w@:V1ƭsm;'{uO:i`q[aXXOtҵXE>lUD:tKhw6ksc]xwft>b$WSL=`yu0oq!mLZnx2 U pEH4UP M+zJY:׈QlpYMgtf󣨈HAm>`N}i¦_5)8&T4\WuSQeF?&Slyuu*C>!v!OͥpPNn&Jy9 br霛Xy:cP4zm;28L/]B|PP#CBYQt^ 6.Gj]|[ZkBp@ wD\uNߧ|%͍%_!'o{ n?G0∱MC%<~\A9N/xbU(t=l\6ɡ?dF\- 'MDtZC'G qyDЋԳ^  "a:۹x;c|tSV%Cx" H_f5&#ww]kIr w= "+,k(C N-k\6yob J)7ƯvukT}J 0E_\oGjsnIa~yu-訷(d{69mtIQ(hiOKH|L9 QPp9k oX]M8qǭ%{lZpNbF!dPzϓZ'4ek9iQ s4TBn=XV>)icO8'ujnhPm4^^_ꢶԨR~ 2:,> ?2ާ]lAJ (}I e/쐦m 0nj4ލ98f9h = ]m)*|j?(<(u#RV-Nt7@ظ&|^ֻh;upެ+Sek`eVu+q{y,.hRުe?Xsԓ!!Ik{!^jnV]$5ڷ(K2a_ɒ9;dԠmWrW_~>\$H<(?vUOK ʫiԫ^+˸#f;<1;gaM'}{8#V! ߥ)@Jm(GZ0CBFI]L] ܷ9vӄ1{79;ų7]z^T鳉s=>잢yK[Hܴ`> Co.n/"CO2$ZT>~kj`w^ O5W6iMsf'nǻ$Lw3՛ *3}<}Z"jIc׻' |~IӽNƃ6Nvk4|o纐SO %!$2SL1nS mSQx6? 
|Z*VLK ]U%$e-rd:'5 G#i {h֪c9kSTu^\|_x[m5 G E1"D%iÌrTz4#=7ojzh| r3F >TRRѯtaRfF^=d)5{ O B@?c&d FљڦŻ!LbSҍ$O*0+ e%F+j欼@;gr+jfXO>% ,qGN91f(H|-cPz6$ph&SfLj+ݝ b..Kh+(>e>O;ox]I35yեi1iE .P'aF!S]>/Lm^h~ .9m6O%@E#ӇB3<{"wCA,-J+ vU,lkO[$ ]86uD 1\'O y#>^L}} Ϛ 7U( ~dY ?Eid7 4Fk*jk`NbfC^Y ӚeB}enIu#eY {|`MAOK !Jjb) ;] p~d:{zlL#Lv6RI5!W*b fAKRu>} w۾i I%MY@ǀ)+0l-YlzdY9[+!T)yŸQT AخMıl𪝣o>".z|KQ&Mnss!!AA.>B*L1*UfSfSnTO~hbo-BPjؑ|_ҋ\fl5̠XO=%m=; V ;AB,R*,'Gsִ>)+]}xD@Ʌ[k9H}S2L'"&+.Y1/P7l mZOI(0Ӑ۠.ȮhX+A ,O9P4(xB0a~#uIxwR-=K;xi+XA_+@_3bQ3tqɉRb>٢.ӟmrU w,bu1G֟/_2ek_ݡhIE}ٖ2Ǹ,oÖGCFkcf}~IّOʣe ߨ$ĀH>CY- LdNW^"XբڢQ)x) '"eox/ Ll7¶,$Ur(#t+K$3~X:"$*; NLB%"9EhM-rKnVEښзČ0w/,^}EqO.# +<q]\hhK5KԞ,ihDdbf2g" 8(oZGoil| _p KqB|.‹즏+teyŴ5l$j~{n꼇W9:]6S7#kmj8.R{JsZͲT 6~Ax<MP~{ 4*k 8Mp6zH@ 5fvsqy:1m?j+m V5]Jn.ٷՍ>_?"e(LtbOWYK. b+g+GDSӞnMRu"pOںM q79}̠E^PL5jf>3)YO'ʦJ{؈\Q R>mV.~X$dRuMm*zT$4+^nZj6adwrk ﷍wMBUhk'"Eeοo~'o- ؉|SUnX$ ͬD/cmI|l<@:!l^_]cf`ܲs𖣞nvղ99 #VsݎE֛1Z텥Ѩ)Kg +W%b;xxZʄ+hN&<\Dp}6'evE=_/7^a"z+Q13ۉZIٴ4dݳ^zTu$-M-6w/a N'3z2ДVmd.?1i AtOd̔z&",3wu ,$NmG75i0U0oZ ^SL[T Sv󱋦Ϳxb@ؼ~U)q>|?vo~Zdv-lEpk.aq[x`y {QWsmV0}/BB)֩Y HfdV ?Jq'})r ,mZuۍ Vl;8i'$*M*$zgkXd ,:~~zMEO2VYF[.7,vP^iΚJ;d:y|b<}eިM;sV:N0Z &s@T MढmD?"t{?5ⵗE|{q7->%dsk X?L1k`uF\ @'.6?@+=4y"P1\dZs}VvIWr}:%1Syr./,seJ ѲGQ<]uhS>ە,J?" @"().5 =.p}z ON{9aZHi‰(4G!%i jJVE_콚H澈G~ ' ;6MO8_\Hc9KY8a!rIЌEcЯ7_0 v]wa,SӨacK+b l QL/ ~`2113kClS} +!TEX2ߕiΚa0s^z{rAWZcR2Lg*Ąj;@%ʳ|$X jnqFqh 4q}ŞEBՙ#7.;"[YS5VBp)O8dSt3ۇCa2A#5PVKJ+[ذrjS%5< T*>b*ya˩ D"X&ҷŒg<TTqQ0,d` j[zp\!lK﫩*/A?lylIQ21^Q4pB,昛8TkNXwh/j]mʦ:g~,{\{[r ?DaOaul!larx!Q >V|  Ev8'z2okJ`š nS&:Ӯ_h@. 
