samba-devel-4.17.12+git.455.b299ac1e60-150500.3.20.1 >  A ep9|j@+rS0)"(Ā+^9.\CsvjAX7"dya\xNX\0W5;uR[(v+5 n#%ܟd:+ 5:x9*U1鵈O^!ľcM Cw&s36^׼v^̲)ltOROjLu xx~Cy1Yq> 8E]+ںX OƘwca62d63e587a914a8d6c0db5dd181a0532ac3b8188462a857eafd3b5b73eb14552db44efcd5151495e5b0ac7f623cff5a97f04a1Cep9|.=0 P 1(VΊ"VBW,yNMR{꩹ Dͤ.C >p0n^5AbiD6nΙ5 W2}jj ex])]00"݃7gt" ;#즎hgRGVu>3pS{~MB%QR~;=lSyoYW#qY-ಐT U`EJ쎀wEOj"q>pAl?\d) 7 e/ Ee|      #%'**@,@#./40N(0t80|94:GBFGHIX#Y#Zd[\]^ b9cdbegfjllu€vĀwXxXyX)z XCsamba-devel4.17.12+git.455.b299ac1e60150500.3.20.1Development files shared by Samba subpackagesThis package contains the libraries and header files needed to develop programs which make use of Samba.e h02-armsrv3SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Development/Libraries/C and C++https://www.samba.org/linuxaarch64( pZA!1P  `F$2jENTv |H)KU +l8E2!-_W +g >{v&HI!E'I:l hb Z=1y< 423^4&66)6 *P',;BG\AA큤A큤A큤A큤A큤A큤A큤A큤eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee57f48e6acfed5fa9841df0f458c77820b6e24ed8279bb23819c0698df22bbbf19a87ebf5c3ecf098bad8fdc2e0c08317efd3ecd4947169677feb755c5f86b325aa97c3dc8a6da5e8d196a73bfb4bae250089de7237665a3a6dcf5512c71503695cd7da44b981f9782081d3d97dc2d2f26726208f56b10bceaaae6e1a3b497bfedadbeb001dcf7b07dd529150e13f4c2be0fbf2a1085fc98dfbae723ae2c0fbdff53c103d9d508de1883fac4df0fff12ac27300409f3a1c8edaf31c05c054340a5b06b7fee673bbb2b85d2ec4e18bbfe4399a026d33da440d82d4220ed9c4f34d2eb3fa3d08c46d646c8d939099c8ab6de526c5fcc4531f5459c5229cc13dc4e119b53b2dc706bc9d0a700cc75c452d556f21146257ff034e2c678b64f5e07c602e3a21a55901cc3c7a46d6560c167ecef63390fb04b124e508eccf8156fd650d15cad65b89f0dc698f29d34f8c2b5e364384100c3c88ad557ee6c4963c14db8366156e28d7375c095735fe583c41fe10f68711a286dd7616111bd0ba9a6c39eca72b30f0da89b141671dac7d0b96636639545a74f12fbbcc745e7e2597d71b4c7bcfa6e9c2d3666eaf6fbe6b63194f9d4b8991619ced1de631f1d7c854271bc4bae9a0923f6085fa06e1576222d2b02539f15dd733c4fdbab0559913
fd4308cf2e45f1d76df8d2fe7405deea4c26e6e1ccf3951c59a55836952be0923e7928b37a9fb59ad8153ae7466cba7121015d8ba2a3397624d5c86c144bad688c8009bb1b523b57a052b7faeb0db0c98b19716729c5617e60d14d2ec82d8501ab67a71e8a09b87e376224e944e12a2067e9fc485ece8ebfbc7d5cf0bf573e0500c5bf24c38a14ecb5e00e24e7947b8517b8f39a652b5a4a7cc6ed2dd04dbc35210090e571af576c5ac08f897ec08b3d0d2d5d40952aa94d082f5550483c051b99b33ee65aad7a50a60ccf805be82f6209c702e0e7f73a5ae774d0c68b57b28dd1821c1ab067bcc678b898c16d290afc34539c478fc1f6b47270a45b389de9fb9ec0042b98e789e2e76a17d01c1684441f27e27f5c54d7d8d1607fb9cede012344438922ffecaceea8800ef2175f1046485790f995229035a56992eb9f80f586460519b697827df8285c4ebf06595b743e148919677ae2a40442c80549d7aba0bc0b696ca55cc095723a52645cf7513c55934096218760deb28a607b5e85f82db7c1ab580e91df20133ceaa62399bfcfa07ae216642332bf119c5a28639f3e6841dd74e2c9e572b08d30aeb39fc07661c716fa5754bbdcc81c51641392b56b7391a1b73267704fb68b6c66faf214a17a498a79394902aa0be51a30cf07128ad89ab5cfbb6004265e32c0338f01e95f47cda607f72abd98a2031f32f45a1470dec6e13f4c8e17e93041953c7a33ac4dadb193dc843bf0dc47196230f74fc5a9c4ac198965cdd04f212da25ce68b9aaaf7fd0c04a54c6e8d0a669473db406601cbec787638d1f3738a512ed8510a624b853e77a1ec3e692c9b769d3895ddc8fa2eeee88323d449c9c29d4ff70a69687144c1c22f535fdbd736e9f439391a7a571167d4cd740923c16ebfe2ac820e071af1cba5cae4b019dc46eb22b6fc37174d15ac7b72c723c10d44a520b2054944d0606d29c16714a4196910a433f607fed4e35d63918562c260077a6a23b99eb7ea40a5e790a7d97b17c8adc0fe8152598db810a35a439e0fd2184591f449c79b6bc5b5468443920523ea943440534df04294b940ce1c00c0a68cab9a5eee13b0a18e6e5b9d87693f25c1f804ac1878bf03800367d25438369395e7f2006fb647db68043d1590be759478e33b123ff9a54bbcf1dd70a08cf7093429356beb606c5ed820a516e25a59308b64c51800097575f4c0898fa531a2f005b7837ddaceb2598db386c1d34c1a777baf0d741ea2d153c399b4b0fa22367ee1921737df26ec3e9fea81c7f525ee4076db13008901c9ca9f404a6db835aabe1a026f6f3e5c05cd08a28a339b762c6189d4af93a1b6a87f9d9483d5833fd883506b51ecca8ad6df0baceb27177fb6499a7918703b897a45cdc7605a9ec9315a0f
82f2518db30b753b0d4ca10b18a94c382f3ec70dcc443437b2dc9e3ce610ac30bfc17aba981efd38215a457355b1f19ee2e93d26cfc3f6127d4e633b9b497eb1d0b62a3e7bcba01a70028c6c46fd518f9a43343f6e0d70498ee53f056d93f84fea1eb1df4a7c2bb8a671480afe65f9dc7f671e0e15cd8eea8e37927520f3ac8ae6b63fe8f7aea81f7680951eec3ab67f4383db52789c38b254cd5a9e4766b17aab8a99813258ebb4b147bf98c9f0b9ac8e9e07ad86cc4811fd17c0ca05ad6fa67befb082b2cd23859d7002fa75a5794f15fad8157402985d19cdd5aca162d3dee041d414bb1f368c985f0179da56159324271c6b8847c58bba2365840c1acf956f394afcde8741c7d3eb9c1f0d24e77ba69ff7eee8ba90786ffa6c5f4ec183f16ec4fc964c65b35a84e0be1b1f830b8494c8e895196ab132fd82e055cc808ec43d0bf84e5bcc059302e71c0e23a257f197463a9ecad24f59aa597f875a287795dbd2ce8b56438e84f9976bb4b587c364e2b03cea9ac7bfe92f670c4d88fc1b382789f66d991a6e526f4093a1972e1391aadde980420a1dec670f3549f87169c890fba90086de0d8498f0fb36921439a3568cd3a29c34bc8fd9c25772e9da56a85c2ac6556a1b670f184cdbafd64f9ecba9bc73ab227ea87f6100858f987af03f7dbbfcad01f857b4576ffbb67ed2f4c6cbd9f0a9cd2192a7cd36f8201ae7dc5c1bb59244752a7c96d0bcd9f3e3ad075aecf96bc9006c8087a428c2cbf46832f58f5a9a8a1269d77685a6ea46e21b05e9d22e79fff5ff59e2f6fd5ef7d80debfceff18478a8d8bfc97129a347643016f7f38b404e7b071fc5e57d257dd31c8b5896339d9865c986dd8b9072188f24462e3546515147500b5348f0833c06ac2587e1c560a57a924744d428603f832aa43148df878f81961c305f36735369d3c770d8f8ed538c1703fa4b17a0fcebbdadbb296151403aad79eb3281fdfc400b8e6af775cd8eeeec7fa786bd0c1c686c5562fc60c40b7f0fb213627e0208eaa36a7262e7680bfdf38ab43a302de7a5ee1b18fb5e5a69c693660e5ab407d1696c7b4ac8f6ed075a178fc967e2e68e1bac448bf37478948a1f40401d26eab7999a7accfc4e3458700c80b7ffa79de8087b1b103eaf092bb75fa328b4dec48f35949c3f779518d0e830d9f34a33bef4b8d49477a4a648a2d279c88584caef10d814fafc233b2ed62e1b088b7b99fc6b8017b38dd73cf8dc94a4e97837ae5a7631da503521a5133a57f0445a4dfa2427eeb926d7ece4119a01cd20ba4acec5db90984ce61844ebfb044780a402cb880b08cb0e3b6d709b17117204b5ce3a21b987f0c33c9147e5197c8e52257325852c5c181908a3f4082b5520d1cf8599ee8c813afe666ef2dfead421ed60
bdb56fc8cf1c2b45f62646b3c4d55f0d69ee46600e42c4ca1819bd7e814f21ea857ca7a1cf61daa69affa14cb497273b24b2f9adc344da28391ae7e27ea058e1909f8fd85bf9eb7fedcd7dde1fddb48b6600c8b649329e7835d3359da4ca8a7a975ac1b65942966bb94d6fc85d8657c215c02163e77e2af95aff8ff703003f5691ae2280c0809d15386619c3aaf0620e8697c3c0e01499827ed51ab3cd6c9bf061bc036d81e478f2a5d3b978ea9e5a40d9e8f73089c8c0c93fcde2df15eab504e1d511a2b2009a4019f88db548d9c50ed6fcdb23248f129a0856164cee564a983429b6811e4be898c348327807206370185960ff3717c956f9a10aa3bcfaadbe145f7723177bebe2a8119752430aecb7121eecb4e1998b5a24b456197855a143c84f2ecaf31540b1f5457c0a2fdbfd8f53f9b9b10183e7f054bbc45a184ef06669ec0e325f82e2a468b3fa49a6b9241fe4b9dc7d8a6cd2e26338d04c25404fc53d6b230205d0351470ccd8809d4ec02d86007929edab0432c4386098ef7d1c09bdd8cbd6e9b0ff02a77cf2d3de460ded50b04f15ae58b86ce48bba579542df1b00f69e97fe1427fb1031f6930e7c3b058c09850bc72e8361579d8f0b97ce6c33df91db1edab5412d88550bfe89e5d34a73e8be26c6cd20a922ff73294bacfd6ab37123f9f6304ac62b5f3f2c020b7cf90ed8279bb84b70e146d0a47d12743138659271122b65de007d76a54634fb3fa657a0e6c8a3cd600d4be43800c4a74bb5e41f57bbf05d01629d0cd9856ca1c5cd05b52579c70d58b6328de9543dba02672487939e41e910f508c1dbb0923f0726dafc2b4fac411ed2b40275fe0fec3322730f62b84daf91fb23bbb081489863168493d1d893df191dd1a0597fa2bc7c08eeb7f3e7aebc136e2d47f375bc7a94c423e7e203a958d533bd8eb66485f4ec646e13c06fb647a15154029fcf32a2ceff7d4bf511libdcerpc-binding.so.0.0.1libdcerpc-samr.so.0.0.1libdcerpc-server-core.so.0.0.1libdcerpc.so.0.0.1libndr-krb5pac.so.0.0.1libndr-nbt.so.0.0.1libndr-standard.so.0.0.1libndr.so.3.0.0libnetapi.so.1.0.0libsamba-credentials.so.1.0.0libsamba-errors.so.1.0.0libsamba-hostconfig.so.0.0.1libsamba-passdb.so.0.28.0libsamba-util.so.0.0.1libsamdb.so.0.0.1libsmbclient.so.0.7.0libsmbconf.so.0.0.1libsmbldap.so.2.1.0libtevent-util.so.0.0.1libwbclient.so.0.15rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootro
otrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.17.12+git.455.b299ac1e60-150500.3.20.1.src.rpmlibdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develpkgconfig(dcerpc)pkgconfig(dcerpc_samr)pkgconfig(ndr)pkgconfig(ndr_krb5pac)pkgconfig(ndr_nbt)pkgconfig(ndr_standard)pkgconfig(netapi)pkgconfig(samba-credentials)pkgconfig(samba-hostconfig)pkgconfig(samba-util)pkgconfig(samdb)pkgconfig(smbclient)pkgconfig(wbclient)samba-core-develsamba-develsamba-devel(aarch-64)@@@@@@@    /usr/bin/pkg-configpkgconfig(dcerpc)pkgconfig(ndr)pkgconfig(ndr_standard)pkgconfig(samba-util)pkgconfig(talloc)pkgconfig(tevent)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-client-libssamba-libssamba-winbind-libs3.0.4-14.6.0-14.0-15.2-14.14.3ez@e[J@e6`@eSd@d.@dd-@d@dd@d6@d@d @cvcvc@c@c 
@c@cctc5cM@b@b@b@ba@bascabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.co
mscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@su
se.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Add new idmap_nss option 'use_upn' for those NSS modules able to handle UPNs or DOMAIN/user name format; (bsc#1215369); - Avoid unnecessary locking in idmap parent setup; (bsc#1215369);- Add "net offlinejoin composeodj" command; (bsc#1214076);- Update to samba 4.17.12 * Weird filename can cause assert to fail in openat_pathref_fsp_nosymlink(); (bso#15419); * reply_sesssetup_and_X() can dereference uninitialized tmp pointer; (bso#15420); * Missing return in reply_exit_done(); (bso#15430); * TREE_CONNECT without SETUP causes smbd to use uninitialized pointer; (bso#15432); * Improve GetNChanges to address some (but not all "Azure AD Connect") syncronisation tool looping during the initial user sync phase; (bso#15401); * Samba replication logs show (null) DN; (bso#15407); * Spotlight sometimes returns no results on latest macOS; (bso#15342); * Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted to remove the destination; (bso#15417); * Spotlight results return wrong date in result list; (bso#15427); * macOS mdfind returns only 50 results; (bso#15463); * 2-3min delays at reconnect with smb2_validate_sequence_number: bad message_id 2; (bso#15346); * samba-tool ntacl get segfault if aio_pthread appended; (bso#15441); * DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed; (bso#15446); * File doesn't show when user doesn't have permission if aio_pthread is loaded; (bso#15453); * net ads lookup (with unspecified realm) 
 fails; (bso#15384); (bsc#1213826); * Regression DFS not working with widelinks = true; (bso#15435); (bsc#1213607); * ctdb_killtcp fails to work with --enable-pcap and libpcap 1.9.1; (bso#15451); * mdssvc: Do an early talloc_free() in _mdssvc_open(); (bso#15449); * Windows client join fails if a second container CN=System exists somewhere; (bso#9959); - Fix crossing automounter mount points; (bsc#1215212);- CVE-2023-4091: samba: Client can truncate file with read-only permissions; (bsc#1215904); (bso#15439). - CVE-2023-42669: samba: rpcecho, enabled and running in AD DC, allows blocking sleep on request; (bsc#1215905); (bso#15474). - CVE-2023-42670: samba: The procedure number is out of range when starting Active Directory Users and Computers; (bsc#1215906); (bso#15473). - CVE-2023-3961: samba: Unsanitized client pipe name passed to local_np_connect(); (bsc#1215907); (bso#15422). - CVE-2023-4154: samba: dirsync allows SYSTEM access with only "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES"; (bsc#1215908); (bso#15424).- Fix DFS not working with widelinks enabled; (bsc#1213607); (bso#15435);- Move libcluster-samba4.so from samba-libs to samba-client-libs; (bsc#1213940);- net ads lookup with unspecified realm fails; (bso#15384); (bsc#1213826);- secure channel faulty since Windows 10/11 update 07/2023; (bso#15418); (bsc#1213384).- CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174). - CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173). - CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172). - CVE-2023-34968: Spotlight server-side Share Path Disclosure; (bso#15388); (bsc#1213171). 
- CVE-2023-3347: Samba doesn't require SMB2+ signing if `server signing = mandatory` is set; (bso#15397); (bsc#1213170).- Update to 4.17.9 * Backport --pidl-developer fixes; (bso#15404). * smbd_scavenger crashes when service smbd is stopped; (bso#15275). * vfs_fruit might cause a failing open for delete; (bso#15378). * named crashes on DLZ zone update; (bso#14030). * winbind recurses into itself via rpcd_lsad; (bso#15361). * cli_list loops 100% CPU against pre-lanman2 servers; (bso#15382). * smbclient leaks fds with showacls; (bso#15391). * aes256 smb3 encryption algorithms are not allowed in smb3_sid_parse(); (bso#15374). * winbindd gets stuck on NT_STATUS_RPC_SEC_PKG_ERROR; (bso#15413). * smbget memory leak if failed to download files recursively; (bso#15403).- Update to 4.17.8 * log flood: smbd_calculate_access_mask_fsp: Access denied: message level should be lower; (bso#15302). * Floating point exception (FPE) via cli_pull_send at source3/libsmb/clireadwrite.c; (bso#15306). * test_tstream_more_tcp_user_timeout_spin fails intermittently on Rackspace GitLab runners; (bso#15328). * Reduce flapping of ridalloc test; (bso#15329). * large_ldap test is unreliable; (bso#15351). * New filename parser doesn't check veto files smb.conf parameter; (bso#15143). * mdssvc may crash when initializing; (bso#15354). * Large directory optimization broken for non-lcomp path elements; (bso#15313). * streams_depot fails to create streams; (bso#15357). * shadow_copy2 and streams_depot don't play well together; (bso#15358). * wbinfo -u fails on ad dc with >1000 users; (bso#15366). * winbindd idmap child contacts the domain controller without a need; (bso#15317). * idmap_autorid may fail to map sids of trusted domains for the first time; (bso#15318). * idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings; (bso#15319). * net ads search -P doesn't work against servers in other domains; (bso#15323). * DS ACEs might be inherited to unrelated object classes; (bso#15338). 
* Temporary smbXsrv_tcon_global.tdb can't be parsed; (bso#15353). * Setting veto files = /.*/ break listing directories; (bso#15360); (bsc#1212375). * CVE-2020-25720 [SECURITY] Create Child permission should not allow full write to all attributes (additional changes); (bso#14810). * dsgetdcname: assumes local system uses IPv4; (bso#15325).- Update to 4.17.7 * CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext; (bso#15315); (bsc#1209481). * CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users; (bso#15276); (bsc#1209483). * CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bso#15270); (bsc#1209485). * large_ldap test is inefficient; (bso#15332). * CVE-2020-25720 [SECURITY] Create Child permission should not allow full write to all attributes (additional changes); (bso#14810). - Update to 4.17.6 * streams_xattr is creating unexpected locks on folders; (bso#15314). * Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment; (bso#10635). * Spotlight doesn't work with latest macOS Ventura; (bso#15299). * New samba-dcerpc architecture does not scale gracefully; (bso#15310). * vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat; (bso#15307). * With clustering enabled samba-bgqd can core dump due to use after free; (bso#15293). * fd_load() function implicitly closes the fd where it should not; (bso#15311). - Update to 4.17.5 * smbc_getxattr() return value is incorrect; (bso#14808). * Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled correctly; (bso#15172). * synthetic_pathref AFP_AfpInfo failed errors; (bso#15210). * samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when there is only an AAAA record for the DC in DNS; (bso#15226). 
* smbd crashes if an FSCTL request is done on a stream handle; (bso#15236). * DFS links don't work anymore on Mac clients since 4.17; (bso#15277). * vfs_virusfilter segfault on access, directory edgecase (accessing NULL value); (bso#15283). * CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON (additional changes); (bso#15240). * %U for include directive doesn't work for share listing (netshareenum); (bso#15243). * Shares missing from netshareenum response in samba 4.17.4; (bso#15266). * ctdb: use-after-free in run_proc; (bso#15269). * irpc_destructor may crash during shutdown; (bso#15280). * auth3_generate_session_info_pac leaks wbcAuthUserInfo; (bso#15286). * smbclient segfaults with use after free on an optimized build; (bso#15268). * smbstatus leaking files in msg.sock and msg.lock; (bso#15282). * Leak in wbcCtxPingDc2; (bso#15164). * Access based share enum does not work in Samba 4.16+; (bso#15265). * Crash during share enumeration; (bso#15267). * rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer; (bso#15271). * Avoid relying on C89 features in a few places; (bso#15281).- Make (32bit) samba-libs conflict with old samba-ad-dc-libs package to satisfy installcheck.- Make samba-libs conflict with old samba-ad-dc-libs package to satisfy installcheck.- Remove non functioning ifup/ifdown samba-winbindd scripts; (bsc#1207414).- libdsdb-module-samba4 should be packaged as part of samba-libs and not samba-ad-dc-libs. 
Additionally no need for it to be removed conditionally.- Clean up logic for PAM migration settings in spec file.- Change with_dc default to 0 (for non TW builds), ADDC feature is deprecated and will no longer be included in >= SLE15-SP5; (jsc#PED-1122).- Update to 4.17.4 * CVE-2022-44640 Upstream Heimdal free of user-controlled pointer in FAST; (bsc#14929); * CVE-2021-20251 Bad password count not incremented atomically; (bsc#14611); * CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability; (bsc#15203); * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); * pam_winbind uses time_t and pointers assuming they are of the same size; (bso#15224); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories; (bso#15252); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * libnet: change_password() doesn't work with dcerpc_samr_ChangePasswordUser4(); (bso#15206); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); * Memory leak in snprintf replacement functions; (bso#15230); * RODC doesn't reset badPwdCount reliable via an RWDC (CVE-2021-20251 regression); (bso#15253); * Prevent EBADF errors with vfs_glusterfs; (bso#15198); * %U for include directive doesn't work for share listing (netshareenum); (bso#15243); * Stack smashing in net offlinejoin requestodj; (bso#15257); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); - Remove deprecated if-{down,up} scripts; (bsc#1206444); - Adjust the systemd drop-in file for named 
service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exists- Introduce without-smb1-server spec flag; (bsc#1205104); - Update to 4.17.3 * CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit systems; (bsc#1205126); (bso#15203); - Replace obsolete python-gpgme with python-gpg * Upstream replaced it in v4.9.5 -- bso#13728 - Update to 4.17.2 * CVE-2022-3592 [SECURITY] samba: Wide links protection broken; (bso#15207); (bsc#1204499). * CVE-2022-3437 [SECURITY] samba: Buffer overflow in Heimdal unwrap_des3();(bso#15134); (bsc#1204254). - Update to 4.17.1 * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Flush on a named stream never completes; (bso#15182). * Permission denied calling SMBC_getatr when file not exists; (bso#15195). * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC; (bso#15189). * pytest: add file removal helpers for TestCaseInTempDir; (bso#15191). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC; (bso#15189). * Flush on a named stream never completes; (bso#15182). * vfs_gpfs silently garbles timestamps > year 2106; (bso#15151). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * multi-channel socket passing may hit a race if one of the involved processes already existed; (bso#15200). * memory leak on temporary of struct imessaging_post_state and struct tevent_immediate on struct imessaging_context (in rpcd_spoolss and maybe others); (bso#15201). * Since popt1.19 various use after free errors using result of poptGetArg are now exposed; (bso#15205); (boo#1204279). 
* Remove special case for O_CREAT in SMB_VFS_OPENAT from vfs_glusterfs; (bso#15192). * GETPWSID in memory cache grows indefinetly with each NTLM auth; (bso#15169). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). - Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689); - Fix use after free errors resulting from using return of poptGetArg exposed since popt-1.19; (boo#1204279); (bso#15205). - s3: smbd: Fix memory leak in smbd_server_connection_terminate_done(); (bso#15174). - Disable SMB1 for tumbleweed builds. - Update to 4.17.0 * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Cross-node multi-channel reconnects result in SMB2 Negotiate returning NT_STATUS_NOT_SUPPORTED; (bso#15159). * winbind at info level debug can coredump when processing wb_lookupusergroups; (bso#15160). * Make use of glfs_*at() API calls in vfs_glusterfs; (bso#15157). * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128). * `net usershare add` fails with flag works with --long but fails with -l; (bso#15145). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Performance regression on contended path based operations; (bso#15125). * Missing READ_LEASE break could cause data corruption; (bso#15148). * libsamba-errors uses a wrong version number; (bso#15141). * SMB1 negotiation can fail to handle connection errors; (bso#15152). 
* New filename parser doesn't check veto files smb.conf parameter; (bso#15143). * 4.17.rc1 still uses symlink-race prone unix_convert(); (bso#15144). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Manpage for smbstatus json is missing; (bso#15147). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Performance regression on contended path based operations; (bso#15125). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Fix issues found by coverity in smbstatus json code; (bso#15140). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). - Migration to /usr/etc: Saving user changed configuration files in /etc and restoring them while an RPM update. - Update to 4.16.4 * CVE-2022-2031: Samba AD users can bypass certain restrictions associated with changing passwords; (bsc#1201495); (bso#15047); * CVE-2022-32744: Samba AD users can forge password change requests for any user; (bsc#1201493); (bso#15074); * CVE-2022-32745: Samba AD users can crash the server process with an LDAP add or modify request; (bsc#1201492); (bso#15008); * CVE-2022-32746: Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request; (bsc#1201490); (bso#15009); * CVE-2022-32742: Server memory information leak via SMB1; (bsc#1201496); (bso#15085); - Update to 4.16.3 * Using vfs_streams_xattr and deleting a file causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * Samba with new lorikeet-heimdal fails to build on gcc 12.1 in developer mode; (bso#15095); * Crash in streams_xattr because fsp->base_fsp->fsp_name is NULL; (bso#15105); * Crash in rpcd_classic - NULL pointer deference in mangle_is_mangled(); (bso#15118); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * Fix check for 
chown when processing NFSv4 ACL; (bso#15120); * The pcap background queue process should not be stopped; (bso#15082); * testparm: Fix typo in idmap rangesize check; (bso#15097); * net ads info returns LDAP server and LDAP server name as null; (bso#15106); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * CTDB child process logging does not work as expected; (bso#15090); - Update spec file to fix the optional Heimdal DC build - Fix external trusts with MIT Kerberos 1.20 - Add missing samba-client requirement to samba-winbind package; (bsc#1198255); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Add sysuser-shadow requirement for packages using systemd-sysusers - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979); - Moved logrotate files from user specific directory /etc/logrotate.d to vendor specific directory /usr/etc/logrotate.d. 
- Update to 4.16.2 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * Reintroduce netgroups support; (bso#15087); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Update from 4.15 to 4.16 breaks discovery of [homes] on standalone server from Win and IOS; (bso#15062); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient -E doesn't work as advertised; (bso#15075); * The samba background daemon doesn't refresh the printcap cache on startup; (bso#15081); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Fix samba4.blackbox.net_ads_dns_async test with bind9 >= 9.17.7 - Support building with MIT Kerberos 1.20 - Bronze bit and S4U support with MIT Kerberos 1.20 for Samba AD DC; (CVE-2020-17049); - Resource Based Constrained Delegation (RBCD) for Samba AD DC - Support building with gcc 12.1 - Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362); - Update to 4.16.1 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * Need to describe --builtin-libraries= better (compare with - -bundled-libraries); (bso#8731); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * Username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * KVNO off by 100000; (bso#14951); * 
Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * smbd doesn't handle UPNs for looking up names; (bso#15054); - Update update-apparmor-samba-profile script, replace non-printable delimiter with more human readable separator as sed can accept separators that can appear in the input data. - Fix update-apparmor-samba-profile script, sed doesn't like multibyte separators; (bsc#1198309). - Update to 4.16.0 * New samba-dcerpcd binary to provide DCERPC in the member server setup * Certificate Auto Enrollment * Ability to add ports to dns forwarder addresses in internal DNS backend * No longer using Linux mandatory locks for sharemodes * SMB1 protocol has been deprecated, particularly older dialects * SMB1 protocol SMBCopy command removed * SMB1 server-side wildcard expansion removed - Add python3-dnspython to samba-ad-dc recommens; (bsc#1187101); - Use systemd-sysusers to create system users; (bsc#1182847);- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). 
* assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742: SMB1 code does not correctly verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). 
- CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to 
require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when 
overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). 
* CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; (bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of the existence of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer dereference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but gets it indirectly anyway).- Reorganize libs packages. 
Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status 
-P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do sufficient access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; 
(bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. 
* The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() 
function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571); - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254: Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). 
- Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; 
(bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning 
duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + 
Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: 
NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159) + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicious SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existent paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). 
+ libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). 
+ docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samba 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (e.g. during NTLMSSP processing); (bso#14208); (bsc#1160888). 
- Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). 
+ CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). 
- Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by 
default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD database format - BIND9_FLATFILE deprecated - default process model changed to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). 
+ Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). 
+ ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). 
+ winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). 
+ s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). 
* ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. 
+ sambaundoguididx: Use the right escaped or unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hiccup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implementation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. 
Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + 
s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). 
+ s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup 
AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; 
(bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was 
previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; 
(bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). 
+ krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove unused functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessible; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). 
+ s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; 
(bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); 
+ CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. 
dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when 
processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). 
- Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + 
vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. 
+ The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code paths don't enforce SMB signing when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawei storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after-free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). 
+ CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). 
+ smbclient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrect return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). 
+ Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). 
+ lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). 
+ vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). 
+ Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). 
+ s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP connections vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. 
+ Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). 
+ Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialized bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). 
+ Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). 
+ param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). 
+ Currently the snapshot browsing is not secure through Windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). 
+ Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify response; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). 
+ s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). 
+ Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). 
+ idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't changed; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. 
+ s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). 
+ waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timeout milliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). 
+ brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). 
+ printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). 
+ dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision with already defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). 
+ vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - loosen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. 
+ dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). 
+ winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snapshots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). 
+ Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). 
+ registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2.libdcerpc-devellibdcerpc-samr-devellibndr-devellibndr-krb5pac-devellibndr-nbt-devellibndr-standard-devellibnetapi-devellibsamba-credentials-devellibsamba-errors-devellibsamba-hostconfig-devellibsamba-passdb-devellibsamba-util-devellibsamdb-devellibsmbclient-devellibsmbconf-devellibsmbldap-devellibtevent-util-devellibwbclient-devellibwbclient0-develsamba-core-develh02-armsrv3 1704181770  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~4.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e600.0.10.0.13.0.00.0.10.0.10.0.11.0.01.0.00.0.10.0.10.0.10.7.00.154.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e60-150500.3.20.14.17.12+git.455.b299ac1e60-150500.3.20.14.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e60 
sambasamba-4.0charset.hcoredoserr.herror.hhresult.hntstatus.hntstatus_gen.hwerror.hwerror_gen.hcredentials.hdcerpc.hdcesrv_core.hdomain_credentials.hgen_ndratsvc.hauth.hdcerpc.hdrsblobs.hdrsuapi.hkrb5pac.hlsa.hmisc.hnbt.hndr_atsvc.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_misc.hndr_nbt.hndr_samr.hndr_samr_c.hndr_svcctl.hndr_svcctl_c.hnetlogon.hsamr.hsecurity.hserver_id.hsvcctl.hldb_wrap.hlibsmbclient.hlookup_sid.hmachine_sid.hndrndr.hndr_dcerpc.hndr_drsblobs.hndr_drsuapi.hndr_krb5pac.hndr_nbt.hndr_svcctl.hnetapi.hparam.hpassdb.hrpc_common.hsambasession.hversion.hshare.hsmb2_lease_struct.hsmb_ldap.hsmbconf.hsmbldap.htdr.htsocket.htsocket_internal.hutilattr.hblocking.hdata_blob.hdebug.hdiscard.hfault.hgenrand.hidtree.hidtree_random.hsignal.hsubstitute.htevent_ntstatus.htevent_unix.htevent_werror.htfork.htime.hutil_ldb.hwbclient.hnsswitchwinbind_client.hwinbind_nss_config.hwinbind_nss_linux.hwinbinddwinbindd.hwinbindd_proto.hlibdcerpc-binding.solibdcerpc-samr.solibdcerpc-server-core.solibdcerpc.solibndr-krb5pac.solibndr-nbt.solibndr-standard.solibndr.solibnetapi.solibsamba-credentials.solibsamba-errors.solibsamba-hostconfig.solibsamba-passdb.solibsamba-util.solibsamdb.solibsmbclient.solibsmbconf.solibsmbldap.solibtevent-util.solibwbclient.sodcerpc.pcdcerpc_samr.pcndr.pcndr_krb5pac.pcndr_nbt.pcndr_standard.pcnetapi.pcsamba-credentials.pcsamba-hostconfig.pcsamba-util.pcsamdb.pcsmbclient.pcwbclient.pclibsmbclient.7.gz/usr/include//usr/include/samba-4.0//usr/include/samba-4.0/core//usr/include/samba-4.0/gen_ndr//usr/include/samba-4.0/ndr//usr/include/samba-4.0/samba//usr/include/samba-4.0/util//usr/include/samba//usr/include/samba/nsswitch//usr/include/samba/winbindd//usr/lib64//usr/lib64/pkgconfig//usr/share/man/man7/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection 
-gobs://build.suse.de/SUSE:Maintenance:31987/SUSE_SLE-15-SP5_Update/5d6206584aa08ed2ed19252942a3645f-samba.SUSE_SLE-15-SP5_Updatecpioxz5aarch64-suse-linuxdirectoryC source, ASCII textC source, ASCII text, with very long linesASCII textpkgconfig filetroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix) #%'PRRRPRRRRPRRRPRRRPRRPRRPRPRRRPRPRRRPRPRPRmCTCUJfx utf-8d0908dfd1c31fe113be94c486f42a3ea51e4c6989f29f8ef558acce0119b98a6?7zXZ !t/] crt:bLL 17 !;b庥^-%'f MijEDWSPo\Ҟe`6K't|a:d,k2o¯1ĥSH 5޹3gNJwC`r5.2`IϺW3jGp6{`ą /?I46}P)+衮P]D̔! wݿI+?ib7L)EaH:TzN`9dC@yXk #V\֐¤|lPaor}P:xh .fKNZoch9;s3\ Ҙsa_~!58L@ҹ]4G2{VWq^R3}Lpi,@=w=Y ܳ5S!tc{ ١{z&p58<]cU" EW)AFܒm>?3MÃCmoeY.@U>V7)c BƔ U|kuFɷxISPt&WBj[֙X#v̀)BCM/~{)OI#6NeY?xfd;I4 ǝ?k =ϯI.C;6K,nstL=3IbJw/G_ڃ#;j/o#|gBVh35\AJ.:LQYY7Kjf`9h]MY2#'&E~' 5zLrA] _R6ޒN )L,;؄1tΘM{* "yRR:pz)`Vn{P &l8-Ў/[6hUFY!$-0Z}#c72s%Cbth6{ٝU#?Jܴ!://Ey:σm󢝭*ʔnzfKoz /2- 7VS\n;!w*gǜdaы=kiWVH͐u72=7jEtX82}ڰc̑x0 iרpƪ=]5 ͑7irRq(@k]oWLW\!cc $|#tíк!p@!d#4ml<{4+u$y K>Y%eR>u3(M𥆏ЩRDS&*+,o7}=ְ1hYZt*GLgJ-qhBfȇlPqQk3J# @qAE9ڦ7C\ ԓJ# AYq 54Exe8!qRYF0@-,L l 0Q~<_|36+tcYRuTOLA)Huxf(.؃GF;'µrznfKP 3@8S RHŎy؏mjls˜uP4p]UF=goWFx'(i(vpx;/!TdrC4mu_غC482$N-'SpM})<-j;+"G<f]UML/.bK+#:S +0~퓢Ud!aٶdG,t"Bi`|S,ɖI9's.̨5qtt_x7#:4|8Ͱ"0kߍDF]H@ALGAv$HDd+<wJqx>vd5B T?z&Z)JI=jMgwJ E֚*(n#zJ>.8\3tMt/)؏:K㦲4SE`3&Ύ|_6lB *6Pm_谮븅8r+P$ 7@p/j:֓J }τuiS&/W H@ݰ#o .*Bfא{K7n8YC⨂丈*v8(@ Wib^Ze yb{E@-T%#D%#AyNzSw4D mHkSo$A)#Q3-Cl D2ÚXU##h{Wiyʢ6HU?.~uJ: JjFF |[;\QrKJ^  o~jDäYD 0#։n8VVU&x'GF ^Z/o7hٙFp\7)T9ԁ\{,o9*(π^!Om85)0>ov!'R* +(U 0MBZ (Qq X%u>nZO7N,c1iٿGnqY47ʫ!ӊXs9yfu)Ln-/jʀrThRܨiW悟ƭM,,H=Dzի_<(ު`[ɏ[bhKX2SdzgW k0Kd]er)sWЦt7ÁQ{1FGN˦m>S/rb^Wڪчԟdh{Ia_-x?|I [ [jZO!) \!`]3qL D=~# fꥻD4%(vH͊[2{G1.fLíx<'arUvb2 P +?|W3/9>$"m19уҌ dl4R8{kcaq3gV[9܄No26l ? 