}#'@|FVeO Nn'tbZu*mTd*vm\X]5s`WжW2c&^Sm1ojXʯGٴYa]Y|&;") /4*hmw( nu[Ll'T"rRo7egsȋgk$`98V6ä~c X5*L$8Gg4 ݄!]WtҊoi7 r^Df?Cv-J\b/ =|!\ӝb\B2HLЄ؎0/#0Wn#"&Wsbțov:ZȈv|E|.&h1e\}l(T5!1:k= B$РYk1Ťfv1xx]Vm7v l~uūq.~~ZiݓvG}'7|]쑂|X~OfЅ3@@Xz0uVLGtrIjddTOJN8HvJRj QD+pb/R-D{^s)}9 Brbj* T'/|SD8C!OUd$oI@7N5B [ts&Ý#!إ }܁fyVVہ@TQZZձBvHsU2` L_"Zbxio~ei/+Tu^DXL'hl~Km FL8})Jmsrk:ήF>Я=1SxDuϯ&mA{ r͒IJ9qXY>J.վ1QUXYɆFC‘ 95jZިnM AŮr~tɹ(9r7lˍ]61/At"I֖eGK=?Lf]bj=*UFߤW7?w,(Aj k%se9V3cehWe\@č;8,ںȢk 4(t>:hf̭ڵ=$ޱmoIL<4tvw2D/ sZޒlY9F6l\G/ љǰ#*SVդg}[TwʱUM۪Q.h8yf:u(HT/2O1˷ٽHTLcATiޒ0 k ]ufW1#$sYD"Lw\*` J)UZj}'90')@%B"A-gOP#(k[ U?|cΘoJTk+fh WZ\Z2rJ l18F9KcU4)A})S7 ~.skA۳>=?DG& ޻Cd"S h ^3 l I \ֶԽ%Do (;fZԮ)"6W8! S>d \H:f@$i/*RPixdžgg!r?ߔ`j3LJ*#.,GkH:*}fV֦AT1דg @ p#_}`\@GVbx+nlLڔR&^'[$4*ơ/x^N*ڣ!J@~}áu:k|'P17ИG##-\`!a DRm2KLKm1c+qN:8]Doi6ϞBxƲ=blL X!Bq!Hfhu0Fؤ]N.1#99xz.l0 MV{_7 WP;C[KհhQ ,ƺdҡL$AX6Gə(E[7Zu`2}{LM_"?L^XYn[nWDїա7J?N7k MSBUW<>al6&5r4qᲡxg`6yCsT:J )Ji9fW=)gЗǨ&|)krm("2b5#I8Axg'T2X_NJPϏcqtPq贾E;n]C.@nˌ8яNS?(^kspB?!1\ж*VbCT%9&De.BU5f!MCf0Kr߿yز+ ;1H};ē**uȿ8 iS{XfkJTXۀ~c×#y^a/"HfFGy t@]o7X=ڞ. XCYuq ,=;cF|r\Q6) =F79@[)WO3Ϯ,}2T9lщѸ#d3r^+j-Uٜ^sc[>O%1=졏8Q19ޔ;[Audk鮨bf%o3=f5]"/UkiUhGS| zʻ~‘ŏoӏȸݩ0RGy@_$lP zG,VO!riNW{\ŅcuB̓5Ϩ;S8ޕ#mA&5gbڋ{N<^@7w& 4徖xG<=OP.t}ӬC9CGnpH9Jکe>$Cdg9N`sOuŌN0+C l}!i:vE'>I:woTY_}+2ږd5[,צ3QeY9F'\[ |, N6@ PL RU49m8WGS70eڼtsU(Pf76&!ਓ=/ K;;ɫJ% 8.Zq\pM)2}w-;bͦ& OI.uB1W1Ɣ#q݇PC!V}l\f8Ҍ+WH !,&2p9xN~@Y25d$&UxeQ-K*njvrvͰN`lm?jI|TЕ}G^.®dҿoUvL9WuC^k][ŀ $QXɭrT72kKL(.UBNOSr_=RAE8x`gӖi6]/mFcýL.cŝkxSD-J [XHFON:B'Tun۪to {A *]B'G{'pU%-zB&C>C/"Nl*%6H)&/)n`}(OM'JZs{ٚ*u;#+)E2"uWOkv7 &ޔ=aSk&vTNW0GJQg*BR6ULtzhD%֑v9:wwjz@fO 6_h΃}^DrXU.5w~y*\6N3wV .2{ xߧ]<N ?|(i^>u1Oy'U@kdҗxH!b8CU&I c'٦+r\q+g)WˆJ}RzˁRJW/\>H?;F/dÖ?~5ed[&9˛_V{2±J9?A %3RwMzK$ /x8ۄi2\+cgۤ2ƾ*}U6ިLxUDFQK5v"jQBcXe5!y.vsIi˞r# ڥ]ZӛD y, 駭'I4 J!omh PHibGxMed-v6 cy]&Ϫ\5@t'nȂN'qЋ_N8Fiyڮɋ`WOByS9e&x=>𧰫(/0;2`R'O8Rݎ΁̪(J$b_`}{rX{dkmNۉeDQV8"dIx@]qJQ㤥}Ó#jyHٵG`(&t ЖdWK}k<`l /5$(v[pzZ;pAln9=b(cQ&`O'@"qy i&@@I$`AUzƜ(IV(HY;;U-m 1ExI齼Mj& 崼n>>o&ldi}^Ⱥ:'i+ 8(Λ?q#Q. 
ߊțs뀜4b(jlZNq4BBNryg܈`T` SVR` fˮ )>pa+81ӗo- ^6-S+?Um H8B`q_;*әŀpQ."3Oz[ɖRp \K0[A?(YIQxrFE鄎64uٟu(EWiI}\=J{{+'T3o~!]8Wf2mO"@nԍ!t+rZHѩ_h,Vԃ!൭ RgLsJWN!?Zb $fO3U*pl||!(& G瑐&>r@E+;P?0@}0e_ M{R\I^Y;HzczAC<]E$d|X7l+%[xkѸѿ ,o=X^f(Q4=>ΟJ3Pژ}j&Tօ^?Xb?s|sr@:'ǔ:Dp$%&O*LIO]R| w^`ʹ52!7TOm!^hL 48g4ib\>?ttw0~V!Z|v^z1|ι ި>_ ],j6']>IZRh,n]4-3 ۤM8zʑ#;Y77~#LVhH-x-|q9DžŹMEPzႩ w$)%q zJ0ob3 '9?iy2!WO8*!櫑K,l2" 7LIT'A|0N 2eZȜ9a1q`/bmK('6KQCVv!4~۠OZ,*JlGBp?#OELDPtEF($7DFL'#D(-^=r^C0;2'b[oWg[U/y@ {#1i7 YZ=r i1O!ɨN=ԏlsĶX"ږҸWM?S9a77,H聊oD}^j"DmWgZ#s":ـU;2C h+'ˬo3JCpxAuvMcB<=tQqY@$H4a;"O!