_~jn TiM+;lSI4]n)^z!4åfY .G¥^S%cT^d nCH'( K㯆t:|X-5v_Ō[dQj kymǷt;$̣.{ |gC5?Sƥ!fpµ QU-Q#ԅ/L%j/4aPH_J>r7 Ey+mzًaݝɁ!e[Ƽ ncIEikdgl}gmt٢GUB;k@ϕeâ'DּǚcUU5ՂA2CT?)mKe⎽;EVMo}X p.'xyM,0\,\t%5#/> M|鵛>)dKwɅVao{b~b O9s%k*K{5Us픡~G@uyX~:G¡g. dmmYB8NNm.xP7,V=Ԍ(W v'f*]FH2\SXwU%)E/ 룻y'/3"O6/{+4=S:Fm#ނ$(M1 yRk 苪 =y֤sMҶ&hQQ >ݫ\_ˊ_,/&ބ6ޛ4Lլ / |!ZYG:aq~ܯ{G *4+j_s69ZsHHSƇ=;}&&aVMFL UeG}bO$V(bI`n؁}Th`2d1yC|:Fd@hX,susvPHʾD4 ?VC-Å  tw]Um]FP=@VбῴIbO?l.:F!SO1 ͷoO;2\lbTEpKH*v>LZ!)"#qƊP?mY ݥIRiֲU4Obzh9 :x 7H3;l` ~_[Lw)+G(!7m-ECUzbݢLR )s0Io}R}*hٖE1*<| )9i&M^E~x&VC%,l5(ilNqw|edHV*ÆnFRa rC }B>[>* u°r3K8&Jl3&DK9=j,ٜ֬.eN`zԏΣoj"3EVϛ,'hu,ߝznT;biee5Ў_I%sENe;8 '-h 0h⍴MJC +vN5fST`]p.6^nX+O!OCmAU}q0gcbSZqۿ%} zC 6v>EEZmT7f%gSOqQ@k:@$3ghb6leegM|))‡YwׁVFL^Z>mr&1&*+ dN19q%iOwq[D{)? ǁ]I7;AnlO{?6$@ -ϣD( sY? u[}QY q|P%|y*ft|N<^XTQh_H(NBR]֓|Uβ( ]2L].1^ݪ^ň:85kb J gY %gf*[SFԅ?qY:!ZGѫ\ ƼBL&QM&}]qW_ʃ)ĉQ > 2!8cQq"]TQ(V5]~ѿ]B=VëUNo*/Y\$e˔4!>hyϧZq >-xyP;P\-/-F//f#=Kp8!F4 R˽A Є/ABe-{7r ޔktyB?L$m, W7Zݞ8eIV>VУX2ZRuTH KLxuHԙ uugxE\@MmK} `LiPyuM 1Q}TyEC@,K!;dUշ YL/;'W5 ͯ'Q5ݦ7sV&|(=WDꌎ-<l K70pOVVu@0QcnS e[9 G_[Slu;^) jN]*ٹ [ hLhSr[9S/f(֥ ]mΒgUJyWdhdicUH(1|csJܳ#pm'zUYJqje>hKZb ^C#DkCSPLcIDM=nP=Bk>Vw\^%*O|AuC~`U?wERVKJuG%OM.]uʕrwKJc}޿u?@o\LB_򠽍)QΊ?/ݖ.v )F͠ A&dqDPOތPR$JDz\%:5/Ru!̱E1XO6l0TlgtD'.51nYa `X`j:ӫo?0dJwW>x!uOFAD':s8'n 'NfJn4NXRDj-1,b $8UyeËKkeڡ 3KNLN,^) Rh#h# CJ):'w8=Wau \ ۤN9,޹@帋9]SʱBVi1أĦLV\)L,Bm!-?Q-w4ɪ`CYp=?BLL b3YgIIK]=] lXczWq#C W 4]3,sJ]K` 7ɷLVK:I,O3{)>XH3ԇ>yM|Aƫ1RޞL݊vIT[ڲ{< TQ mk6wS FR\.)¸[3YǼbk`oaFi6??,#rԯU1zW;]63 2JKx&PGvZix:OҬd>1eǥ7;7ɦnw !X/{,S'9PV,0}1!˶o<\lɮ۬]< rh$~Ed4wGbS"/h{44B%`); 7La+ƁpRfoNDpPkCⒹ(ӝ,v>mX@Q]y.y4PIjSb SiISJuMoRETpÒM8A#CSr&+YއT"wTSAP.e)mV){pr]^Կȷ႞4GE~f#&JHo]HS͡0LO7Y<8`C)zreJǕʛ7>x;P*)N1@f"3@yJ=h#_}`]IXu%5xsH z7L.][q MZQ@֯_qp()b'D=YO4QfR$e2wA#^vځۿTE@ E8g`?[_%k) jÅk|HU! 
nU(;OTrM"vS`/_3mϓ`G.tCh+ehfհ d[8ڗc;X(IY <ↅSf|{OQŞ8PQ<3"~<&Y8L/YYN$PΟAi>q_J\'r,J~rtxG5!6Ն"]ׂoVXs==oa"Mm\xB 7ϗĴC\ 9D0|Zv+곎ǥs%Y%~WeK3l-4., i漘ƿNQljeNJ+U[~`CX_QZ}&n6Z1j,mh1lzn"< (,b;\Nr5פ[&w@2.72 i=!G;R7{hJ1 TϜ!qdj|S2WQ>}9aW2b!ʎzʃPM8\KLIihOJlbmzl%VxPF{!e6+c0FtG9#qץRTPj!Sa_!075(cy(>)NqrP!Dy [{ol һJ߭~Wڞ; [!㋩D6n@L2'u~ k^=k1`8xF"z3#?ŶJެtMK\YV=[{Mb1S =*볲|`p6n 2rOoJV'wJҨp5!x,[$l>igR40@Uc3P#WibވB?˨QerP]Vcɽ8o N^(YtoJ9P m]l0u3SDq֝Ů[8{(OJ]/վ5P%0وյg -d؏#i tXA Eeyef+4B[#Zg?Vx3ˤ Z[5mD):7)CgT{z]1ps nvB%B+5AciG Z glՠbe1'n/悩5G{柁yglXF68p<}Xf4S٣)bgFZxxx!Zˁסc8*ql|.N4f3S1%3l jXlӈ 5x^`k1L]ܝ +Ee]#5FceA`ZS}9>53<9C!2ޖaR5hxY~&,aG Ui܋O"ڼ?MAȽ8EEv(|7:c.,#wߨIv[ hkʵ m"wD*hb˄(+*#*X޺~z^5. \A&A, *p^ПskQ?rerf)ێf9)lISTQy}Ч8R)K73Lx,V\Sdb3q6&K)gvB +C!;Mco{T鶨BU|U:* n`X hS;s6`yG>X4:q9!$)bE_~?AHA#QW~ȱwOv]K=rDrFʐ۩43W/v 3,jOU@ 8$S $fo=OyQKS (0цfl3܃zcߑIc}Yҙ>`gʀ=Rd"=#dS{4sxp J- P:3 s'̴}=2Be ]Af:*elGþMtITI)#VEU'9F4eq$zM] ^; M(m-%6  ] M_uaFlK# M&,9 ]aJ kv,eXV9*[0Zz9IȳCi8+ب>Z[ٕEJy< OXt\~z;ӳs"/#q1ƌNoi/Ѹ"EuT(HhG*Pџ^ІO$aA>lcA/=D.ߥUS؂l%S%ͮ1 I:߭&g6%?Ds"(mMmJZYȃȻt<(7=c'|*y˛S:ɭ\jHgȢ_]e\>FBL znwdqޞY X4 Bu`[JF΁ϭC =(7v,z o_2 Pkv`UK R'SGlD%ZC-z$o)H#vv\$cHo0zڶXZH!i洫L^oUt/ڍtgש3hY7J @vbd~X<*FVk`I΁Bȱoz64]s~{;Aa!%r |ĸE_X12YjO0ZS>+ͦv4-ϧp ~7ڲ0}`Y@|9Iʧ{e˖XIg_{ϋ@~F\}~ҦG@JӲC0c8A-6*A䷴21>/--:P r 5a*FѵpSYKtIS 3a P>;~rYD4a OU l lO/{ [ya8fFE0@H"5g>EDWOQh*JHh7hEes}7౬Z< 66IF8"}Hk^Q LI%O^[i$=}.;#ݰq .n2YSLt6:vzT(/qڙ! 
gZp97|F\IS$;Uu0"w}})E"w Ui>g$5vx޵qĥp^i A%GsV`nHXX)JӴW4ΰ88* 4/CbIϘ1}T$t]tc5ttgh k8yտWaWsZ*;nK O!He R#e O_ ԑe4ݮûc7pҊtaSo@8= =cUEW E3mRyʙf@=l&X_|X+),c $Bfji^Nxu+B>=Mȼu;UM5RR0'eĔ3p O-9I 2uڶaI{AoTqSBLHA.CPhFKCr aFƚSV{:$ϳ$f"nN+CX=B _ :e8c 7I|%K$sbcioE|8t( sHs1OȠ 9X02pdE7|GK0:Ʋ| I7%7c{,%:5/'݈ؖ JҴ/ӏVDfљ5zTT1:r2dm1oĮ[P$羻yb /G9!%Y X4$m-q.7# jOlAȀD A4'U3!5>Tk37]n˜KaK+(*>.jC|,UAV4Kվ7I)vfHHmϯ\ Ŝ`ݜIr:+UM3@Eyو3 _E[`:h&R6$;lw>,3jQo>u +rW$WGŭ5kăr?7}ibt;oE75VӶrNN%*#qsF͏5\:$W0m7GrB f!]2l2MĢ_8(3Cr53m$^ȉ]vͲHd#v6uTD&gb/pЭ2|ɣɛÑM Nc](+ ivU= p7Jk/M쫄="}|J_@<#b0{>ęDgkӎ Lm>@=7xc#P(Gk0jCEXq{& I~7KaXe={&3?(ǍfX̻%u|.*0J_%إ-kbQUNua'5yǏsXXgs1$ɖ VlBH%݆D͆NBXj|yV,RUNBp׸qG2H\ ҕ*!}\N8lZ׺`("3UrӒBK̅L'#/Kq硜.4flY?ygPjٮ:Q%ihݡ`# q[ޭikZPGhP!둠Д掃KN8QÛbTf~k@qX Ys<N%<^_(/!%j:*fLXܕ;% w/MubEqQq°Rq޳{a =Hp\\, `gٲi-;_ԥljb=xjO&CvzB3WFUlW&PC葯tԓY+@Pޕ*ݑ K3VƇG3iVlrQ!9`GQ:`љ MxFOCRrcxj2vEFXCNwHT:3:Z Y8#Dg/Y٣ _F>OwoOD+u[ ɂ [o;RA%5/AWi\HRx$:g}9{o*-oON/x bNN"ƪ[&`N93'F™l))W$`_~K$;wҎӠb3=3U fB} *jϳmEFg l٭a[~V8!=71:M56g0 @ɖkh5MFӌ2Hm$I|;{=Yb;W$ ']:gG"a9:(9E(FKdp<9_-Bm"Ul3ksPLINGt$ύm#\)d_*ymf`A+H%٠1޸Ѱm]nH\ յC^)̎{Fv W  ;GSa`fUsYݑ'sa|cDW*tB[ BNf}: ܫf$km]8oTtr'ah\R :ѭFS*~EEa <=8B\;/t!Q%')l7ɘdx}KP$j|$hnz@y[p`&*fBFJ_W&GOxHVO^i:>czq ni,lUl#92i$?T-,7uF+3]A(ḾƷ%xX>/Wf{_+4N 83\m>C8.ܵnE1PS˭Y/=t\gM /6++-P{skl U&R+ѱQ<臣+X,DkoǑ/Qn݇AatɟX!BKk!v6@hTQIGXn`z #$7+vlւjX)ђ0 D:|x8CMlY@c c{ՠg2rRT*h=:myӒFBQ"א;H"LDA%b5:}OWtKÙ?fun?gn!kC)[+'lSO"j%LY@f'Vht8DP\kv?(wgXLJ Si-XhvOV4}yP>:㖐Z@uz%%**(0"ڭSk ޾w.uOn-hF'XZ 93_-v7Hpcsw`BdqceN? 