<\I0\Kf$U ^XF|wx7D?4>՜.7ga7D\u۾M3oi7%DȐ"Sбu]|0< b\{" &8gkAyBhĉ[f\8cب2 H3FJMNۆ$&T}fkQ/g KKd+S'&,q0! ewZsQe9>/ڈpˋ|y\yh2*dlgH5hM4)`|Un<0$|(œMz?m:4 ucTK,P&ނ0 |6X(C8)n~_J9y#;)yy$bH 4S?rg;)E@V3en VojQ§INS`Z MMUHPgUobjgx=.ܭh^Wq!!N*C23`^J8O(_y*7n<<*3Ɍ2bvn` Kd-M;^s`&g5_5b!}oqf댹pja1n٪L!7@Wdl#Oi !3c:,alAe*#VGҶ`7Z;H@kueg8f} {zUM?uzw7& 9&!W^q"3v2pcy.2hqྴV("l-7 j+bmf=B2El~&40{:k-TUX$75QFO-) q nb4qH#-񓫚=us2 0龓e ܵ!S_KHEfB$C'8 -#WO/Yw=rlקh3 @qEםoTL^]`"YD$9ٳSLMcI;)&vRg] `Rb+O[wA2QYR 94Hߐd֠,\mqih#=^ڠX)Ԑ}g 7g-,myD'uC׎Ac طwL D[& MEbӪ?W꽚mMKfc]/h^ `Sr'E'I2EN$[s[ꔺeôQ?%%XBf9V]g?X [OM%T~,I HսS4$q:!zB!ƅI<-KmIHWbf;jI*OYVlT7<ζ]oF2#j۝/bvLeEK}ᱰmnH&?o*yi!9ɳ@-d, m.{Le[7P!+gNm T݁q~gi8;]"ͭeNoqAG^`f8:-|ʋJ9A9">3uq=:L>tWRA"3=*c [:|]?C7m=ٲ$Nڦj̬}ώ &j1;v,qy\j'H 5F8^tޗ4ek `Ɉo%Kf*Н1G?CSi>u"ۇJsh# Dǚ8Ǭ[DUtf-jo:l8CuWBZ~.,4 "WO/!۔Vj~m8WP+؜*J7܈+* X-VQ@Ҹ z2J n*~H!<KBգb-&?`DP!ۧW0D(WdC;KXk>lւ9aA0RoPQ.i:_1Zӻ}PԼ8] [5ӴxU+pSosJy"M7ȳH-s TkȦ ,vC.IgpJ*ÆrL6$:DzSjPQ3A~g;ҟY rIws.P.Cx|Fa.v)lnkR`sC::(O)~]sF{1a**s}9zPpR`3U 9]c:%;, 2~|֤حdrЪĤצ=;ӠM;Eрs2j K"5`7e+V#e$ΤPD:bf[j i3 M6Ea;`BYɫw6bUI GyN8 |ZU!]Hajk~',Z;W4G԰ +/W{4iWuudAIZ>;M!.K"N\S}zT ?,pzUuקZ_S6*BFh2)?'qiU.f18I^;۰|ݥEܸ3Fc춯ڽYjGd$4#KLW_s5[U-CJ:1fPWPʃƍ24j _zbmz8Zṕ&Zc+?Q3ؕ0[ί_*N n +t>,_c;R`y#5TE2~s KL? 
-&@kCZ;!iq4; ;wqګ`y(N\ubڲɋ ̹ 2Bc@X_vk*c7j[RETS.ƒkѾdK i@1>/˼zTԂ6eV2f@Z&QG꒲ҢrUwVroeUza |2m,yVUX-@p ,"%X9;Z )-V{m.- 4HFwI=@#P<{B^dӳr&qBd^#!ӍAU^9&*>7 jyNx̟V^ \s!~u~/ŧ 7:q7X-wu*0$UIe.X8ne/C8ٮÖjw>}Oq zrpEHSLHr1iAhn ۣ1͓\R"vߦDL4?WO?mLZ4z& d2B/sd9df[I$[>#_ A[$jE?j(N.h1^,)iq&aM_p}IeM ʲ;~L/d߯%uܿ_杼,{&ޘ=f&T6{fEf]Yp\=A>pa쟆֊ eWㄐRHm&dT`UΩd:wI ˆ0JD;3Z<e(2]M2~m~|0M/D|pŏGt,5d\ rbrCfݹݔ@fIզFu=ʃZm$nǝ&y)ˎ}ޝ_@#Gv$Ni総t0wp ?ӆpػ)1E߾f@%L֤'! %tNYndpeE f{MRyףQƧpS8F_Ͳdv`,{(ܻYv|!Lj(w@tT0'34T㮈sqЎ[kk3j2On(J>Z'ԃUXcSN5kQO '}MG,/5U?SV-)m[Ж[ӲnD6 ݕ!~., )^Cnf80ɺkctb{?(o."Aj1{#њdV<6LUU\No~sX?¤S8z~@UNxz׮9fg 8\ cctأQJv,7?T;EQF#|l$` K?d1PܸRBtrTn*q48 a<ƚBwb9>)@^#nt_o@^.49n]5".v6CHm3 }菪#g76 Q9dPCXUb+u+TW*( 1 gIRlR2/3Ug,Yv=d5@`(+låP8|xG;fn9h(^&}0m޵(~Ќ5NR%"eF҂NM>2* cRn)RDչ^aGZ0^63uvW1GH+29ҋYBEeB)lԨ3uϩ&oa: \\ATs!\=#@;p4#M,g{V k*2^ѩpiwkKCa B! /n_kVx_'`kOS4zg9hA.?6_IšsFQs-CYl2 JCxQGVD~JȽ6,8+(WB٣"TZF FUePGMS{˔=EpQҏݛkq9dw@/z°Q*h&|5 ѭ7 ;]nYKh}Њ7u}@lS3wTy{B'}D0w;pcS*ۥŎ-;}apUNAEVoN(~&]Xȟ1䂠0G|+,!jIR;'8$H/ggR7S$[PEnFg$QEF})b:Oi#g JS\iϠ=(DŽ'[˰K]6|::]1QɀϘZ%  #:.o>S+MUƢFmdrW<ġ '\6#Z)7VޱX˽񩟍YP1ύE($0a2Ӄ!˜hN2z8|p$rPYPye禶ިF9MT~Łڣ~QF ^ :>6wsY2^5@%P2}iLqO?7YNǥĘ[2JhH:~Tdv"&ڿ׊͈IqZ2EHwo !]B'(;EeR,<rYlONz0H tHM%\w iN(a ^ԃ?H2~s=o 3<13-~{\UW1u/s.2An EW`_xi8Uh]n,O7~?8xd :q󎼐ȕ8^_i-sR,Ԯ:ǶR>#1=MmT t,Et`[N0nfNg7J&\_hhZm#Z :_豪r$3mbT"fs#6)b?`O^Ts]h6I2J0}PVҞ&ElhJyNUwr~āK3LD.$12c\pA ApO<@s?c\r-!-$ovnlܭfL^Y3b̉!f6|EHδt!]3ZXR19GE äxOgi17'jre(ny[tc.վCE(t"'@Jfxm2vݒ63įH\K? KKʚ)cYyxQO]bSvöX GhV=?_0RQ|49 .i9'QBb;A\(v31"7? 