$enH.ΜI}PڸY!+p:`)J7eq}"@ "P6J#Aj}l2evvЂ@<3ّlTv9Ӕ{@y˭(2$#\Fۦqdvdm yV0AN`% p NrUQYgp 02":٪B>bV<%A/׺ψrDTSī n )1ldɺ&vhVH[:45o{u W_kt;Ç+]~wHF3ro,^263rJf$XP_UZHSl?v>$!y&爠WIuG)6W/g|9o̥D}wJ @ [#qb^9ji[sjª{zU"mZӻ nTYif+ Y/ބ؊kaf;֘5ʾiwn/BѾFN߯-n˻XBt,cvFa pb{C Kjo|_poZAr  ?c:Q^ zgei.O,$]Tdi*u"=灩9.c]r,'>*mSߓi /,C' 16Z, wj9@]ddcjnj =DmIٺѕB؍F}A]t<bu;ҰM8F}^ͥz++ٸmfxq .˞%]\㳦҅UʶD6)Ez`LV(ߏJ IԆ%E(g<&ٍ8U#  l;l0isUtLE9CI;3u{\)dnx9"4-U&HCDj Zz,w0Gik:,}S[C.;z_>7+0U]wDgm 17s{ y)ok;QLm Y/cݲ5zioshhzN,[/wh )IH} /1Y="J,FT8CZ:sy׆շˈrF88fP:FRqeJ{XBAX;>_Y}}4mpm FUjv[=7iU<ڎj+\ßT$նnO31[ *jfʹf L? hމ};e]qv ݅i.U0f`H_W>n*L=^ ܳ k[;C(.=Νfa?(=4"[`+Qp[J~[3xNwպj$>MG 1OY}V[q~=묁p54^80| ^mޏ"lTX[N?rЍR<\azj%X\±d,L&Ă |;GpkB!2>T⌏*u*MԓgbHrk%`nx\`0mӒgpW%Ud}nV6>̶y)Kiף]W7"!EwIN WDMi9w ų3ԅT}_Ekn{@N\c4--&˕߯^*'R\x]wWhFCʡE`B&mp@ OR+醩Id[* MP2>&zrTd\ѵA(ZwE[oj6iߴ͵-D%Ќ\)Y T`w":Բ>Z.]lʐΨYĽ3"M?W_"LG{b+&|˃_~]ЕD8 fjؗCGAZqegJ9,|aSx+V0}rl^7Obgpz G _ʥƉ.D]*iC/js/rA d?!n2ܙZF6ud[BrEDA'_&ir⠤3nP cv|BQr5!t{kL q)^pP ` MC$aIiU^a(&۠l]xy%uGnJI7ؠ=܂5og%R%V^L)k=И!CF~YؓQ@Ft&}tm}Rs@ ,^z^ !KTsNXQR6FzU}*;]ňT)C f򛔍Fk8PG#$%H{3ۦC?W4}%RZ1WK-ሬt^)?b@}Md j rJt&j*Go ~xHf,D 8; i,Ճ5@ j,:FMvx#g*XQ;̍qPX 4T%/n}WS-2q{`49S,Ke춍ɗsh|_H\WV=|oH$ۜr ΪnY]Oأ@ˀ!d6tʹK@Fz= xu5B1~|93 @.'gխ{85GUōXZ!q:=688 Xe/ZAa5ES/nےenl*D$$V{Ѱ :Ç>19F˿ឣ{N8d$o K:GRm&G> 'AnB]cF $D=!!R.G 9`|ZiH&+S݁wQ]կ\_-w5y3Zna,1 >PLRj/^Wq9Zf9;ձ p~=U䓀 p; cxwŨ; ^C!dd HUQ1)QexhQ'\ud"{kWluytӦh%Hg6x|#\ANik.*[ss) {#CqwKh5xכk$E``F9z~Lև)7oTtڐ^K۝|Dg~SȦ?AuC ʾlTuUʅZY++sOlOH?:vyxp>o4Y:}[FؤM0k\KoaHltNF2v;eAХN%jKᙦD[]J3Liksڄmu(Pn+{ 2,y/Yk,6F.r[(y,Vvv6MrHxs$8NdR`nJ~>@ 3ٟ!W-6( s!s9^=M"J'D3)/go,g[~Ya S󟴩2,"+u#K l'p@Fi߄iۈt>dl~}Q2睇}H.D,Տ<} $n2a a+)I==N+h(@`ÌWqGk/{;llZa%=z =Q'Qi1 f勊q_ /ۗHC330 aK k7HyY|Be&KuH!d;i' cٷ"5Ei~>ɣ/ϙ3u.pj:-K"+ ЖGkXMrUSؽ$2h58x7j@bJ5\Iu ^H L=qQZ:C`el\oPXx`="Y)dV.'BQ`alu EUUJ5d(L|pX; h63wfXӓK+w tH\"=V1ofnS, Ј7dMIWә!ȏS>1ٶBӈxmq,}-BMuVOal7}S~ν㉋`/ʺD5:GBcL6&a:8f#zU+9%״%&Fz)rP7e9] Tc1'Rѷ"P}h1a@Lu4ӳ?`\JZ@ <(2# ˳p:eU=gA6ژs⣲ĭFl05VKD1Gg*]WNCKt8oA}즎SQI#WÿW?z>B\5)q?W1_/??5J~]8,^:hC*lz]3 b3N 
ABՌ>{${,{Z2/h?W\cU#l$o52b<4xvuґzr]7n+{щ62@[;ai1 [j#uL *$0VzYzt K8-NY?Uk,M-jfet7=!NsM`:OF͑/Ⱦ1SmF~b]Laⷌ:/hf 5Fmi@xg0&hq``IBiz0E;H`p'Ȏ2&EP7R Oy{;WrpwFߨ ;" `V'b9.>VE?Qѯ4dkB٪9=˝<$^r~HQU7 -:8Z"@iے }(?%Ǣbe,0sX4Ok xH lwX]dGxgLq险Xxfv,H"oy<{tbK- /eZo/2;|FL4l,QZ"B;Ì?s -@U,/;עJloy:snrEtw)O9u-,GpxRZ̝F K 9f\OR*fN1`+*^1CT1WVGT'Jժ Zt-j;) e/+8ppCi{Z2;ݕ. X3HW Ai__?]GMc|7MCDztqV 2_7g )kJ]uhg/{B;`2jqWOEȦ7]%Tsj@Q.ڙI/CIk&x*j!;o=}0V4_54v1T&1&Rv —g/M %:ޖu8tμ=OO+a0TAF@Cn ̹I !q[[ zeH[МueN y&'K0tn8,@T) `d֨M|xgTU鴍5쮡imk鄟?vi+lX;4iJfhv?rEQ.A wf.EhV&mx@5=>䷎ǎvYG6AQ'ZVr+&,&~!P&[V27\L“ۛZe_`<*fHiȝ[e8!828w\ &O[9)Y`2 mi<7r?҃E6tXڸnjAa7Qbfd|FTN}9:w3eK]1Fف+/nļg>J۲H z1!2;Yx_2daEYY/Aj?T%I]1$Xk&TOIM4#M1kKM:([ll(V?ikO<6,HTmDTr5d[c֭K3 F<)}FIoiwGbVLC8]iCC=ctW} ! ~g_Sz?:5aaK3gF ^I2!2D5ʖߋ*@ڀ)_7gθ:3y-в]d 0kSd(YYFI}HI+R--l"VV2b-nZ7g c vP]y` /jYP778OYvX{TS+Aťm3lEhH>7^P$tc< 696"Aױ{: ~yRZMYi[@ Xz-suΝY]XҞ|lm>0IT A!qt J8+x׿nz-Z⾞eRHmL.qb75ԓfZ2m3S@'eg#T[lSX=&=+ umkI-)-+J$:#M'GGaSaqARv 0- VH }!8qgYF6Ԩ4W7=` Dt QQ~oN[}Mlj"(RGTtT^ JZȃcfFIzR"ILћu-ѐ ˭Ɯ)0SE5E(iҚ\F)ݣL ϊ(瑩>bvioSWŚ{x+_u,IA$tF n!qnZ7_I鱪 ΘpUe4>d*4aoe۩Gh z&*! Y>H|.Amn&^~blKBW/kr&@no4,&s"T|l6bꠥFҋhsIpIH *B+|}E{4R8DWm2l!NsrpǔX.EbΞvI7"i$U a9k [] r츥3:~*Qd{gX)Aa7SV2,*wҴvzS(B!;n0T㡄 `ڙCM2=w #<3PlmD QEWUn&R('|:9F8mgK`4Bٞ;*!`ePu )&:ۙPsRD6psuGqNPjM  :cOu_1Aslhu8J̿l XVI̵T hV1ߋB{2eM^`@;5@5hfjXd3' p7)\U$z1G9ȽR|Q8`iFj\vVM%*ܭ.XO)]ӔD&~|ȬF=@<"P| R>vsa0 =tXE9HY $GgyXmޔ**wvI?reЍV. 
2nwcUL [m*ԘbTRr g'^$9ȧ a -!YH#Eڦtnv葤 {э+sՓyh[ݬbɻ?Hb㳋̬OBY41_Σ6 V\Dq׭C uZ1uxܧE8 ͽ>NS੐pəb:O DT6HD"h9j("f+ Ĕ:9ҥB96Umu:M{2kC!=r+"t_ =BұMs`V)C%'N ?;icѷ1j/?C"wa ުy G>\~fZJ+k?U'+t0= D|%3\n ;s$~)f}q/^г}gV [r eR1WFfI;쀌^FxBmWU3f')?7~yDa%fJ&?FM| |nVu8^CXjSHkәfjyX%}nm8Q)#;'Q`eYc=+K>lmOqȡƞ: bQo쪈zHL Rԝ ?QQJJRp<>IC>eB׼(Hy3dKGH+^Ȩ-E:: ,=g P-?'[(]6~씿P^T6k ߥ,V ҪAFL_0> dp-&f!0wSN: IwѤeZ1S˫{I)˅ /0d8_,VNпyAE〘I#]TZcOcT-@u rK%Ǣ+G/Ե)3NqMq8Żɢ=OR%qcXk҃O9}$*$N b&x^3, 1 QgTa&(,==ѧ} PGEt/^:{.iu[$OKs?PCٲ(K}WI=(zOv:}`A" XCZsTMj(ʨWܤV81 U8:fi.vT`YQt-)}P!MNgkh8ڥWٍ]*)}{d1Jo:7HD9l3VǨF Fc1"njvS(NQ"_փkM\Mk ~5UVPfm;by2q=Z췼k.oƁD92$}6f:!*Z?KQFX|1NڝwZ,`98˚ / }TɔJ,6;Y/!POtk- :Iim;DkoAA-t!Dۋ<'3ɲt5Ι45D2Ț9 g֋jǧl_b @)3ݸoJOROÞq-L J W;ʑU:"bF}og bU"Б=pNkM)R_ֺzk{ӥpF,zzAGKLl(6<(h!7j[_H@ci+BUco騗fj Ix+s nY?3"p4IݹSk#/~^wd<UzhMS>9e8PL|n6H{tJx"sDA Rˏu9ݡ'lo|pF9G-n?9N/TF(yT+grx :to`PRi; 0 +$.V|qޓ3dw5ދͥVCW㥪hyiy:1U*`Aa:-XKKO$SL?p"dDudF_ pwGyT*[Cޕt%47*D2ޘ\ ~? ;yu4" a `g~!Cc Z9"10v|?IRr8 =E<)Aȶ]k (˞\7--/ ~JT{!Wp/*w#RFd#96 >n لeWbo0"t$"&@zIOzy`ZĿ`w6A<(4 w崰ZQjnbZ PTXX\*)N<ۉ\,yh>$, eA?}W]=< PGiN}S)Fkx$&/KG}O\/PqE(/rNyF?fnŘ ಍fg7HBP@WZoNSV]Ձv+A̚ءIuovofi)xor:ԥ_nL\Dqv͉ܽCc}7<Zj &ebY=TzP,jx+6ǹs t.J8Kp_o3[5\L*N *d|%FˣEק W*6^H:F)uY٦2Ix=n-$e!)لY1fxɅ`6 \vOk[IhxTѪsqh6T@FbW?[0 TJG4nuңBI*0n-/fiH[u]? 
8IB)vq"/p1[&\(h.~=Uu #np4qdwL >A~ -<&=^ 3#&(.4­q@xmsd!N'WJ|9C i ^^ lzO\IRΔXV,JCBXw4+t^5(k^9KjJOB(bϳV_49Th)ܡٯZ6*ڴ&~PYѢ^w Mʾr34ۙ C &p`ElnϘ R*@E3fLz}zt̎tJqm 1Yxĩ&ҥ)o:m >1t8^&C`ylB[?pvV+LK 9충 -*J [xzfI<ޭȭ."f\K`-h@!e~oȢZ='ޘ*47\Ϟ:M@)<%)p 'UP[!ZOMG9L/~SõauD; Yt4UH=;-G'*$W"̪.?H7(CX0䚢K_rg /s ;'٨nFe 34vp/7Cό{啪'g#:H-O5A!`=&;JgavlMS柳.[q7 \3{pַ3{)MQ>[3MV;z_O]%tsb2ÀQqՐ5Ѷ-wkÀ,^Ȋ+8D !p{GWO_ᥰ7 Vq=LUF4 2-eEnBgcfq5 15^yF[,$ Pgpی֦w2,/@!UY?iE@6Lw|t"ڃmA1zH܉{!Fc\H-Y-R0n~W0Qs@Beq?"؆vtr|/D`\DxEV0(W!qJŴakRY.,PwWEz؂St0 qw[IT'ۙ uB{{,4ŨQ A!WHn,Q`Ӑ&FEnG.B#0Mgh3%cvl~\[@b@@de:.hI23$y*Rw.480"u(p[[F0_AVAG'H_y5Nմq"_%^.hH̹>Aaھ"Kpxz9?Xu]B )$"XzZ [j_S{܇ibk7BTڄ*[9b8Eљ՗սi|\Fײ6 [i|p'MV`'%TΣ@ϩ~|Fy-Q < qt[ozatZRɭ8NYC{9k ,^y i=1lYəBȥPh7bm-Y9ynBiz-YفWi 1_6zN^4*4֐~ػE;{^cSWXGR6.J>)1XEzZ{禙5 uuntyc7u|8q.؜NӿR]j[3cvT䆌Pjrd%BUIP*Q1|}%xN6l- QQ{Q <#&1uè>|`%햹\?!Gĝd!lH"# 4yC8aSSk֥^4=Ҁ|FP?~ ضo#rB~gXG!~ g=/~ŒWc :gc1FՐN[-O312tH(*XqoOkp~7JI{/ #Qtf)2ǞI\ِ $V'=׺4ӵJꉲjרp7!SSW!m+U0)]dOLAd:n?\d$/N{U+ҰU꼊cf?p@I/3OQ)ʅ {f<)S)nԑ!ZOi% 8zj1D;:ɚohn |_v_K/vh+3pմ>,x:R+VrN |9rm$R/$ ffEn5m]L*:} F%@l_ezP v0Dg+[0Z&|<-~I6ž2Uƙ$~w37ZYs&{k% -Ԏ K;tFLlɽJЗ}f3W2u=7d 2IQZuLJ85~okׅosiSюǶNv1)kX_,aG;BÑ-:iR-QǢܦ(bos[\`1mfm^͞p$vqѣNЃ{2sW>ߗvh]*$k )'L/gl6/KuIp_Xu@Kȸig]**mhz^sJ*@cSt2:9ʬT8$β*ȒkИ <*8tAްX߻37Y[dl0z֌%Ti FE(g@=[p~.tt I8B[a/傥մz7Ө4K (%&|]cTyĵ Ih v9E{- =S0;;"[ivfR1KRTu[zGf b"iL7FvRk+j4qH:MԼ H%=zS&УEj$kʕi^e(T]*\N-7Ɍjňtd!4#BOQ%e{\Y 9.vF翣1 2@L6|/\Rgݝ5yhFlzz3fNql2q{w h$I >'s;Wt2DJƿYjޒ%>w#=)699 ߔťTXտh]ox o6L*ߤϐY zDZόFM~b\EB{CF@~:bIF(w4H%)q|  OIKp76G緱2RVJ\#K̠PORF/?, Ae_5x,Ip?MHC;n+P+`5+HnofcABHFr/rl.B#:aV.4ՕWT?}zaE M1#"C "Ha KvMJv+4R`{j 3obBJQyA6GC9_ޤW)Cv?r 5͞P3dܣ*%$Ap'6 ʘ'⺢1DLx= wv+UOH2v8FLSp?FtWњU9n}]ܘ_i*lԡ&$?&NR f<{7L;l{'38P~5?ҙhES8M]7ŀ_< f'B/`、 !o3d{8ՂPWr,; 9vg 4Bۨ2W`5l9ST\p3<9ΝQ S֖x^$e8~e5׀ n*yT K7]l1]g{K̂e~s?b yW˪]zM;ז&6u'N_hr4 4 nnlݔ$-˥Ȱ$UǸ*or c@j1i1/K{!.\1oZ]@_tW 1OnRM ,:9ڋ5 =:#  ?^BW$eȎ87v~96.yy>{M5Zkn|CU"cw ԑw0`0uh4uP{d fwٓz܄47C芔{$POULz M;y]lkh2QJRtgj>+n%:J$ޚ`FLyLqu;ُj AOwEZ.}kG 'Zxn@<\kMmZȅ%v.fifiӸ ']%!4ApDS=P˺`ʃRH'c!$K@҉ 
VFdom4@wd]t/%tJ\Lc8$~<@xdYqQ_F 9*b+Mv8$,QQ1_m'ns(lQ2\$џ}rӷ>']JOp,:< j5ڞ6`t/ c{**%xR(&LO?bx{5\Flg(U"O{u>ydMe7Gu8sll F2̃)2Lqӊf,ьPaY*4# ŧKJ%@+MVpֻ` `ѻoXuaYKk-=$ =U9Zo(#]$vٵIHq?lg6eMJ=㻫CxFxPqvilgհ%Q~mHg[uܱ]3PF݃o0rށmZ>S`۱#",'l4@XDs\MG,%sҡBƦ!fg~*A2ܥݱt\s \L|}2[Omu#,SL(5yd6K+Z2⢁(AfoMԧ|>ܽQZw4Tb-gm´̸130ԹXӨ.jhp-gŷS!#T0 GbDT mYՓ6 ~Sd:Նt5!CGy\vNJMggdc3I/*'qhi&9nGT E6qgDŦVvwuȒx/)&-0 vO̞nfL\1XM5_pzx#զ~ΙK>, E%Ηo+4^D=hh9д(BPF $7l _B/"*/Còxǣ!W +y=1{}R)k̑喛ޭ|۾ /9Rk`;᳈j7} rjz=0Lezl wnJ+TM^ Ɯ03BNK`/"kby| {F͌=)J3|Zܿ!=IA~fSi"Z DVC l?e<ҁj4]D|E@1xO1!/Fp% p65*2?@7\!HI+H'Pqk~H#[vtOˉGyJ-"ݓY>|ڠ(=qE J3qsM<MujPh9[N瓳 )Ә;w<E~ +:BRVg]#l>D] Dު׬Vzɯ΅mu,8"=))4>ZlH& Λ@9Lczy <F Fx"`j&}4sEzye{ƒj?. Vt1ފyO._!;]q#)HFH]ֻ1FLU"g{Kg%apeb(8ei2kOŲwhCi37HSG=Y. O#)33w{He+(ȖKݪӂErβ_1z` QU &+{=M߭ 2S TзkcsI=;+l(Njzl1 j4Cc;eMs XVb:~c<$[0hH:%'pPY)񡌿9 " %>XԂfii~gC{$u&+sg|_}Ή7,wy3vrFգ T{eƦ:?BD F6v^;&U.;ȶ ˪7۴tʲ'͘QuCܶ&qL"eWi$+^3LIi!T ޚ4Tsʕ'@λ?JC=Q*f|Nyq< $_ߡnRC*ԭX:,рk1@v4r 3 2'sU835q}z Vj9v4y³"1g /+}`r-yɘKă ,ZX2q1) 0d( ^GxSn1B-Z0Tm"#D BB)y=`7򰩛UT0>nE`N:J=p?#ދO!C\;72)Q`QW0Iwbη~!حB;ITuS0f@aC.sN:S'[R5C3] >rAa*S$Pr Lhҫ+U )19#ˤ^]ǿakϗ~3Cdwf7o}oxXXDl yh%U1meɹ͹ Ȝi wԖ7 <jU/(7?ʏJUi̬rVHhSs]U>Hzr6 -zL~N0`Mvr1k\^h}'H N,9PJ'%+)6dd ܃%iBK_9i5Vd`!qiYJ7M+jJ`-M7 2g΁۞QJ;{h`#b~1<`2y0)q8H6w/E|KsXNzY K.ⴂb #]9[0ĉ@:WS2RnkM:䖸 b:b~xRI ?wDꁵlnܝMdj,KG ||8r#qMS`߭6&dFg$PzJN`[RWJ1f-,%(O9DDf IjxpQ'yc8mP& ZK y VaQd!YGi#CJV.y1vng$EHNԣx+]ARwy0t5z`֖uMҫv |p5`ɾ]zѨsޡz`g mkKS$PgWI4aĊ/P&E>U}u3 o(#[s%|P>BY"0}pE;Q%޾J];$pQ&0IO̦JeLHUW 8O҄5^vͣJ Y'JVtمL):Lie˭ԭ㍏Guw C/0^ 0u|5ᐤ{'p:gP7r/28Cn6B_wc]n\\: J0:'q>j{#UxSH\=;8a驙 z#6,h u&x]uikT0T4]=3*+B㐙!edPP M~별H1HցH)ѥ{ϟ:W>?N~ !^ۺ%Vy0?w³(|!bjueo tr[tهM0RœNgg#uOa"9M=HYK|n;GBCHK,g;#/ʣJuYң`uZE]T(dUdq ig nO;?o0Drw麏 iEU7.ٗ/bO7D<:L#=P6Rq9FQwZH̙ 2Hy&2>΢l~Q!e"^3֧5ƬGw-*x j构^ vّ%oƭ.[})Nw<8x0KU$igv0$UFyۙ)5Ћ/Ud!Lp$&:xP ϝեgQLUh[ɹk9?'~m}Zɼ]z㙗rRw5j9W-Q!t+aS2'~c  W?.{+悫Zˆf7XY.ǵ潽TtZ%p~ H-(ӣ>zǺSMq},lx*K ;T1Nv~b @jk%a$f(W$WE%XN{zcO{WG¢h ϒ5Ƈ[+콲]P\.2F1 \<ǧmadlҵK^ ctc=Ϡ* D!BN$'Iw$" D!Rtzy/qItd\9vYIcc'P->U~jE:g +j3Elwa>TEE- `v@,VɄƯ<7 3Dڵgvٌ[Ќ 
/C$t{*a'I7l>Ύ9/˷{J6?Ls[y`1?ho}Vri“ƧyՑ1 A~ܰ6eۼ.y*~G΃p,TB2ݝwrK|NۊړwrCAmW4ɊZ-577Zq}&:Fs;'Ps^ e5fU_㙍1[t" U2fqs~2FhĆaՉhֳLK3Fu,TȰλߣSNgG7t;H٣%\HU^VbS]]A <ׇxL 3sYr, 2V><6j|{"E:L6Gq9ċl E-EIl}*R`*4E%QXP z~b:-UprqS1`4 0t4Do0HEKO+>L%TPm# q-emsX}{jKNk-:Ԫ@$퇴CjW\QPyJS<ԵˮmZ;yͅ`55L| S]-Q%UzI+^W(` Aq'3}G ITѤe?)y r#tuk;=2)D=,"ĩW3Nb}r?"9oҬshà ,E-Rn%^j@B1??A}IYxEBep,:sדx$k JȬ(oV w@д𭹇4]fhr9D鯰_HOU9O8.L"huL1AdEIFz# <0VH fLL1l)76b>aq|s|܃TYvC%b:1w)+)VpPM0p-OHDžV/ 6ҕ`bnx;^8end?5fP8(X h2K=/Fo^GlH;nOv6kIEӕ:37t>Gj.Ÿ_FOS|o!!cbObs>CFʛjS`*ؙBejP Db&;GN F$(/fW&PaƑ^wpc'.~ɊDap_ӎ Zi kYom\# ?X8KzuUZ9*$9SN~]/pKA{AQZaRj?e#\'d 'N]8.S22be,_;IJsUl9=ЂOr,TquxVj.ꍦd jK&^Eh%taiVp|2@+W{Қ=4\X\6X)q،3KṟBx2Zu_gϖg_:K<aZz}ȱ|7]47)PIZ>M*!O{r?&kX5y$zsT5[Ӥzs0XoSYZ򘾤Fv\/)F׏\o'7^P<݄, cڑ4HK^? +@g1*9_,-P.LiMa[5`| t';^'٭-Jsȑb+x{J:>QHQлVМ_IM(/4nH I{äŴ8&T D+W%]0/ƪ^<ąEA_%–H-`͹ồ}NH5_G\{ Y?>H7z둜5#i(BUD8:rgSgx-ics l^PZ ؔjc@u@`4G7q+}M(ϲi?*Ub1?|β:WB6$K.<$ŻE';Iʔ!u8Yjo B % J}]ZcQ>})5dnZtzm}Ezzg=uGa[;ܛLz]VEp[B5] F6ױ[F* ҵ#So~0N8ÇoUU;\'_n،piۖH8$FZ=yֳH!r ϩeg۱Yo1 h~4QLp-a⏳֐pJj;0X[žvuBwv~Ƣ5wi)E1hCK zkb\@7n'0,UM;9AiN*^~OQ:d).~o cGtۖf'5ϯ`nl[RS/lfU+'Pםem'=S 8=iAZP/&ɑMIА^`#+C':3/LU~G(;G%}ry"[<ݲyl73iGm23WQ%qK@WaB PvT{ ,L^ne]T@OZW[Xڼ=?5x_nwHUx\4=D0lFlgq]ý*v`c9CWxDQiE 8SLw%SѧVwUE3˂PЃPGVm6z^ȶO} 8*LV1j;.[ |s;5a$izBp_ ^F,H$'gl&PDgi̜i!=Xd'},IvmH%l;>rk! PՙUo"3G3_Ì1}ܲ?/ ]@PDL9u^G3QWf3eEaB0R>T6|@zhI^nv.ڸhϻ)(߲W倾 .r9P{hLa71%m?6&p%ZJk 1#uĂ6P@{Z cO{ -04>;.)ҾYżkT?mz7 pծkpԺ0RP TwFclJ|K'XN̢f2C56fu eufPqPdcVOYL 4Cv Y4C8w}ௌ?b˘^ɰNil<>[)t暲%@F(lhNz;P}{uIJK策wbޅP}1~T<+9ĺ}SK-toOھV{cFv+`iGۆ4-$L~عVqA1K!)HTesĶ_r|Ω~ŁUBH3q D-]Jb~wyKW&=CYL/E> bwxH{y⠳}4H,]]8zlΈ">ƹϭ9t_:pN[:I|fb}6j~Wغ˽8'\-MYWǹJilk]SQ# $:&M!eK. dYF;5YAkURl%}7dM/K]*{MCc# bϗ;  2J"ka?VR p܂!7ٙM+@@sg\Pla{2GQ`Puv^w2Ty`5 LVkBeam䓄nTJ$*H~)hKR!S TM񲼋eL0I]N7˨_5zV-YE|9jJA{<~Pq e#~!LfHΨW/_>`V.lqQݧ}o/IK5u7u]G>3v$D5ơWT QCXF7 dʣ- y@3ף"9;SZ5T u/vM*#S c !%@lCOOu+[R5a@mi;)B_ 3ie*P7w7򷤥p4bYώJHC@|N#+yI戮mk,5Tf2Td:!uYWF?ΩOXEJTz,(Քo.0`-%CZ KU73] zGʷ/!`twc)u^V;iQdЫ'TM@c:Fj)AP_fD<CNDž_'tIJYA_tf88k+F sAlF(? 
IaaFȜܩv 2 L^d \nI3gzYUTS58nR];#^02ixʁ-GP O2uY]N]>Fb)Gh/%~52vǯ5B3 ޕØ0زI D>}sEťlKb#Ԥ l@ݍ^>0`-Хpxκ]?NLIAXb~C N#6N' !  &;X j:{y` waR¥,]4yr>Y /e,X`Sʝn$G2 R`eߡڢ/F_0dzb{M< X}hҒhaRivT Qhi.7qV{>r&sY%dg0Ե /+N "Q[L8^b:l}j9C~aϤ Դ4،?g) 0ʽj 8;b  Ɲ(bV)qjȽl-l9!9 WYo00[ASC2N9Q ?V"PC=m 'k SğMai/۞75ry;.&$gqʵ5]v߫8bu9 2u~epCC#4¦/x*oD=])jDR=SKŞ BA:  W{{s19YxXBNJ9թ5iе4dXQRvmO+kgnǑ@OݧI 0dYOD 4l}璞6B"MG聙.{L]C#SUOoL~zbPeR>[U=bZѝ ,t u= 3y"x Ȁ(ui]=BͰF`sUDk1zJQ 1%zG_A2>W>mRw(31iI|teה'q:.i6*6n:pOO()Fkb傝?#ƹx؎\f$d0 mS?}C;87"UVh| ( F%%رpDVuN6lSX'X3HD? $atUt^TCgDF{VJgbq0!bhI':$W̦w?$!kii3ȍ]]3qa+؂?C ⌗7`Ap<ɵhWt/ds>2jEqNzA< tuy6uⱻ) U^ڵEX w&.3 zsUUpQvˆb$/ v58+ܔ͏t͸ iv.vDNۂB^XF ,fgsH3ODX%~A% /9q+ Jbxw՛|~%}==׵FdH)7 S !Wݮ rhqD]I_-"μD:ʠv@$P0?hΊjui,WOmX<)}'׺atT֪OIT ή pkCF+N@ p@ؿ )X1;j)wQccۇt+Rg"b}kA|]V4kD{ް/yܮ WCyYԍgl碢ھt3TIm~-4MAO*M5 LvnLGnd l"o==dRDu,1߫j~9voRl 6i~p Tq.C9KIEFqGFٿS\Z=J,eԝO_键_IN%t++Uҹ0n/<g8p\@8?鲕|W(KS~m:+CqqEk#l9[cRUjvi}BcO6Rf2Of;̋??-VuCt̅Lxh^Ɨ^  ⦯ؼA6f/+MT @?ؐag>ͫ[Tb,p?E!l{;zƉPX+V8FO9Jxi{#6eu{zu[;Ca'ee)W]6 ƅuw( 5{z+qX" AC]̑FGGҕr"[~YwF%FwJ7bZ/¤͇Թ ́RTa+17&v͐wZoL+NK_0U wiyw%v(1U¡4 CZarJ{RɥZQOW4(kRF?['Q=lT}|`1&n'mSPJm HXpS-Jt&e֤#z NUGwyrп3G`K m!5f(]9*m vtR)2@Uͯ?~e3lg;{tsn4igD*aweafw꒕I[!C3e6ۢ HFۥ4Rm cgKTV]LdtHy;H3^TɴX0\tFɣ<񣍅Aڎ3}C=~ Dp:"T2VoS8rh7U ʔiz0fPypWg ǕRY s,qxٺ᚝,vѵ|?LOۥyYOYn՛Q}x6Bɿ^ %:$ԅUN=&Kup.ɞVN=rR rb @[T㟎mRmNm9y[ֳta +G6քhw*^>PBNٗE\N,j|4WI-gz3 /6'm@Pu:G(OZ= uPW'W(6ؒ;c7Ac15af)'p;RȰ[#XN=rFK6`@Mi$o[$YnBAh# ˤB%CDމqvB}5m֝՝vU=AI W!)s":hm؎VUe,/hgj# 5oQ1olCZA˫tnnPsVXE(Mxw"]bhMkjΉ&*|k%;=M?N;:; ܰSC9_E?k'5~4߸$(`bFW:Ā/Z-8 _#N(k1b`m9yހ7_*Yh4G׆Y X8zŻl"Am}#L:<K;ǪG}n"^<M+eS_/jKX+:37PVz?_lTQD'C=cY ) T]۟ Ս"՘jv"{6%W=𩡑c 8X5Qz+(4jEk{/fG>Y|wxE7ËbcUyIFJͱIYTˈ >Ne6ֈ $W' Vә_^:v ;#qN2j*4nO8!K;0}aak) ᝠ^}/ $x\a㝿RaYXʬq⵭SN=u3z֛毇$V3NEŞ!9:&[A3EhM{b_7q~?h1d:n9zBj 2.f&_D,)hfh*M-0 _b.;`8H; 엟f8| ؛Hdz|2\j,,RPFwO'UgR]l P8 xطڴ-5 :Hy" ɪ1uTDxn/bvaI`Ъ?uרn/OpMu!;ҹM96s-]<'ءyN}Q ͶV &tXr*RK151Z_IۆRX:k#|V$/YŢ0$\/gb:$Pow% C!6?q2n_9"KH=ӟ$Y@kes^*`BkvM;ux,j #-BzUNG2tX{+rq xI¤!ON}_Nٳ9')$6{Q OV'vW[o^ՠ| a(5~8X@00);ݶ 
9yBP)ʨWJ{.fQcK.B٬RIt>hGl=p,stdi-"NB4HIrek3VZ*j~VB-` Qs}xAH3(^}L/Ul6Mn2m%Ң,`7'|A[as:J%řyb6 U!@l\H]a5|ה@ȇ>>R8;8K07g7][% sի?Fw9,`ػzT6rBkhe#v^Oj> "6\%ӀpCa O_}|GI.L1LtG{bI9Dndn 68oH0d&&QZ4sUi })U0M28OaPaKAX[ %ߔ(x}YRR n RHFl^촙HYggp5lz\ilgn;/mAn2B+AŮެ;DQuӓyTvW~}Y%(5 pu;mI6[~I|-_@lɭZIw>=(Pa̸|ʯ B]j+ml;FbTZNwi1(NyABJΑ[qvK V"z(>. x6V&РPoo,7H|bHX[7{@{дwf))|(q'J,9ܡd-;U8#TO'FzmO%_%t} f98%>xY+SyKyFwusa(.آ_u2z" Wn-BpLvS5L -2gk],k3];(;_mYuc3vl^mW9To)|nC z;7 >1בj~ Xj͆ų- NÌPYQrҶ10F*YJ%Fx859oI#^!sliRХעX%P .a˼B+WB)W,SwKmF{c\G0Σ``.?$㜒nNaubB)&rȀQs?Aڣ0$ɃB[ѸfEү`XR|fd, y/*i;)X)Qs_5a=_OМz Ȁb3b窃.mQ GOU(.(_HosV-#tajQ Sbrdf_z׈Ǭ`WUJh =f7ɳӠ3Oΰ{aV;$;oe3ޡV{)O M[3 Dꅬc5ߜb6m*wr0e&NIMe .o$c3=U0L(~"sũR7ĸ!?;XtZ4TPQ:ChU)1>̗홀D#dWi^e]nf5 l3s͔[s.I*, IP㍶hW)$\Ik3q| ~%WVhh+qbT6Dr@ |'8h.ىW>ax5Cq- ˲JZCrb.m^W]uɸs)FmTWŰ Lˀ: _57-4 V+^q-^sBgF7XلVV%{aTN f5^12ޠfۧ]>(ӋB`B\9ZAƽq ^A~Vz&DO ෤KXHg xAr:+`5}`fDO:Ppbj7YYoؖdU]YđVN?C >d\jr qapP9@R#qq_ SՕ)~r\Z+.c[E KZdxnA;) `dJ!&Zi+ `^,<oeYr= +¯UrA,s 1;(ښw4nuv?-?wA}ȔubyGl %!#rCӣ+tWD.eߞHUMЭ+Ų΄ $ˏ8ze͓nQɔ CS+/OfBI/$jգ^^pw[!26$P1kd3<}iF3/)S´̔jаѬc+DP1Vf_ub, S[( 9$~FFE QpǰNx1DQ9lfQ*"&y[wۑoUcdgǖ}$0^T/ګOww0#Rtks :Y8NG/dKWsB6;pǫwzeZVҳoACl#xEs絋围g,CCGڙ' Dn0{mNR p[* O:1Iyl ;' wE?=ުBU%ӵB`5l;\Y`\=Ҵ_a8. TE b>US.{K⦳an;xISB63߄qs0Il`Oߌ18${-t_l!ud3b\85Y"s/]?֬7d &K[} d6d߰Ezxn\8͒pi[9 Ȼ`!SGض[ir{1$`T~œbJ"; }T%,smd2n 6<LjvhMuG`%̦ͬe+?6谡l̜xSgꥠIfygc u4 sև%( AĦz2 !Pf՜ y0;1 <ށJޯN> z[O YYxyKys<rqu\o0_Dd¡C3`G#]o [:ƹBMCE{/cWљHf8kQx2jȎ>6t;x*8WFDàx zy:~FITk%@\uIcھG[dcHaŋwӎGZϼ!yEU(oXlRli -حmft-RXJjX>f __C!Yُ̎ŕ꿓Ll,[c%:=sIgU. / F2۝<}$̿jb?ǡ r 'ŤS%!IgvI`x4Sf˦|+wg7`#٫`GbU4F>g(%l ><@hy n~.Jb Ywh< Ϊĩ{Kd#tOXj Ɉe^ekd>[n01j\:zw.i\Zc! 