Z1ඣ뿔 7P~hMA%&dw0<-Jn\ejT7mx}Q {B/%_u0=#`cIDQKV`Tz .o*wB(QR{4ޑΝaEA|~ 9*uK7My!3`I._Ȩ^wL*Ny>!+pJ57 0{TA)hxWC$;"< LfmN͖uץ.Lכl #>5-y>]'PlR_ÙRը]niIp5jt9yG؋&]/clһ1-3 *s.@TIm5T ڬ:VMnݩZGN$^OOWaOl吲bϳI .lӷ}]WeZވk!\4M+Ps|_yfRy3%1/>  <%q /%޻kܽFq/QB+l+ Pv"=eC%@_:ȴo: D]QN(D>6{K3Q='h,Lp|ṡ%u|—K?rQ`|xJ꯹0(7M3( a)xd:ƴ UCZ i:$;ZTQE1ڗ73k}a4ys7}0P0ԍIȾP=Ս9صG0hinF@=b߃)R=;T`srK苟Wj lW `]7-zX3|?-쭲Z^bجxl,5 LSi;+ٴ0b Ov> Qwɨd-X⥙>Q)*9Ej0sٝU]<3.BZk+N:`Z>|I:籇m\"uE%犖vA>U fԭᎄR¡'Tw6]@nc֎wD^ Usj5wqٱt;%vSJAo_nت0g{7Ō,vt5I>U V>\ &wr2ݰeh>J$Ɂ47m 8B#eJ|m#Xy%9}}zQtDS]M"q JֳwB[JRcMOhv"gÅ1gdH׷ cRpnZD!js.O$eUܥxK) cJڡJ\;!g]Z'O2)2S !vUjF/㙑jAVO7:YLX 7s)6W5q~pM E L3Ү"6\.yƒ %r~x=)( A~.ɓaDba|zrP9 b6odŁ"$H2zlKWkKġ.vK=O#Cء Dk`sd*j(Zd^KD}KxȄn-.߉Vq ZJQQ(&ޣuFL: ?VyCv&c IPЩ ÕqG-/ ,vt8r|$hбݟ2 XNo)jW6[0b[ô;-g^"lg +䫨ze"`'\\֓$CKJͅкN1E0> p]otxɳ7R+[șTvט_D0B9ծDB^UAP'X_ Ory( 8FJ)wb|:Cby*I?k<0V?up6]Zԅc~p>90ہBJz4=Mr=ɁC}*c+\.6_%$\uӖg|O(L~2-ҘWlÓlgݱn9XY31 ]e Fl h:ϹDL5*(NT%1<<CfاC qŁh&9[~QٲAgWgl_>}L3e԰չC/^W((9B9V;Jl!)A[ <)VH9 I@4ȔcӴigb׊cا>z[$ rXe *'i=hץi KC,"oknD`ں[ܘv-gB[i,,~2ű(ӷfcBxI`oOfq, gB`b~^OcDnG[KC،2{儖 W_*|bQ1Vn2#_l?/ưF#?q/~̜knZ Nm]%A#?A U]ALt),X2~+WMd)h>˓[ U ,9uj̧!~gez| x`+'Z 4I EOD@lO쏫`xqHnhUTnd}#Q G/^?L%Mg&aʀ0aDd׵]>tXM@n࡯dlm,9a̺;Y +0iSUmƋ{gdӵ渰X}RA`xq7y0h1mXD/Gu_9*~m0HZ׊ s:(@/Jz)C;}C1QYG'BP%bg ҦeuMGSN"W?M4iok&!`ŎEE$ɚF2-O{J/|<\%w=j}^n \U>K%|m~%݌H˭4Ą]CWWQs\ 0>*c&BX,7if?7XIRҩڤg]E'W秗)ђ.~n[iBw4qB1Gks`.k0KBV0\ϗ-:?%uob.;jh}{(e.̵T̽Ra7$Kssq+|2RaY|n}.̨0=x"3&맪造M գl{2t0X: =A@e ߊMm_NҖ}n<ݙI&P8K7^ |Z=&I~}[WXvs}ﮉ%{SdL Q[<.2:c axڊbc z]巉`.OXߕƹT(rnqSg*8wCkL54P0=Ҡ2V, ީI@hH翉'V}UƊ/'ǓM`TBìc/Λ`hGIb k{3c+ŦI`ZM,Ԉy'MI`dA#^R=(9y&w+0VhmhڡBBhD!1aӕZTۥ#:w;oo|S3Q7|Ra;(pB"E|vHNBmu8Q_Yza[%Hѩzeklv XN%ed}ߒ{{aC|L lP ۫gu"R*N}BIעwUxQ: %{Fi9FQN5m۫RQ: p`+\AtJ|Mz.J Zrx/:6@o3hJfM" w-#ت7t8fxtq!i@ AzӸa{j ED# ׼c<22|$ O@ p~ ORlEdq?\@4 栥vԅpnn6[J uRF0p`\=%b9ltةNq~z<Ř^0pB^S gg2 W0k0*y-_۲Y춘`{ALtlr} n~+kt,<]}!: }ZZ8 }S TOV}zlymvdʍlN],aHQ!R{!N/d9nUz' (`M+4H1aY|-;IpB+jA;? 
D2,1Ƭg>}\Zy[3yu <ƦW|e3_9 i qiD1+τ|x@ .FKC <>"MRl=kI6(P%άcim#QutW"}-X6F%Wmk5}Bu˞CDfVa#-mool.nBGMHMM`9s@ ~6F؄-IbHn|U9C@h((*Iӓ7ѻ Σ]с-j'L?uށ2֚Bi kA*eՐC^Pw:7?Ae @lG]T1d^'aSh6FaTv]w$| 7grØpid/41Q<ܛ7̬(v_%#cO>r&/Wa[94Z%Ȅ'XV&~ZZ&QRmH8wf 'Yɶ(IoLT/RZ$z +li,5 "OV2fbDlِ5M|D ȵw2wgUr֕&B慌Q2>..7ì:Njtԏ-cAzMw֦1]Z2HIۢŦh9Q| #x/g(aW\DrsdƙEtPJOi>*Os{S+(Փ˞J&,Dl*v?P3pAуecrRtSHAdw?iV>ǚ+s"vd9Y%7y4u'z wr ѳڼw=a)9^2dG0ҶmDݝ&P'{KRqpAklpd^,F^_jNZ3%qz& !9m]@d@Iְ;/dZ yku.#,q\lOg$,[MNtDDN:?YVY ZLӯFKrplhx53hq8AVV¡W>29y?E| k8[wmSF3(B{fDJ?ԳtP̽ w.km}?}V 5XrGSt:Fq|)uᡃ$唦v 76mM=tNIǶF:U G$xb:a Xw dW3>~s4EsOnVٙ(XLbuYcNt9)MxKZ)6{ xYƊ.CSW tʊ,E:zdD|ŕ+ҥB2"P lF 9G_ jL~"3; 눱m)°R ?6@G }K1Q˭Gþlp8LgHvu\212%EPb +SǞ=n;ߕ BG刢>Nutty Fx*p@4Uv{7QzT׸FšmOj)PЮp-? x;jsCB$r-cta=IAK$ 4E s'ن^ԩkbd@&j^.. Ii鋬..$P{C735p,IUߋ.eRTH*KL#:p'è\h"=%ЍCmdݰ=84+o qBE gXv%^66͡- { ǦvbbW-t*A?IO0~Z oP6P]X~OSYׄ&s&gx\mB6nm]+a!^\z 6Xo|Q' A\M`[LDش"&V2j6g8s$,5}Q&Qo~nṗhn]L6QM"HY&lM:Djs) v- a;طM°9ɿ A/I`rlyqa߯V/ t,NV~º#;PG^9T,}E|m!0"2WZߏ- PO IЫa~KzuC(S| xJ03KcPfe!Ҳ ;ĭ?3A|FZxo-u;n7nKGX03c1^me z!Һ^GVnK#ӝdħ2\4ːYDsMbLȱй'Iʲr䝾9BП3]DŽ5Ȯ!ʍ*g,/, emEV/׍ ,=vIvDk!;ɵ {?AOɭR{@i Le l꫺+_(Ko޺ 7': Unj^k8a~?f"G;) &uԴ]n'lHI7+~[EA5]_悌HBr$Nl仒r~B h[Р{Icx*,#ǐ@r#ܞ|7#L:kw6 glkr/{uÉݤ+3.{(K},zD" ;߮XWZ?p- 2kF]^/;,P=0$Ԍp| Ə$8u\4,Ɩ y8dWM),FNb.%yБyQydP} 7k`S(B'[`",wyM@}7* S80Ei/DZRL>~_$C&Ez<'WT1s DV>l,X fgyH2l,@mg+ ʨ0JNR~{ *bwFߦFj ڰvuxtQ n5buu d7%prk"iZ6( n\d۪H͞]Y+!ʸN:YI)ލ0_>3+jd1mX+ JK6q?8j&Űݩ$~3舘p7չK Fi T̔"RM.1d Bqj=hy޶׻='୶ѷړJr5. 
{e0uw!IIݜG DZgGU4gbfx6#,!Jc{x#^?pMJ,_'+[4^ܹBs"D48 ie4B0PK* Y>5}\9& f{teIƸ$'0 =u6j5V->O3Hy?Fś[R< :I2rֆ)@.W gx~#?SnK?)Fv%udލ[MC41'i1j۴)1K ;PEIL'cO0O9YvɽW薪YUwbhxV&Q64_٦Dʺg;K.*ZjJ(9gM= -"O㫉ˤT OP[G1GŔ s0#k9wXTo_im(x}|J)M6b]c [A'Ke${%ZMbȖw#8am+%'1߁FgRo X`=u7U=?s$ [ ]#,xA YOt8`tBTog+yP"4NNtü.mMur5ا쟮9DLo^|Tw=ﱢ= 'ԡj}&`szRwjH}>e)D+."Mu72*L7{ʲ\- gc<'( Nn\jxugN)O꽄8x0m_8ֻ'Fjg܎}Y mI>݉z7!=N;ͶFeg1!u]HXGT)oW΃SYW"^X3[/1&BSPpQ^au>ep^=vٴ=,H]*jÖNuXO\eu^ :M윭Ajق*p!mmk1U~eA&.ZO7,b#/oErc]41,cIRor(a\l1̥M 'BH¸ၙ8DxɌ y :[|k&VHA4ƻ1 ZEѷI?#(‚ "4-Jgӥ@R>馨B)=bPcUv4 bQ5+Fg~ndfRj Tvf -Fcď&~()6уl"J@/W$JΈe?ԝɚKv%f|v ._:Uni}-A6;l)G(gv=NUi󙩼G𤖕RGN)&+=Ao,B&al_R{ `C#7(O{i%bljqRBp%g2_<80-л`}Hz^뼘xYUdGQFV@ ~jղ󉭔8YJ^i!j'݈_fw{Pe+^p'*wgن=Àu%H1)pï em*hMh6ܳG)&9&D`\y< ``_yBz|`IԶg`i5,~ypE_s*j _h-YSZ[<3-m@'gIl*s~~Xʮ s114VZbD0Y$O#!tb 6f5^?[w8&&D-VΚiNk1F(Zrz&E{!g[qwN5 |QTM)kN4}eb,Ie5Fޛo=R.|{Zd ?Uw@MZMG961;JSk(ȸr yV ~#+ztʰX/kv+SΔK $ =OSeiCo;Cʏ &TlbNh9|f7K]]>NmB #R6ba@Efp:J# qag|S0^(aǠI+.U4 (ġ!`x„Gl:[3.r.5.Γn-N!Y.k~ϟ_o̬EtjBے,ДaM`nKL`W폼rg|6 7`ZaMipѦ *ϛy$=64=Nzܓ \c~nEa"%D`1}Q  g7_gUȲj˕,-}/l:q\zgsS ʐ6%1xf-2`#şl,/xU魺&>UB 2w4!Ir@<*'vn dܩvnuJiQ LEe衔 w$ .SLtu},{zA]' *|:%SmpL r9D3 t]< s~zikz ZQJ,R+406$1E:NjP!Y^1u;Z^Ā@xxʌ~ϣf!'1wjkeeՃ$m["yR_ $%Od<aN^SjЕ5+_lyq'SlXo%1H̯#5ksUr<ѯNOOÇiR*ҢXSd\͵w+& ļplŒvD6CI lE%=Uιj6R8$7B׈2j[D}x24a ; d?}G{>*'^>]%< ԸFc5m kĥō,k[pЈG ^lRJ z^]3Pso[hm\/XǻKW]%Dp: VnI[= ="gT\C 7|:6Փl |'Y^ı2 v-hlU1)C6J GO[E%u煵{nﭥݵ &pU48QJ8"nmXaG](M&*pĭ ތR+euƮj 1:m'Rf{}\uT2 %iSQ;)Qj5?yPQ @$? knU@hEMSl(T2LQM 33ԒonoDRA4EGIL %B_u#'JS-aOxU~Vr P3A׬ٟ$-W?lf9vºͪQv-eǁ38`d _Kܲq>N(|P>)e#TМ.[w֫x|^6}+х H a.*ڶ0F]0R~דwwcVe![ɶ1@6J1?l뎈C ^{i]z"&2@/.RsA ؆oW3?;BxRsDo+ȋR$: /nڊ_?|],;g` :^~WM<'̆å9O܆ZZ}Mbmp0a^ɇ!V/|C}Y)gN8OeS=s zav _ m5 FFG3Ezl\:ٞN'G۰l{A6םs7~I9q~4p *| ODH=L]-w8GM6 V*+9ъCdJApYL|hm"|_^U&.kЯo:#T*8Q%W*^vW`j3,g&r(8l'U5G*OJU+C~k  ̰+ 2i:Z(_) dEұ6z5eVQL)bF Rxvvs@NJU[jgdP~0Ӌ\_n=Ӝi\Qim{K_y/DU~]gnŁHJ\Fa,qmHvzjuug9Z]7iDőӒ 8lZCvE H2dV\%2="!oW;m6b3^<%*`)pk2d~tBZ_eW2HB}0%8i\i@/3g5btF>Չþiuۻ-G S=:&|u(Qs("$d77®J*ua @k>?)V0_3~!0h$5lFba ٽ]SY%|dPJ\'+aFڑU? 