`Q'Dϙ>n Kv9xO -r{V& W퀪 h{H*u2_@>%HBjfWa*IP.5&`ل7h~ntjTwj%#@w&W"`r3Wj OؗBI2Nlf5~?-X[:CȦ|>?TRUV?@?0w|dhBv I>us+yd^6#Ut9 _:w'+Z_פ\ɨg@ (w6 7VaU{Pd])Vҧlh*Tg^ @=nJDP}?d#'Syd _"f秎Lɔ^L ִbGO5"+%M{RDVZ@T߻639\;v\쒁`}m8|_8cJ] GNBʪ .2VNr^m`ۋr۳#ΰ ; W(7BSJцie1y``йB< sJrޅ pZ<@WSIFm"7 9풪F% 4:K`!M=߃ݐzlD7y을ܺ +ez4M R2>$o Q\4!Px7ck̮ˠ,_w;q-gBH^W|qaeuD l] UOՉ5W+yw/Q~b`ONJf$,]P\*~`RR4EVBck4 Ns:UU#>Uh?00J;ىL42eYx\S:`4*h2@'/lTVSf盭c7QPsdg/?f(?bsSE2@x(FXE4UN`UӰefB?4;PDG NSMב&Ty[)oNw-2OcLCKMr O18F.Ū gL lU \=yzzR eșM p !~1@ݯayS&Y%K9Y&]u9/푴{F0hLYC/P҃;Fvck^j; f4=ry60RGsd_{ޢw HxAF`x" AEꛍyQA>k\3!yxU{/jypXQ+ZPb@,R 77׾1(PSK+VPd>MPaAnl3܍L`"U .ztҢ@g~%qH |x3 URu9X@ϼR6?z<<)X״y^I,W ydT!87-iu"K=6ؘRkV?k芌{CVIu3s :auC١Azk9up&Y.RvD( jq;%ɞRQ1b0Y+%6Wd?Tf fd >>"TvOQ`,ًF1aҭf@-@m*! S؃sH%%NXc_4{C Nij }A^#Bye02nVw}heʲ)SdG&Ģ;4LDoDVTZ㱳_bw* xO))3D/ł%Xt"mfͿnYPGbeVE 7cj!K&SGhRL?IiU,E{rt<\Sq5r5$vԼP3"9u5|F/bZ8ͦȽA<֙]-]ng#O)H@W̒u(֯kNjB ]}܋{3eUpb %cB+%'! ZZ|>Dm;PQUf-4`86u'DFfnscNvArDdchg]>\4D"Hf;qŃԧ'=L,]i2*=bdkw/vm?ܾcX#/HAs.TQAv|.QK"[ѸZI\Cn|$4_hu -iI59O G6QGe{E* te1},΍ug*],'JYZoGu<&A丝-z` xR 5h^& ӵ`*S鬞rw{\~( R(*k? D ыfzMqV9̏xh~;WЮ\s6:% DE櫞0d|e}tu/c4P(ٿҒ;j'p;&6 W/aF U:!{IR[m^No@paI37ͱ" m E4{t/50g/y`ٮ÷=P4I{X'({3;$1ZȌ29 JDSc,@ⷔшfA#l3Bf4.դy.Z0 fsIhbⓧO 8P02Wy~{!.<ȥᐝkG~3%ʊ^SbQ)iQ+.n CsG $LPo`gD+T{5[ 98MYٞv-7k]C7ciSkᮆ{s\s8g6qXNM( &^u ͈~%,}̯`Dm21(\:pz_o/I3a$&9Pw\ *Ȃ.'>aJӰx"PfE3ѷ%hc& <% LU@nu~pF"GBڬ%Ձ!] 
-j| V={rf-<üBG bWU~w%G9uO59r`3P]nUj"jQ'5јi"֊ff@f!AZ2DAC8JB,ȦJ0oW,Q5fb~\K,!& wssp1щV+Erh5,a5mMJq e2_]KТo|[)3>: d+ ͕:jR~}sq\p{?ߚlP i귿~JChFf}UTP* ;@輠NLuI1$BnZ8lw(91595;A*Թ8!g[JAa'׹\\]@U([;-(lY1IyQ]-)J:~k?UY/&,:b%?O2Kj;#M?K>C'O$a0tVZ78a)f82ƾ6qO@0!~G[t >#"3 cܸ^"s0G8vL)Gsy™mc0)VHىy0vUXtuS=-`ob 6#f ?kh#W֧i^ŽKFqR`ch+JOhSh]:2'aٛMvQa$6 [6f'wN RM}`İS# nUggx6R45Brn4Re^e!H`ku?9뮗c;D7Y/90Quj*Jӿ|9]BܩhŁ'4a#zJUOY01o%b"y^`:ȭ7y][Zz=mNO2k6.HCmv+$[n=\B+\ĺR{hQo"i]98H@Sh e~͑/hz0ushA 3;,ԆP%^#w632EUJGB6A #Q m z$5ƎR;HƐ ';S<k!6F\:@ځ+9}NCm!]%GZ* @JAxZlw ևwTZ/kXپH18:%EC8/RUWXB҉PGYf[s`$&_ž;:mah6N *(oҋAf gL@5RNcR-\-d=Rs=D(c^ay63G׻a6#9DU)r8#tUf-|M4׭TD1{g z:_ 稯cX!.Dهw 5-b1~Ly9͋ 0-tJa.k>/nߟEAŨ!]l 4-M+ErRMT8+top{mMzŐYV(~Opg ~_s܎F'\ʇ BZ=$QwH)Wͼ9Xu[Л1U%C-LfxgykJ%673M&Rac C<+-:.XߗCQhr(ˎ:Ք.!U?mq$@$'U)sMiCbB%ƞ_U67M)9؁Lũ+y? <:ZΏJ*4!6Oq ˪-';f5Sh.}@.YyR=[? % WTWz؅t9~9Gf!ؽZ&ϥ?/GCIp3ttpzU\6\f.'*_/;F-_[Hzw؎A[|83Vc ;cN>8c,MW=~ec``n;B?sdϜ ٯN OyFxNev?݋c~7 a(m#gY˚2 pZӬu\'!V$LvSuf$$& s!N,-I`:u7FyxG۸~`D,b?eP/UÅD ^u? HX쉔!@q'#l94zG̤V{SxsYvK%.ޠ{3>qݶD[q (!=EݞŠ,0q 9$n@V(7T68ھ s[ kin][N2[-m!8Ɯgz0cX}% XҚiJO^fů/K٬.ZpxN[{GB;$r82=[ҐT1 |z؄o27h'Bm X%Gφudǎ,Sc 2cc&ٓ*mۢHda=r&=8Yn) (1nR:YP&%PkWz͚Arl);e^6+V̦Tp:)$jj>lqs=Ap' EB.,ˮQ XIP#f c~' ~Ïz z~qߜQ"\Ǥ@];mTSϓp[!F3~9tK뿭Z|($BIi(}OvBm400㮌!yC8VK2CՎV_(, Ӷ3xjėgIs)Hbȍk3.e&Pi' 8Bi^_9 zU"w d}ea"jf]`vOG>-9nA*K;]auOVPhXOq8 垅\n+=Ci)1]be1X:[ofb$Bօ "<Kcs.kuym>a. o{USH S ̠<_vxXGFUJtowTRO1 H@|6KmPKzZ61+nR" R6N[BZ{D3ӹV-XSm ɢ ˒R-0}7_et7A h#GM3,W{[k[$mim)kбr>6! b:~ Qu1-?e,>ӡ zSz),2V!ӷ, óGcVʳ!($F#v-h6聗R(B"O!68}{7k"l#vϟ܀N34`D9-I,!},g=@CWup/an_[ gcXZ8GH*dLR`.1%f]ád@cFff]`)}.7gffɖ8Jei^a? k"PA+W zlҕs_hZz Qj$fa 7H2î_*q+"kGd-ՊSh% P^. IL|At3vjũMPAUUYCx#}n6ԇȟzUNvŊBٔOǜt o6k^#EUwBw`;؉^6=Yq%]T|Xzȡ-b-F dsE( Wa1MT eGGpi)CEޑ3A*N% buE֖:y1VVڽ`UUbvr;,l##SjUW սupxh-9l<~;B 2a .|~C65B |>.i O(ͯ&|~  cN$>PX=S!_21RWYF*JeBIZk. 
Q+u@?epĺM^P}ƄVJ þZ9Ox)^-D g:[Hb0F(9T 'lD΁gw&h٪` \P0QL^u\v*|鏊 *2/u~QJؘX1r on1pY@ots'T *nwΏ^5#V?2 QM:HqA,7(9HRVKgf!8}v<\ ̢*_QT%$0@ܝ n귁~a[^ӔqƫrUlc/'.Էh1a(c~\㺛~֋OҊN+L_E]F U7`Q;.r̺Yč#>w~0껷F0mdqJ+p*~|qW-tIl&haz P`tJSt !S": 91 Q Gy7qQ6<9chHQdLt (݉q1˯*l=8dcEOb漰%;$>ob=E0سEwc ]c~om )Z)Φj1!wu!o<S0RqjMmc7geD\Ӝtj7u b('HTyNDʻ7U;#yV=b{oWZTj>GzE 78_FyzĜWsHT ^ɠi*o1<ש@_MKPӤW@Il!mŶ̫5Ь8ro~5 (4r% 8ʴ62 ڠ;Z>ƄjLn]'!7F=  5-asOmPI{Bfr(m k73˲ufDCqMOb;B8䅰3.DDt-oY gxft%w{)d׍m .od܆um{y]trM55(͠f%/Ο[Qc%UmGCMpT Q%/vZ)4Zkk[s乓Yi扯hbYx'}؈q7#5[bk袛94DRԆ8}l[Cِ~nasZrZ,J/t A}*S.@ }TxZHԁ.|fn%$t>f#rCIâzAccqK~[[08Dsy0*MeTR|w_z,G+>ʉ #'g6Vv/H<1Ҕf* Mn%/\N%\J*/ o;ȏ}'vlcl0NpebUf䩹g.k9rR핯$hD cS2q0QGU׻DP: l6ð /:KDž㈍Xnܙl?BjQ ;@:D-.=C 6|߾쐎3o!ʸѫrf(kN(#Ƌ{ERo"ǔC i ;\u 7NtzQ{βO`ޥ I`c72cݍh(ΠkC]JII*?os}4[Ҕ׮5{ ,. %TE>7ĸnfWժ7$}F+7kZi0UyH^lܰx=Zg<^%<wc  U@~Kbi  g+*[HLXBs2c*Y[x dkV;0o c6Ѕ @z=3Q{ro%iΞ/WP:8 z(Iwt7Gh͓=bwo`eHڸ> KӖ^rgxze9*´O*  B*FO% kmHGg P^Dz\;țYpͳu\5 TWSjzFY8+v>l~qyhhsx7VWۉ?ZV/e0!FEߍK)Zizړ^-e6{Px,r$_2Wf-{yswJ& ZYG 4˜I}e-EK?bLz]\ Z@sv6@C8LjSlkAsK{!Q6G7ժװ,_$t/[Tmw&aC[oIx}W3w?G,3[qN$Uy^T&u Dmn/ a@C^a '޾fpp]XB]Z?2Qݴ $Gkv)iTeQѪ9R"DP?.zˀ < =`<\#4cK#)gpPgGPxJԕ~ZҋNA+?t[r.{,+) ѓ~\bpgtV9sAwMDl}n_Of QSέHPKB}1q{Ȳ' .} DpM!bov gi-(Щ}b;L4 tҘՈZOu ER" 71PwD%clg^&0DDIZǗ6Z`z*V&mUvFM,OC)ÛtX7{{Y&B!?9Q)Esؔ8| O(ɦY˪;A3񽜴WgJ{uX]:aŠe!A! 
1~eoյi^OuHxYdbAo0gz2.|g݇.lyʷIqԷQ(5FdDI*Gi$))^Xuw4Ԉv5.7Mv]Ы C5>9L}}sRWGf5/3m v,fI̫Tb3zNS`|;.K L/ZU}8q 3Zk:aKYj ye8΢eY~w$Cnr<Gu8@F1+4А.il'>tebS1d2Ե%t/}<@jA_Fǎ^!nW4X.w- ?\WfeK %c) ŃXyLB _ F<#[R,NmiLйSw.^7~ rKSI?6;$i;._RL<Ĉ2fEApf=y".K=o)3",iYiCTɰPՆ淵*f+&0%]$aGio +ͮNYJbY&:t[ : 48w|l&ШE,!"!6AavCHG@9#g 66lwbHئx~@\ɔn[pU~9).kg'@/h<)8GGho573|=Fh02gPg]&X& ƔBũ1^cS坝(uhaui%yNƃ{ %58s{bDڮSg͑$ݜ%}4O5T+GJtT8W,_"]X&̇A"JwG WSvu2e9Qrfu-dbx{ Ζ+NXy6$S˫WbAht6ZS~wً3a !As -`r''&}S6i!&IՉGMaF4a$>#IuSd+حН_ӈ4ɨ`4Ow8=2Ǽ&ǘvD/z.>UG|J_' Cr;{ɷUY#:Uk|%g)3ߍ pC ]eß0ę\,w8EHL|tKaLd0彃ato Au?oR4 ̩cQo#{-9YD16uOseCمǏ$ »V h{c31zCGRbC%>[s|746-:~['%du4Ihkl [Z"JsCU d{EjKV{YQ1˜PNP׭eH!`,`yχ-mCyS"b@6"n f d}ZlF[UrvTEv^cg=e04,lEq&aɎJgc#ILH[eɤ~2<: ^;@T%eY6RyNO)inH%C [*1=f=g6bw'Ik7xnt5o9FzgҞ5n_ݶhXز P3r J걠4oWn~~` 3ґUW9$$GnBfp^JсaHR˶(ee+V>Pp*-CֹvO?{2 _~/Û0Ӛȿz>|v|=L hcZyʯWЯSsgF;7]7C]#?q5AGn%Pf]\Osنt#$A؈w_JύشFL甋`^.΁/Qu2JJD$7tJ̧ٔXb c5ޙdO 'L4E=R+ 6L:b*1YBr΁sD|;laֺ+GK݋*>{lf zS,"zQż}Jq@ҥY4be~H%Bb8}D0ߟ`ú'9! q>|X F,&o} Ri)RK%eF{ͲhPg]yo *Ir<4NP/R2FQ p58˴'{Ld'ѲAja#[.쀅شd.6[̈́lZH/ፗ+)r/ƭcԩvUV1$CAl`"'Li^z=d'R̛J*t EBFl#{U<SMɃkSF;J¹Wɟ@"uQNf]1;#ݻx߂y9e%hBMnDm7Ez-0S<#[?? 
9g\к[qq$21UJehU-x)!4KyܫP} sX4nhħ{g?d|4)8 GAOż2wPwP9IO ^jTLe`O䁄MjxSu9Qɮ.P.UXGM\؜zb5~ʂH5/d 脢)z>>0TO4PƩbo0?zLeS6ɲ!خh.wEJzw|BbP*~>6e- Z|ym )R 쇤jŌ+^r2si b0^+D8_ Ю[WÐt+k^w_-jum dĭsb^~´_gj4d*w}-̨޷mu2C"z4wL99q "y6x e-ppįĤhQZ☬[tۤΟk?dy2O돺/eP[y|1Q9}:f;D&eJB[$v}xt_Ayy<'w[/E"$m^hÞFrf i+}PDL*:{HڸlsV'JnQ$t `]9s,pxLJV==TIE<Ӭb`6 >XN"$ZYhJNuH68d(.;=5 Nn|:Tawos>|/LM>gy)L)՗XqXJk:/SϰȜ5r*qȳZ$p[ՂTc6h<{9IWrSZ"7>&%_!f.}:?`WNT* ]S6Db7tIM s>{6=fT;އ9NBa@5hG8C@@{ !aWzXdY( ʞ'+WNb0IUcr y4+8V(|0ZDžYD4x1L,ub[|̮Ŕ kQ+]𠫚6 ǟػby.x`9.y?GبB`9S ܰ7%NtktymRTo&4Y(#jԀSfᲧC.} h~~ə`ի۞Uk^X*c+왧kc{.۰IFSGy26<[> sV.KX.|/ }+ +!7?3YxŗњD3鲂]*$e Ns !8 ۈkm孔OR;د%qωcVc߿Ys`S@Hkʒ8_zмFׁ¿ Ӻ d7 C& |y%T,B11;3feEktΒWBj|hD\!M'q>'wݨ\oRŖUUl+F Hs"ƽ;QBrP@rBykIk=+KV|Fįp}% ɕS K q+/6LMW{=X4ok:ԍCȲ(`/TZ@3CMPAo@vLGra.CE` EY +=w r:Grufi6answ"Ҭ/=yK]GLȳ,A=3 (2QE)ΰ# I7tY\ x'%_Ce,]҈&L0P_Oy޻(Kץ]3G \0}/>H^J':L +%?s=ՇJo<\\DYHC8੟xH+@PE9G]U`uWvKCQٲW95V#t1@ةv1/O9Uy[~@WQ'C#/>!aE gߺ|?}k82R[ﵔ2ttRFz _D*GC8'@I>r 3W,o|hOk0ϊ> ^/|sQx)3;1&-4D+!̯*8ÿm^|2(6ltP/Qn"3=Ue^#ξXf>Qn|>g+_ׁv%p)_K;Á&YkEڴˉB=tVQpY׋h+M+"O9XQןxOSg+7.^`)ɤUȣY4͕Qv;'PQ==U=w5̔g&oZ%l,m)0߫aEUG,^%D'' pJUk>тp >=]H'Owbn0$;Bk,-x} %\|}>,4ypb:CKㅸ/E@S>`cjھ~"܌\:X'k0Nt1u$P }U,ӨC@Eއ;F/ID/kO_(0v'>kISA5VxoP$[[Ѥ+C}_BՈJNIf|ؤg}҄z9V]ksOL}zC#6n4p=5j:R6[+:l:*K7X{!H*#F U\qmEy+G)wen+'G >/3ˉ]M֢ݡnf"lj "h<~V"t,L(NcMq|On*~GĆ%S,~(tAL(%ߢX`S毐49 |\U #鉜b<]ıP72ᯉ҉cǾZV\O@[iZHQKλ8WԋAsW譬ilDsvZ. koת]!wt ԁX:y}$gC:E;pOY !BxJ@L QئF2-y"zd;NWfsV!eڮ6q ô`u񨠹{(*qϟ{,],9R`ЈhJU$\la}f#2}>VT>5Vޱ-q`(;p8z7Zjk^ O!7XBz2J?n k])gHgo=a,d{Mc`Dz.lp6+!,3_3OShfdP4U+^zu٬iS 2k삙8_s ՛:봉>vЁIHsQݿqX ы![sҺ5ȥ0uX5S e}S, tYUIX^gSrfoB9ڣÏ,yHήfNIki:Ċ+&ص}aAyAٜܗ!2DwG@FM!&4緿vpI-%F:n%7o_8A4ec !ʥ DlÍϑy[@9fh} D]qo K^= 2s1`/tݝܵ,;7i4/۬ ME?B$f@Hg'S> ː}|T#;4cs\$H>/ xҋxk22Y_n5I4s7 I)δܿz\溣W >:6C@ɰJ {ty>Cd(En3:>-0"vD(ݶcծQ%u|ڤ* egelǖ!bb#&0<\<nKYWlLmn_\Xܸ;wxR~b}˲gp30I'Fph+ p+A24?}G@<ՓxT? 