(g$Fqp] .;uٵ)ViܶR+m}O|f}Q6Xor~u/U(= )L$!PڧAMpђq(Bykj'YY MζEjj b_ܦkQYC.쌐ǀ4vD l|iR{ %2nc9o_3-oe&]`)`mqTar3h)7l,OrZ/ 4m3[LخoN H(>$N9SP x ;ReAX?+5aq.örN}=Qc2igL(ry[&jj`BGby.{گ$7yj z5̑pM3ܔiuW7ź`G5yFljZŴmw-| ~z_Z#)vQ`ؐ8k?#aY#oZ[-|;?J*l:*\ڊ)jB辣~-'3Q`TrRK71EWOn 0*E_]^FgΏl +z"E7km$XA7梓_TM;՟AR)9$ZZo^ί86o?T}ِ,d~iv>mD\G'Fl:m38nא蔡69Uxd/|r4<:һoCi]C,,3''\k\rf7X:zW!6fl|ӱKyKbYX६qx!zDFb< >+$TKE@, |6@vPRٖqkdžD wM~]=KNyX5ܢN%t80$3HeUc9Uyg^[z[_v wP['OkY6, qg+Pu^ɪ!p/PG \D T 8l+)eo,(yiQ7E~ٓ{:zc]C3cC*9 |tjZ\a.H^F>c`Rs <:xy΀'+ q5ڜ'::Y5=̥QnՃS ,ji{5oYoJNYl4G3xU\zH!M>:踇ЋꬩKYёF-E;5 跏$#I$ds?7iƵ}ꞓnBP籖%d[ԯ'/>l堶.\Y+Ad6k2SoLMImꟸLmy ?F]Ku<^:+\M*/*hATcw"I0׌ V'߁<mhtvў㳯"u_>Evw3ʈ%~כq./mT3$+뷙ޠjj{' ^8VtY2ٱg< HBlu3m>X?[dl@M'Ģu«vk5UXfy˂7 X)YפR@V !kչy ?ʻQ=Ó =A!YJV=3i"(`WI7X֥1]j]{XK ވ\SRsfiUo 3U^'2l4 D5#OeԼxQV/d3K:Y፫3_=o'9PN?xzܤT|a"GLTU1 pK _ F $*ɡttϩ4  *#Һϼr:v#O K\d>Kߝҍ @eNL5.jȀY{p:h!NB}<\k.aV~^.~ 5܀M5']&aYG̅>>B<8ZNO9vhD̿mKχDta *zDlV`3(İn%t5{ئBAkw!+;m7&of)G'1H;ȧ ͼ #4>SȂrUZ^HKtZ0 ͇7>;3Wvc)BD83d0X@(,&y$%OCq[6Hش'%9b$-UN~k;STgsq<ԱSw%HlcX鶦GC‰@!<]o(("$D3WXvM8f2dK:pTm[n5BҾP P.˔簵 ıАeGLF301=W8qd3!0}cU y5OԸtw_2! lɑC`*!50\ƊkB:?k*F=Qxn=g\RU>آHY51%m#Te,,CXc>3 _x0Z=f,IUzF:Gَhb%ḱCү*#( K)5s D[O" ׊i:R\4 3%,ёT@\h@[Wapu!13#!a0DFb_8WOq(YdZ8#:Rb])? 
jVT:1~wt ;Zko{<8Pk#5uZnPxK_[n* |xoL]"-CBBabdԿ&(k)!u<єaryn S3H b_],Lf3 3N0 $t3$gg)϶5.JZ>ZǕulp@r0?%w(KzU, ]E1v◔SO.y}ٖ|Sk6r%-s3`EH:.:؊/&%4y!6 :ⱲZTǝ~udokc E+ҹ ufvuxA `As5~_b݉h~IǠ,S$'.V)3&2Ob'Yq ;H f Xs cCu冼] gğ4״Poeȃo>s|:# U1[V@0f38?N Hlo{ڤgvT&韍,pqr;n AǗBb+2N'DVBG@~ι9a,SlVNqr !z937g8m7_m9 y!_O5?8=7o'k0Jy1u,CVoGm..;}m7BqI&ώ-iR`֨ν38WO(l$HV(7瘤L1 ;_Wx0kXWMuf6 W%_.z"K #DV˼hMTc;F`xqo{]̭CAۍJQYcn}^{S9#ożV)Lx: [4kBחG,r#13C||]lr3Po-̇@_WU-[ٵ{|(i٭+Q8P`oN,$k.xxHMH<տwqzCPԡBn9/q`ӥD\O2t@79RZeaמa w+u4B7t$1sH' Z&INrnI:FhXŃ<L#Q^ho4G ̝UA +$϶b L{\W(5$I<ccE,I\Kn7q܉Ҿ9҉>c0z2h/]9cTw@uBkL=!'s]Qt;k:XsAaA<+c]ՎNA_Lф?ORETIh VYH zG#Xr?~śQާIsj؅&oZ]Cj0N |wQ|by$SȻmzIl[]҅&ixz4s+g/D,I?)%xXr j4H7A&Sl`MPN8ﵧܟX\/Efҷ[ GYlj\-p?`^sYx8rLBE'CVj+`:%bMt^0$2o!+8D_sb\.~Ez<#ѭh =)hc,|-y:SRU{\k/ ʩGdTYNڴ]'}n,l*mr[LQ: t?&׵sf>)P^,8}M,\s6|Bi6nءw@ sDY?Lz|܏ZVq$PM9> ؙy'=֜T νxl0,=r(s5'&I܀"1Kk!K`MyAɁbXVW/v0B?}׀ǵU;6ZW(}lK}^BʩH3ӳTf׳22IQ\0ͳ}kҁXHA<^.`I &%h64}tu 9T9{3ZdBVN7-85؈FmcֽC lYDzOʇL<A}y_Tqlm)PW|uy]q"l=/$~ (LRJ즚FZC="iJ Ƭ+:-r[Gx@t,1pOL+&WZ[k rh~8*[&6Xyr2rl@߼)/b{'cbBSQS?DZ` KX9K=Q_sޜ▲trMHI:H ?DK#˜)B.3%a&V#|0=T`` ( ,%0ό#t[ ,SnrUfhAj!Im-'@,~02i^80YJEW֌wZE1G}ԖMk;uBb(.x~ߍU&$¶]o"I RVFܫ9gZ7H+^6T^u NfsڙGljؒ9Uԁ&RgFCV)b@ QQ98oն g-%*sP",~;:;(wt-Z&릉D7˗nuG4a[Տ\ Nci-Qb&T/QLMAKBO><VwÕ_Qqv];:g?E,ՐAMMAw8nC]6u{ `_8̩Na/}7fBuR/Ή(C CLN*ml\$?Ԯfbol qEI(("JgnM2FW>Wp7a0x v_^;.D`EU,r54$K(_iїCgٛyjIt1YzzjX8?/fG)%땚UyIP&Jj62w43"I /yl}nŅPn1&`[lٙKaQ|6#V!b~|27bZCID=ٰ5 K+_%Fi Q(6ؒVp(,FVu[.1tAp ܺ(&#J O6҂jԿ{gL./SPXptjlqxw86URˌga'bv&F'!n{ZOk:. pL|ЫJQq6 8t֢gIeD GA.ůpPZZBѺ̸J-V6E4!?kfͷCf7aho5@@$h-kB%Mk6A+ZqK@(Rd?6 ԔѨc3VpuWk ;?^g׀VKij+ sQlހJO͢{@?qdVh"Vjouz"155ʥY!QIZ'чZ%|jFO]2 y°'37lbL=6{Zĩx0 RpvOAkCBQd-Bz:dxbO.oi]"1sMHdܘP̹#%C6h(.Сc[r VUwntde}A<%x/ q܇6\}h뉱(%Xy)P2pvQ=yڍ앎ZzI`)8=^/05W{ \,1a)`A =LgH)㔈m fq`To -޼m9q)T[ )TѤ"-.T ח 50Ŝ0 *N~VXJnx"$n>/Lh{wOC 뚜?nq)1>iH!;9kS$XlyfX.} <׷(Mϩh)XghnNl@_\A+ o}w ƪ H4qs3# sd4O`D!]OwrHPy "߁@N FĚ˿W4i8>%¼{`s{d;yzxɑa=\H0NN>R\"-U/p*]7} IAPѰ֖,Ӽ v9Ri9%M~A |# *1+ZaKyʍ۪ i/FLx?P,;]d\L5aҴ-WGZvC:K翑n:D7#ۉ?CqOݪ=qzMMn;jP]hv{N1*BȰ]! G }@`Z@? 
RSVSC+(yJMEMUEq<0INIg ^:5ۗB@g5İ6go(p|QFዙ;jY1q>\gqU҃aLia-MjC 8W-TdP 7} iNּ&. N?ghI1(Nx`QC6V6(PQW1XJE!vec#L]9"Z1D0fT7u"nAc}ʭݙsU(%7أ] D_vT~""b|7 E*KpƗإIN6>1틉dٯR׿}haPO/]>q[2{rlQ b։)HEC%лuU)OHFwp L4œ@j &4~1fP/E^͵a1}$e>g h +)ҲD%t4H}WeMy]u 0$zHf,#@ﺃ$Оt{c5ȘcFz*M& U/po|N;x4x{'׷V ]J鵜oT_n9PLAl`ڷn?xU~ u7 ?,aOܟvyz9U0l$5OyKd0EK<ԘB5bJ5"vp6QeD1&(+뷇_C[b')M>CiHD0sӼOݮ siWc+up@;Brdf@xEp,5;7yn=y~_TN.X/@PGݧEO'E3b:(/JC.C]Dٯrd~ k,_ё(:9o=> 7rhUM?>Ya8c7 75Z|[;!tڑ=Ȑ% e!了V(Yxˆ&u7Nj$^ ?iiÆ{ $6bz:gP`lk>1=E5+&6i:I^YIL"pcBohhXVdg>* ?18Wi.$+2fc-`#2 p6`9*aSu4/^.f i0䕰Eg_̎jJCK389N&g",WMmdaONFܑ1LGqmҙ蘢\67|T!n{bss-5#n,1y#23:4xHu£yGGW/eԴ@^Ȩ5ϙf@æHN\vsp9`ڟAhE,#.PaVhqyG&RTcUK >ABӗQz#WCcU0Oh!2Ƒ/Izfð˨ IJ&6 "T o8S'Xd[P}hLjz,>a9^ImM;_@A#+OFG.RZd.lsp٪a<(|z`Q(w$C{: lԞOJ֧s%+buT),JDt3#*q_\l+ =v`a'9 Zť_˛#ykX$ %=M!,7ףP~li5S%#r&O_eiZz*Mq3T&;"MWٝ#"t䧇1 tFq垨P#rЀSADj<2,~y GS}ZP4k0ATPhA<ǵ/ 7B}e̴Yjm0R#jWEMHהiP}ABg8NNqZìDr~GW C!/fP5xpI g> 01X -Q 4a^EhOT 862.Z#{PA653Ț#y̭jIy/wXq`j>n IvjM5/v=r!zz@>|IlUjk/_]Zck= z!Θ]8HF&h[@21#O5m$ٚ6FD= X\Im6:=~ <qt.>I7|Aqq+*V1v"ݞ|F5R svF#J'U р+Wt. 8 vU~eH߲_ l#۔$ߎ7yϭۊHp*We`OQ^4кLYL85yEY?)͍6)źM_Dɬ<dJR$iCM2P'gww9i A{? );\*?ѦHPθ?aV4e;fC3 3~g?b=lv`gU,^""ȣ=͋tWȽnejTk.qxX(ϰ<5T6膌z@7Lvj6&WĨOԃ6eH.]˭ZTAku90/ia\^)pNG''-im/WGL7qS84L8D,tfn9gʒ o*Hp k󦞖Jrȳ iǂd8wǗӄth(k`9VHBf|gWЊY+$*6sAR .¹&-'@~Lp7 _30rM]\|Hϣ\w`l?K^mƲ遲xLI" l`\9%68f g E~+Pz4_ZLr HXlp +h: `$C)mS~GY/q#KL,S3yP% :6z'M50?,W}9ѿ4G]9W.bBƹj66]1 Xo&z'om ʬqAJ' dl^m ǠT baFixI0K.FN/ Kb)v6:~n 4"',ms|3=`!뼰 CnI%8wL}iU8`NQ}-rO>GGg:+nQI ~?8$ۄ$D'蒘]3R",>*+}a\vVm|Oqr'qZ% [G 5!tM-$fuc]oU,ZN1q{@tnDL8&V9BHTN=_t~L7bd l9^N*w W(>tcPZ=ҒkJD]1╯Ma4@e༯R9Fw}Ќǜ>43̪bra]A 'WN?dF Z݋?f/n!_vʊnUܮ/q(S 11=60##^/W#% Ю*ЃA|M3ḑw>?=)H-/CP"1T-?$.)/u d;L׹$Yх"!~GX?|zg6\$1AG Vj"&*i`^{zD'f0oկR)00fum➏dst.pV{C3;yanS@H8&cHqB^R۔d9y8Xk4k.ӵj E pA i, NqM"?W|Ԗ4!`@#mcj(K .f>m'="o]kv\?? 