5d/EV0T+lL%'3g +9w-Zn)X\5W%;1|LpF(rա0$Cގ3rWhp<{nAԄ$)_I#;*tAƑHkYjȝ'*~sV?~ډ .GRQż4bڅC1Ո5_c3.nڃq@#Lncgv'rg=a0lzr$.>$Pz+fPÚ\ ǯQ6vi'ѧWwq(\_}K΍j8=ǵ_WIGx(Hvr5gJ+v ?c0d ppZkaE:\!:jT6"ƿY:6<єX6 qT܌6#\ Jx%)7HF(P$^d+U##fJ @E# Ƕ" E<ģŒ5 f"_~ICQi3 6Sa!I-$4V#5l-r`f?o?l?oƨl jp q+DR=Gâ!??hz7<\mh(#;l3Ʋ<,6r#͌Sg/Q\0LHmv:S~|lo.ws_ esI:,rP@b|WDsfޟc>GU蠓of.U5]a=lYZ_ ]ց0?[*Z7if=1+L y%5Ugj fw b׳+ ڞI3;8TW CteX%)(m5gExP4cTd)o **q[ WC' VsAts")VHh|2Ģtځcεjnd\VnJ/V鿍TFY떝5-47my AGԶOf x.s;N-0OjPk#o:Be4(6L2/mK84Н΀5&%y %XqJ(of"!໾vC3Fj[b#AÀ9Ôosh3a3<,c^)<-lM)C8p{5Ѓ E{ g޷kCޛDzgGЇ˫m; )b{W+@zNGl Fg.ț+ktP,?5{Gܱ DCꚋ +ρҸneKku9Zʂ6" R5/>ěq _lF[toڭKǙ5pjtΆ9ֽeP[F'gѤcSt,F4ItAes ' k3ݰ۾ӧd}~gqlfpE5\њޝ:Zg@e0ft404δDuQ8 ڹ?]Pfg.}tM})i 3|3xy c{( >w Cm MFzٓ.9mC?v^$4wB#4J2Ȯ1:c-b›H~;F Ry&\"HM.!'ʰe\w %?]1@6gzQy+?TO֨-;_?8J#Q]8#%omcx+&B*4D=eՎ*~rEMKBFМ8bR>*>7>{% d[Ql0qTzA/;z C" ˁS2 ҆O BLū+!1t\[iC:,J'T}DVq790ɩ~.c.B1?pf[1P@$$*F<8,@d͜NKP5-EUpMhe Or"_w}++ǜx'fmhI=9{*E:PidxޡFcMJk%d7f&lK!5Bw',hl͉Vbz֜6$Eخ.P\!S>^G$ԩ(ZA'o[hOKs`)6i"T0j`-\s @V~N,kTR7S rrHl)F1-[I@{i U}7Fjr TfcԵEG$4'\V|Hi+빌٪F_qQ.$:[U0@ QlUz!r)]6)pǺPx’U_0UBvi*nܚfzIй ֑ؗkς6 ~:' +86@0ὑ~Jjax.EI{>0 mԳ5) ̜~onD" ǫFnebIr)hC?Xޔ=k\[_NM`^ ʒ0U,=! Ӂ҂U;ƲY#־mFiϭ{>ro}=soB+_̄FbJ^A쒯ܒ5iW/޹)\JIފqE߄13)a!|Rۖ0T`{@s1e<9sG<3k\-[F+Xފb>>mg 0Z#+Djpi ZڽdP9PZ L`OL1堶mj 0z7Ǚhڑ,cjmM<BnGy(o>xQb8E{O\{ MȮ\4_FuF@6zxtbN# Hs\ZuݕWwA*tлǚ_]e GTnކF!Fb)Yv-WWrݧ(3j&OTN<8HIܭ)hz$̊ s8W&4^g(SZ E ӑm9@$Y=hx*" -d?0)mcHix9~mQ"L6I>˰3Aqy71=.e!bl󐹶]"BjO aOT{'ѓ-s)dko,BZTڗT/t8ӧl"R`w]‰aA?|/t=ի( Ɉlλ-;1A!p# w(M: fַ@|W*W?̈́KtgOC*rf5-\z mI'ʡR|.NFkP `d9jaFsjᐉYZ1lNƹb,MՋ"=~#C MZ޿q7g>]e`.NdYmY q qAoxKD)"59Uu_ mɩ}τo0}ARE8m]? sƙ1kVmU͓Y`/2B>nRuUnS3ww֮ҍ[[{_ЍADXD',^w9FXq_%z@Q wAց;2lxcxiO+OU 5gT/ 3NJV+{nߤ#*Dq}|5(wOҦέPUFXu1|s7%6M%Gckwu$ i]P1? ]|\\U;g{E.BrMq17 -./ܴ0r+Vh 8Td@DaÜZJ'X|=طwnz΃~WdžyѪ]mb8V_5Q>oq ΃G4olݧIfU2Jz]rD4ʷBN\&ZsV VUОA\-}vਮZʻ⚍ss,c2pN"l*Fx ϥ8#mX=I>3^)>=, gWxڷc.RA>ߌG7+໒nK,hDH!5kۤJXo*_iPd7ujQJ7Քա.Z"|_h))>vlTpzm-t8FçU΁?Yΰ4 8{@H~n$橾 hPiF K1M $A|FVOY*,ҡ;_;wM ϮR MH5sFd& ٔɉMr:IZܜRz8¥={ ZnnYOj,7*. 
.h)7l[l8d'˵!S0eF5V|C[I c?fNUL٠TA~H̝Լf&Q/%kWV%u2@1") PW`MOR\U^@h^\ sE@ؤL0L0jrY =m@? 'A(%<|`~J$ hL~sSQԾ  B@:ߕI{a*t' Wzw&?[#<@6_:E< ˊQ}Ty,q]^+ɗ<). N2%:9F3VU +%9O&IHܙZ< D#(%ug0tOon\$Bw[&Hxw2cav2HԤ@@"éun~Yqr5Hc/Qe-IalL1)dƺ孄ևJh^)R]|`E侲ϼ>1Mmۿ1OxH6MæR.~ײRGe@ҹ90nABv OO)zkމ@;IQ?z'gz"lX319d3NdNJ}5㼹.7Gm^!r[& -). x.ܧXӋuKEhڲ/tY(Vf3~͘JϜc ^TJ(H>S 7B_]`=`=) КqwO`gK0z]'gڟ(lo5ctu6&} 'Z>gb叱 ?68,2 գu lTdc|$vJlZSx9y(F'RJ,}Glo,MϪ1lCtQ%6iuE4E} HӘ`G@&; 8Y.$s3gkF*]n1*ðX7yL'BnzCyۚ[ ,a9~^.SD ?TȆ I-QŖs$ǔj䟹;;,ȓ'k;`-CK~M}pa9)YԜLO dTj],/rjX A@K>:.74CvִT݀[R0PF[O_76NQzlKgX=~c8HȗSA(MR%s(M+'ܮ[ Lc~-#E:샊5X!\Nv&Up`"&b-\֔#SO7zUu4Ve[nMضݘӬu6--B˓P,}< Aj!jkgYGዉ=&g U>ƔsUpV29rzNٲsV%[K u9,^U島1aj[/^cQ+CfGrtI\T=fgB;66&6% )P*s^xtE D|TQl ~ZB aњqQ"Pdb*J9OLP ke k ot_7"8Orä @iSS) ^~йtzǘD_hnZu3G^yįU2ww )Jg1MN>dT8S.F?HY?#6;Lj.@C4Ѧ?AΛgϧIaq3@n0%]$ ze,YoL ݪ劤B65cC.I-쩣`HmlYE} qOCoQ;} oKВ|V 1KX@GN5Sh]Ṁޭ,y @Wø~k+ћ9/KP:&-='fPp|3 ȩ#t6 Jـ4LiK^EL+ k?D DݎriĢ-hֱk(ghx=s*tZ(;.A}DO )͌tP6#!epm=0F "%?E[.v@Y2-FYA\Q\$^v.׈eŵK{rZlK}*=f41 Ж">;&(^ eNf+CաfAЭDޟ %^{t>CH%UT HkNj#TX!{c_D탵xE,mYVݢNr [,ؐS z+jQM(U>MN0n=! R<'Jj nE0#ݕSFУVNȄ 6|S 󵅇 Sz;ty#GZx@/lMaSRr|[/px܊+dۻ|ab̦P,b_Ѽ@]Zev*/$_Vyf 4BCF~N9KR7mq"͏˂zKPmRU?)&c8ϝelT}g=n$pȴW~L{%W{SB+esFl%v`_*9B,QZ8ep.Y6wLt͙l|f13O]X@,Jb݇qx{Ó꧵mC=URӥ`ENAwp6oFjӍ>Č'm4Ó\"D j#j0P4\2%DXw4~.? wviJ6e~Mn8@:o3Ƙ zy<=Qb-ѣs!@v3PSgY|-Ӂ.47!6F`d^۵&féP=4.uF&59kX:gV1s6uWSBHYP{l.5f["|G8}tO4hí@ezV0/[Z-e^X(g)HkI_iEwpoX3),.o]y? h=Xh(]7rO= Q7ZS!|j!'?uf]Òܮy /0n|\7B.Q(D0(NL}ˢ!-2NJ˜Hvhooz. 
@*slFgRh>G pe#i~RE>ZޛwN 'N@ړb.(7gZWC?a\N^Z&DNڄG^Xˏ*by s}'6Ag"]r"*{1ՉJHA].]0ק<]7>\>!HHu0cGʐً pTHUG08] h!\vc|[LaTNuի\>GHB8{\i6|]zf8o߲LMc?\][hQ\T pܞ?J$iDނwdf v|D+.)-+SG?1]PD 8ᮧXL >,YP Z7^^m̶i!>/Cv'2n2w ^W&3IOS3ϼg%P'w nfz,6.?e.׀X9}sL|xsխnc`B^F1|b~nM`Ɨ^h y6ꙛ[$ ]q Z2MeA@mCsY"5-44d"6zz ;i%&jl%#uM^=;br Wm %>Ua<ވ6{"kˆMu&VFч"!85dVHEhzi;uY .S_hԵwig $iggez.%8KY[`x6X$ݱDU{$`m zKE<l4`muLЎ%QJ~2!eW/1T(n* Ѵ'`L&sǚx0=9 FM//V-1 QOАʬgчS$Z@j!iI5x0&` 2'K-cic8E)w'tUx[Ee"uR#E(U] ˜1«ru,eub[8q=:%0qk @&E պ9CF7*bH=,-8)c A#eU~1㣐ˏu>f,UPi' טʂgLzr_Dc1U Fx?{!(VզРήqf,bk|Jm`IǍv4pIw,yN >r`!zӺAh*9#EFW6"G "n>u) nw@R7Mq`g!`xIDy—U(CPԊ▝8|>]%R0NjUհW4m,hX=EUVp 2Cnr=%,/o) Ϩڦ^忈G9Ob$q(ȗDV%:qR/8Cº߫P$èȐGkw~a&Qӽ  щ/~[JGiH`zFB8}i.u'C̺-&0 zD@!pqE)*T.7r" ޺o˵SI#14O@Z[ע&/xZFp.+Z[ RMxMԜSLZ\?`!d /fS15+:&t=*]>֓(hvKԥ C("ĊGgzENUN=̹ 0v̾@h, ,Gp+LuzYu,\r0nBnr4zs("ʵǴ]GǃVg:0c uz'Tk%^Gb揦\)LTׅq &Xwµy ¹ڽ0(eE tU7K[(>BǪFf.?b)ƫ3|t{rR3$)4u|ᕒUSg4n79J`z,袼Ýcn?ؤis)3}󕦏`09o^eT܊ᵲ"|EC\q_UJ(&.lbaVRQq\<$@p^G^lǤ-`wy>/=WSz )9A+lj0D=CL~r0p٧c?ɒ8[rZWkL파'DFa-}{[&W&%b'asvB>=Ty­SfJ)RD! 
}RKWprhO#{ y.򂞾E۾j@/ ,պĺk{dJVu8";ۂıʮEjNb-XbV/1TܗfAαE>.jgÈR@b}9+8N\ )C66ZeҺC+rLu%|@{ts͊J04L$/u[G:ec3K|rwrz Z2D{AP*ۻ:4G0Q@L39bq D>.f^ N]I28o`&JK8RԥVP{MNNj#@^*k`.`OW tF y734BѰHӲ/苫D@r,MK$KsnхiJkW :^:e*D)P-"\lt|"25 ʔKuzT⥥tέpEtQ2L}:dz$#h\M@ >܊v|4!PTx;~pH|q#fĪyW*Voj#c醱ػnx&QQjFLEZRdžr*7Otyl1ն@9.k8{"Pͅ>;e>a46|zzzFcfʒLdb-HB ͦ`fa-j5sV(\\2%q7si Hk&3nm 4Ew|ho{9&_=Bܟ3g?4mL)Q [A{*\.N;ו[ #b"Q!Πݪ@uN{WJ69]򏹔dj/1ζ.3.cz7l/ם++[Kmsvل8L'ܒwFܡu|v @KuVFMnɓ\ U#z1wx\=GO55S|M:W Eot sF-A H^,!Q.S>U Bb)*Xș%o $Sr D[t&w}z,3 Rs#aP(2H':چם^EI;Q*[ˍrI[Uc=g  j)I@PZLŋ- ^P`1$2*Ϫѽ˸*Wڲr]XnHTrɂ_rkӓ<%؂#;V&gt~Ks )ߩ&y6]7C WZv;]^Ku,D.ٿҦfb%XVT$'{w踻yAQ3hf&A@dJ]xÉV!#J;ʱ>T Ԫ n3b4FOώ'Q)ZBTy:]|#*N?O,ӴsG7*HLH7`,E25, f%/ɱ!K^*=p5n8ǀ=tu!N X$0MK/C=)t|w d˜s:m$dɠ/?zQO?>kAžAmtF'sDA 8HG#k.#䒿e(ǯXfAFu- ]e沢h#9O-',GZ=<>VY]s/d1S"ⓀG f8k;\jɩߨlhq{ >9^Ӟg:9-w6&Evl;E=pIfq,ۨAQ.h|)q[4Μ2[l6G @ &P43`7*9Ȳ#r Z%yI&џnozc3=Z٢Js1?FYuo9ms*Q>GL#wv/z9vs)vԜp1;7jmVp@jM7mĩh}3ib٩>,SjR" ~f[jj͐ tsw{ t1& ݔ꣦*>r?fp?D/2T<iXVyD""tAߚ{f[^v^]YĎp]`Ap!d^"PY![|'YHp/WBV?/x7eݿwPiOM D b,q/Pcfvm[VX|#L #hi)jQTQӚL(:]&] ?0AЦ//䟇N!).rĤhIt{"֣FO}nm{x#*8C >7mF 2nj/ɀH?CY r=taߚ݊ZBUB:'/o`xP*6҉v /b PlQ(% ?6[n4WC,_O,{č^ dqbk׊~jrD$9:t3k(1ُMXAV_ LuG-ǂKM2H3nxorS7qЫdl m28ݴ6,6t mH @(@Y+̙c%4`|"Ϟ~C|X k,7al3O)b1, vwd}aYg;xZd xG < h/d|Y6`0DĖ3b֑2g@?]=>uƷ=_V|hoy=Sym +҅pO(Ύ9]Zc|8ӵy)q8%@)苖W7ui+Mxo(gKyTX5R/D"DS&|@4tH6MDJ]c'^gݛ /E:'Jܯzq8`~[~7OB$#È0Lкʠ_`~_|?L"(W^LZQ="b5+l-A%$IxUAiUw"a>f7m>X+`QKb"NNDpaqR ZcW+(yi+\11b}'1(mSqV'晗`&xL|,{a4a7*Һ!S -9 {3Ƃ'k` dKJL1XEK徳ܶBBRB1pkHzwqZ BWƱyBvBXL0j 5wNG$Xcҭqm(nj,OaNkpU0{5~-fY/9q g|x80^HC@KbMz"ހ+1myE?+\͐ 'm_`3?[5#z=C&˞!!`hT$G>mMf'j?"æZ@{`?-]4)]s%պ! a VFYyf jRO}9~Q7H7'U<W7ua*HŗBsO 2F(>e>|8kD6i8. 