zԱ^ROTؠtJ}B>L̉ 钅NCewEc0St4VT) (IJ:$Ȏe ^q6ySs.?H vd"' VڃRu[u`4^!޴b.66|TGס #t[&T ֊<70O%4z/U^p+ suITo5 OW%E|c;c+=&tyc"Oo$iYa#mQmnEUihfnv*gPm?ڤ k.£fc'-a'd`&]/)?3[k둺z O*cGKܸ<6ܓCw'.&D~>qƽrr"eXrqdOE ͩOX4EM gV{-KrQr~ \yݤ;Sl޹RCvӯY_R[JH!E#-(,+QFk"89 ,K'/|zTE@3iLn7:pb9? ayCx AjIe!0Vظ0=JvH`TS)%̼:'~x#E]>@Zaq0P:ZUG>",u09ft6e+M;*gլ6u6_tMXyNpI |wǨFG+4!juӵfJ+8~d3%Ne1qbxi\?N]{MϴlHQZ\pkH(wWpanԉ6Y}gU6U ᰋsOWͱ_>!jdpk%;Tێ[TL9!k+foP{O,s?Spujáh)/"5d! Ԋr:匒G>}EۆvɰUVJT#DH$֑+l#*  z+Ԏ,$SX.Ot 3~Dhgn0~%^TUR#cVn<)zVB%R}Zzx# jEQ%Y.?ͷB˵wBlOf9u~,4 PMHrEƊE@zyt-jqm'Zzmwش7.J6.HӔOgqնwv e*68nOc ;]#̡nXZR"cX.Sh 1(0^l% ( Q5jEP2ZxrBK,2VȲ>v ~gp GXFU5ƽ%c. pD(٭Kr^RԪRhY{]CAD=zn׃60*}&SgF7j1}kvd}q6#+KN>C&[FbGEҬ @?r&%=gN +ĎE||6S|!l&-h9Bcx~WTLC &cTari2"B}~+'H̸p>F50' hn&|Ոij춈B@kŹA Io HcSIHn(`E{\^aw>IQ&6,O_>.bٴvjpʪye)RN\SٵM7ch̀}w4zX:168S\.PԳ]srAfYgfVjſ/mA fb2mLhU>Vp/z PF2:֬[{!r8G/.q13YHxYhɗ^&oA'"~j5Syc ۚZE0r΀=5=6=;?@Q=S\J8:_5157=WϤ ̲Kz0DJ[0ϝ06#VaZJ/|/xuZNeQ}ߴǺ#([*V aEBq׷N !|P:`;jBIeT5vս{ 0ǯ٢":Rmyȋ~k<ɉ'M;Og3 :Ƃ>>.]ޟ7*rQ*\ԲrJZ7X? PBv k%DnVDZF5M"jeٸn@E4EjcK]>(BjCS"TOm\m NЩFt\Us|5geidzX;o p߬cﳂ1ULؠ,c`v0{Cp+~pu衞uY5!Oxޏ){=y]u5>=օYur}pA`QP&*o{h_Qôf@GLwΙU\ӌ4}s$|v%;`>j;<)Ckq9U o ;u$OSڙr Q`]y60XP*5* &bz5Q+ Mqڕ#Y\ZbyXF'1 \Kxk~:lR_G"=q4ijP6E[Y={7Q-6:#1n:\Bm1~f AMy>04-cYjn:bcw/ (* o-PxegǍ}1 \=_!ԘsR{D99G4-t%?Pr[Bw˾3 hz$  `_xbI/WY%׿Sh4UjňsO`YND6K"6M{# AE*- md_`_$7kcMX: Gq߳*S, x% z"\F0k|hz# Wa)q_<`\pz{F. 
O}&%L-T,z}inR?B$Z3׆PX8M,t],OeB^X>5.|FdaF9i F6RWRLb uiho`F5Hp1kjk zA_,ii N3ʹ/t9c[,+g6i(4T(/2eaSߓ`O``ٽ5kM_VC]|dr it%D)[zy|(@ GbÑňE\}: xv-9o ؈ic0 QbI9֤IlscJ ^(osk/?J KqPW{@ez |;h ,诗`0,xUSܾ`D4كiqTu vض='gl>mVшaW oHM݌.D1OѺH+me4ɔy4gvxCV:ewYBO^fדR @::"laU*;L m(ap-)ZɞFϱÅPh5hT6A%!&Ӳvr(গHإqdn/L18D e Qz(_F4ypx} Z↔0w^c5+ML?;QjM:AvRQ8P[(vxKAkmdګfVͺ Q2g Mc{v۔WgN9KjʨRB$=?L幹ⓦ> mV^4+B+_qk!%ktDnǻ$.ȕLXT?bل w囋sZW،R8-׍79:qE3 H{o[ĨJ" |_4UwFrp;eo_IuW ySx.m7:>+Ƥ' C<$Tz;LWFIԽy1ANnnO)| -ޔ4sLw'z2l" MT v?-ă^`ԣ4.fYs]{0y JprͨLRu:b4B&9u폭wv6/(l8זK񨛸E2"I"LeSOces gh:2 ^rVGɇ+Ùy|n?8MN/dyfu{%)%BMF3: !>x7&u+P,?Ȍ^'- rAe ~iZt?lAVAr˶(Fm־9CM%<3fB3u, M Tml^Z""<鱜NdkFnR<(p.<͘X4" H&]WY3SURuGʳ6eS6w`͉{t$eWhB3[61;7F_ڙ.92U7x0bA* X%A`z=cWu~و)ڟyNԢ ,mZz X%*87@Sd뗇nwr/ʳL#IA9ƞvh)}܄!s3qREFb]IO hC${5#e[<`8 MO l^N) f LG[(b7.6T,tJ9;|%9-^I1\ c{=4Wl `y4=7q۳5 k+襞[Nu8ȋ/WNy+k{35yu|L|k;xTΥDw6C:5u/-dQ}V0~/sśRjz%c4_ ʃ7mI.ը$ &n >9t\ެ.LԖa|5>t6)ua^ !a<+d.r#287)wA$n]*/9g X%'c6sv]eLR`W>Y!4.neCovfŧckh'$caAk2'hx4A}'sTosWB`!ހNk AȰ'g-i_޽ v̙@mkQņޜ@CdCy! DIWQMG*>t4W1 _v@ E2H-StTPh'V ` {P8bF"cTccBivzQCU{xRalC55Alrtr)vjV{"̠!Ѷ1r@.5VK|(tc蛋 n%݊;ݧe,Q+x[}n`=K˵RZ~ kg# 5x `oy#֞O?$ND::@[Αk @#ݎ4YvmU?!lu`ALNx\)?G~ss|oR]YͭRS`) idYRG->6E]Ŝ(݋gP,6 a~{/^?}jRpSLmOYь$eI*{j {mdPsӡ|bLʯђVwWGFuvTI^%mKU3±ב5c[@n&IH/Qu*ti(zo=;ӊZ. RxhNQt%(֏ҥ&J(\Ε̵ OQi P/)[iʖc*O l{B,5_֊ ]gL%´ZC{EFϸÇ#1 l 4XvjJ }GIjYBq&aVBVG3,v7\h%ntA4G}h=uB {s !PdGG"z)Ȑ N^ez8e"cKón(>f(H%_e(~X:. N›eq<%PՑ+[-_,PSZ5(|{WE|\aP9Y$=v/҂+BחN.tJx'z㳏HXu.u Zِ\,7~v1 M^2 Р8;B]Fh"@Fz`sHqZ5@Ŕ~c%\<һJA@ξ}ˤa9aדՙgߠ&JTߟfă,N/3'aTAzofGNut,jA,A70lXu3F!vՈ qs*ude7JQMqzhp_ ߋT$ FH9[|kz =+$oWVk<>O}D|]幧Dב*+~gQC.w8DXG1Z.TWvK}DEѭIyi\G&Xt-?Mł"~AA,,?L90i7q&?6,̃?mX PyeCĥZ;p?a3lBudU yM+R YZ