( :Bnkk^I\]:@jA.:qtdcג,/(乢iãF?%˺5DOdRw!pZ긂8q&Rr2͔+#^jH(^y[{ФD gZ;+U}b"#5ˎ կ쮲ψsM#<@[%Ju!ď4#t`˙WͰ̠4?s:mxcZٕ78| ecے#,":a$I}# Qc-Sn:JyPqRJgth;=^$䝺~o}=gQ& ,\q'1x&zf|E21wGx G>~|`(83й3`RFuyxǽ̛dsԅeP@ᔐ U+ YcP ,1D^C*[A5s)\q) {mpJS\mwrx~F+!;.pb:(ӂ\0ҥN ,\Q)QSPu\.O-X0_j?!wOy>ۀ.2ϞjlgK{³Km"~Qu$RYd&09lBh ]+UozªUӬ͠r8_lf8}$CQNJLSbtIU l#,HA39qƱ@pL+0F׈JJڢscK )t 5I!&i5s^jB aBָGУq:8[va dH'r'q|?J+px|nnpf3FTGo] C.nBґ(ALOѪl]TKsvdĈ__}C,rjG?uP34zfvBQ=/N93Rף hax]Eg%Z8upHn|X'3W|}*@;_ǾI'RiV} (?uV / 6vkSxrz#Ӕ`shv,Vx~+cXx6Lcl# 3By||7睔N{s#;2Apl*yGeC:BL/ӍD]?  sM 3&muћc1㪣GZOXh'EW«h#Jp0|̈́5q2Ch&-ujq\ί)i硒mAW:܆_jф*hgGWjY*D,#F~5I$Or*F).%(*5#g(wkA8GӠ_nB۰R_ t!V9J3.`H4oEBGՌ:8_'V+g.7q`M5hcW0@{(/Vh^bLG\*[P%ҿٹp| n\ {OkB$ͭ8k vW[ q,A=jolXwBԾ>DbY•'ƉwOzo˟鐬b"j-9ㄣdENvZ΁2o/7Q: ayJݢ_| p#K٘19nqQªD>)|5cRrL?:йP;3 fX5]#S`I$Tg"kx׏(VXW} I$6b FH:eo2oD̋miQhdi×τ*GЃlq>z[?<3h(DB2KZx\?hgɓf;A`Cq ׸;Wú߂z2:t3lwb9{2$^m~4y qW@[zdI:u➅1d8O]l4(WHGIb~ ]lkhOو8N^%wg&<<>ː!G~ , { dФIU1EVDž#R>PYD3y i/3|x98wjHP.0ؕ/'*[l3ۥ.w.>=;Ƌb@$`d.k2Geϼ_q8 DDL^c 733ʠ,ߐ GN醚_gpqte*7Up8% 7a9ҭ_먱w,Epuy>|p=]L".By\߮<=s./"bSjx*'gLp8q)"a?_](|ug^kIPf\v ``kF$фfTBk5bQVǁzadwN&"5!j9&Dբ{ӵ;hI{gDs-EU9yj+ őY7|*EO4K7&zEk7vXҕx7W.4+ɳp A}|vOW*j?E"Ƈ18){:Y_\+I߄oE$*{?ʾ,ltz9)8TČ\=- ސ|+j!7vn7o;a6o-__ o<4|7 ^/>gg_5Et4!XɽPN E7 ֵiEo>ƸI`4ɂ@׋ekF^b!m bVH+7 :;[t&=rh8 gޜf[Zh'fӹ:>u,ˢyUgUi*7(lC,41?/:R(DR}{`C81.Pޔ!T^"pvJ !7+gM+/ SeەwGlt6hi0đPc4Ndbz$MU+Z:)as]Lv+_I_{у$-loV"h' <[CJfPHO#IWx(%y:/Ӝҧ1Yr=ii4A򏃤>6&*glR^ZwK}r;pAJuQ0.[Ht$-#Ԩ##VlkU%fZŮi|}y:u(î,5It볙)LWGbw`RF9 Yįmْ=W)=CF$+ C{x3̻~3w3˔̥dFRٕ 9T^D3nqJ{:ˁ B%0 ܾ!hTlD5G)*ɸF4KxB2%hPu0hDйwaieAFP!@US7Y9gg75 &t8p|*n/棃K9643)VDOcw\w ߟHNJ ~5@L kIӼb2Kfa II„ctLR8]e#IV{"x{UƭqYSd+i+u r¼F.Қ2Q/׶5/䴙 Dc7e.nl;rw`?I,ø( Gw{\ԇ>syNlZiT>l 4'AG$%f"O5BꤔlEq69Ѷ 鐙G3wyNfk t-Ӑك eTũ+{4[̯6и %"Z=K̲R-WF;{CAQe9j跺yg lf/Cq҆ث&\^:%ߪwiaC ee`A J"݂n=,N=K?p /4)茧 [7`J [p墌1~,"w/ȭS9=}GcQ4T-S_*Tٻ\0j&/ *@Wk_b&{UwxFFަLa4:q̽hݘ^tY*2]o{~'<9u闅σ?0,jZ{bRuhRڈ9j gU31Og:@Q}x⹓ƿ"l* *jRߓ0sOEyƕOFߓAأo6IH 8oZơcI)vX3qգ:'ɤJoIRVWX'ۯB 0%!7aмr/w hUң4u>vd t߮-b` 
/X=%d01yiZk3fd3/W{A;b}_*4-V٤24.E)=Η/{5{,{ENUw1ff",мBO(]S+%a&Ӄ''ZB}sΛ@yRJf%HsE(D Zǔ>O:Pj3rN3ƊLM^q[fHgA!AAvqyH{EWv@lIf Ѥ0HZnsfM8!FX=EB-+'rj3{3qg5fĵ%͇ KCj"$ 5Gс]lT b}9HC7#'q}§iKRZsLU]9S3iA9dm鵚'܊38+j2*H]EEA4 !QǍTK`w]=X64Y>'o'wl3–Di:{0uĖCT?P('[e5jK@Iпd' G]8wGSsǯ5 42=vYjE3(FF=@l(8=GRB׶N>RG;NJVe>xͮbj/?A h9"=i=?6L5Corpi\69LÅhb9IhLO%+?V|n@t-3*RbvG2W&lwUEBV3} Q-Z VrI4{Jj(/zPB'&e1h=x֫10)6=u1ܮNmP)E/ҏʰj]%ȴR[ZI5W&” 6-(?ugݧ&[4Mǣ"684\9;+=Fǭ )^Iwx5\d'a)Z]o/rL* ܥGtQq;VQtY Qm)uw,N&F`Hw`_e<,bݳfW"(1}HH³Bd6'F#t]a_d64`Uf$QnH*|.]v@\ۆ"` MjKY?U Vj,g[υ"T,sv[hrN3L6g49V:]α#po1M'l!-lDy>Y6O6ª,'NU}⢡ΗL0U oӇ|嶆XfHOٜ;ON@xE_i֘$Р9Ql0pDtއ.ḛ6&Vm 4ڇl:s$RJUNGVvH,)GSMA˴}5 ʸ6l:S gi%u  ط-Ʌvqb cП 10!PK&Mz,(/34ԼdTs% ^|/ׁ0DwxFg8ʽn \#\heFuQ/42G-kxL &^hx&U rϽ4&] 1GAhVlnZv|qDoKN; #%7Iޅ0l/Pҏ̒3UFjRhEYvL>Yr\-u+,^2%k|tD[aZuK4͋UIJ6*(h5b Z|ey65"4@m A]["#xDI5?XL>:%3l|vKCu&Li^l;iB/8LN:QtVE Uy9lLPEPx݅A.fFǕix/>`iyD<~>Os@ol`2!R$kԄ(2ZPTK}R렏dt^ ;)('SCnm0{mkHզ/s[F9GViT& h>.3m5U ~ ^ۄ>2*Q]t/Q"^)>Jՙ1*;5ZTؗf,w#ʼns?CB2[>4i(!Dg.dSb#Bm-'  [і2&w+xj $,校{=,0m&*J`SYmJf >,?FVbȱ%蘷r]X>ɂrug^)34#Њj޺雰O2r)dx.wdԕAq>ZܸGѮM-2',lG N)ψpe #Ь=nYPd7Uj*Y73D1\)vwdi~dsx.Bc4KxgqQxc ^ΰz}ʷbZ/! (e'ߒ e!HrΉm⑩s@lBƑWc.Khkya $1H$"̣+XQzW? t)T)??c ֊YSr/|7I0 ؃>H6n1AqL"Kj;t +f`}Pe/e#f}[V1wOPh݁e&͆J*4?`XZq2 -eNX HTܷ@4|CA$1v2 w=Ȭd@US=Ÿo$¨DFި ̖0hp;MqՋh-LT^X4y%c,c#̰C,^>mbK듐7o 7(KrTBxO4 (KC T;&yb|*o7 D>$uݵ})%^2Ī T%׉M I9GhBj tf\u>XRGd٠-i+<'I]]W4^}pͷcR٦A`nzv|etzTBkX`Kʆl@=*#!6NZm5QM,%gpZd`'=s_\ݜ)RKeUF1/>gS],p c:,roG A1y6S<&{5a4]3EvxG.|8|P2&F|i`qRs>m9 /kP5RdL9jCCO+_'3{VR SF`,O$=ȑa5~ dehy.ŗxjVs2T2P^I!YMؐŪhaC}FWV{3{/%Bj| 2&+Mq')[tM=s!x߿Zh_6S$2BŽ%D׮x3I%>֠fq53y]Ejop.- g,2 L)zpPǠ5WSwҲ :տ7}[=%OL>*S~lK魎 RB)phN;X[vqӢ*(2G>1|M$7+\ r!Kٺd {mSgɉY9r6{V3΢dO~PrF > E2(Gkv>@` &^asB *Fg#zș[-[m̤/捄yskqkY mx_ 2y5W~-5|NSE`2Xl] p"jKׂDcLE ng^åزz})bX֨Βk'JuӒ d 6_4_צ?mѨh(-KSDN;K` fSOAz`dj|{=Xp$HŊ_9H^-;{\=nrx|d!kF9a+i4}%WH3ۼ0`GxFUePcIßcNBA4P}BW}?Ocgۥ}:T#:7 ",e9qށ~hڟ֐""ک..nHFO\YJWPV.i%~D.>ގ]/AlܫROEg'2Z)^p=?] 
ˠclLZ'kkWݠN&8nuQi2,})4%l֖{sw..b%R,6(8P9hz7.m&cw6Y!K ^,5VYP1oy{HN,bS|Ih8b'ػj@`&lzB ԁh~_P0*O2 jjt17 XȇLlQUzЙV5٘C+K%ې?5(!p kP4L=B[UZKUc*(k>`) A|r4?ch۴ 6@0QNI }$BT(2[=:ָt~`TM>4Id ; adtqƄy:lw]<(h uTzO/#ia $^ .v`nԒʵ TCmNp < DR;=]7mi0X5ϩsaM2nT] +{=4G&E|:)\{{8gu!? ܩDh̒8y(!zx[t%iFi1 ][kr,24f\{yG c\<ߺ6NmR]wؐ5ǻ'9YRkI㞨="afLEzD&v ַm@J^/C>>W'n#'v"Z<M+V@x']CcV{` x!4)` B=RsIOVQ2_K^𢘅QϹ_S8sx(%hBo82Y;l\щ2|P$NAMYItrX(#䭬;Ez?HIkJ\D3`#@!^T.EjFW%w }RZ~L scCU2'G \Zoq+3'2xmW{RYCDIJb@m}HPbkS3J7Zh ! qM4$~ Y龧COl=θŇDzh4=E :v S{Μ'.g0"TҝB{~J|.e!b`sK{TC_ibr0\Eɒf"_4+vv%Dpr~aT˩~-KIkkM'fKp͊OKי:}Gŭ8VYL\wyh)-K6M@ ,H|l=iߣW65p F0-a:OC6q[=;\ ͆ڵ.ϴsW*aqp'lI->2Bbd_C6A)맯 8j~GC#_?uS2xƛԯH`Iwm|`9\z,ɜp+oE02H@v'G-4ڲM/9ԙ&qS, ~ڤo15N\GF1P <ߋ}͞rupL^aD^svք2wIUFdDOP ML$63X wU4_QEY 9:s+6&阄xԕ @ÙQky xpn\0k;?3gʞ xSL Isc!fŒhn~7z%_H?~@ɺ: ѱ |;)U#wM!- CtQ D~Y éQGڤ n}}ǛUgB. 0:q(DxY3`ޟ OJveV~= beWJɥ.ܥEUM~\0;RpQ9錬 "9h$>"6B6Vt\S:n3 j9rZWGHm c/ R3rwLo *!XKe2S]^--+4.€ S+搧 Eeэm&ݗD6|Fzέߐ UZrH2?̥8F/ތzzc|"wlHk_1.}Nva1dpv,wMه_BOG99 AZϦœpD[l_&.!b;At4٣:{EGJW>s!)o8j7wt#riwGIN57~;A p┭$ZiP9vM6oHu[?olB?nqj1XJ _dk@uXi5_~5zq9f.Z!.^pJBŌual9Ș> ],] 5l%o9`#]c%<5 znj#5 d}[ݑN6CefHݪlVq7M٦C:w\=T[5էFcۈ9_n"|zxrd7dX2݇iIM+=Ѥ}4mad%7ʀvWE;UN.L37Iܕ͙9L[=/=|Ruy*J]õ$tvRL|x[) ;MwH~Pd;EF9pUCv%8A%C4^[>WDont|g A3xB. }+cI[0fL'ԸƷejXdLyǡ ZB,T5y`k|y2_WRã5_uQj@{/,LmBGH$*r%ufmnjHz5%SBxg4Ht"n?i#=/;Pwɕ#}&mGUvm}g$2,З ~`/YWRo  =F!<\7m)Ƣ>%H@΂߬@d !~_cMd9sNOKfFgK_86F ;; X5 &ks?XCدiH,J?y,ʢJȄ{ց:,5P, "8D;:Ӟ4+癶?x4"ۯ2>F*WQ+qy#ʦ.) ZbFU~G5dY%HfdKTflNU1~0s2)Ks20q.X*A^5X{x[7V $C#?lKOK~Mr؇9qAgFGa"0=نcݤԛ4w;֬*xݪ2@\F.R|urfv};đd?KKo`(JBK`%L=W8vZ[kȿ#E/ MFq(\1fZįWpS {xAԁ*.jŮ9ߣ( VJe6Z;m /ϼNn>_Z=% { FM^LO4J쐁Sj V@+L QF݆W6s8šf!-8hw:qn:h(,?nZjrh&B/$6^6L+kۗgoL*c{4 V4XBYJ6m Fƨ i7IKA ^Df<0]Ic My<)AUhP`hfE:PQ$_xvIJ*Wn@2`3'vMPۇ-CW.wCS"rE$q':{m|SA(.a"7J(4]m-` Vmۡ yMѤj?M|$d"nK@3#pyQvv1\ĔeL{e -'TO9Eiv9o/%e-q$k5%ple 0EM<[w)nn4\).$>O-l.Q6tr{P nG|Rk} ~ u3V8)QfPW{64X-G5|| x\gTm 6Dv]ļmh5V+#Unv}Ra DYJ>z{ٷ0AMో6 P?3,? 8 6$?1uӬbgDljd\{CɲJ@%5>j&*U5֌4 સ8Eek.pcN)GuM,DP|i{R2>Nd5Q 5DYp$U৞>^? 
5iNPMvhlK)%smU(Pɯs7N4s KHcȝ|h[|ryf W?\yyʰZ}OUF3"S(VG>%h֖۠s̺A+!9?A oB a^~-~*!7 ^?g >nEm:O6Q`;mbF#&(hV4 !RȠl%sЅi[,ZG cwB[OKv2&Xw% 03)Z^]>ye0=t @a<6OQ{.d>/1㵝&O)&$_*g;Dwi#kU Щ%DuY|o2, kwÞa&ЉUqK=+Ԓ̦U$AvD@Urʫ\fNy89k/,d pՏVl79ٺD }c]ic…x}-(䃜A,O̵ܳEiAG*zx؝cyDY;0$M(r:A4ƗLwxԭ#)7­;Ie7%keG9LBSIH1(M?Nq+)UD;NO]~nWb[_d6v%;t26fNoh{o~LYcC=KON'MƿXK"aȔtGsZ}c2)-dcYq`2qVzsSj^|9vS3_Nvh*u)[=%ݏ7 ps&U "%C >Fufxf\dn$RL JXgB UX9n&O wrfY3Yf.1|1=Y0(yuqP[Fzq@3^ >-HAj5B0ΌT!m,mC*͒ Uڮ2xQ|*:0YatXN^Ĥ?VDKDS "ϱ-RXq%lT$˂Gnjs%(͌JGV;>ݭHǗ6P >Y[B+PxSɅm(Hձp=Y'q*83:S7 L?h鉛PB9Ջ $GSXZ'IH\e@[$xem45ZMDe`d-/MoѨ3\E>Ā@FEdϗ|a 6]e{@u&_Y1Ѵm& 4$иKhH{)ۚ=<9 zi#n:!"[{ڮ,TjΜӒR nW9VqZfIK@O%'_=HuO?&ơReE;EL "XVNv|8>\s42dYEDX@%#/$(l/FŠl,ld|h,(غX$~H h?63 X "4uO.@a W|,eذ ,fG|?|.&QĽ{jmVĀY~j|xʎT V ~2E''2x| eaT ;؜8 /n07DKiw-Tf;l mǦhORe{U]mUZV,4lq3_ʈ1bO$i Łj {Ip@  _N/Ru@,CPj_+ GHB"s%,mh*r&=-=vv0Se*S+~)?vo08RfCEVLc)a.=+O2KuЃ!09=Iao? g9 L_'"Bh=ɮ&+ܣ<^׽Vՙ<`{GA@GXL{s\!e^pzy$PBpU)HZ.l[7TҴK=#)ݷY(oll'9)D#Ty\{[䄫 z{BTf@q4lkϼY;sd-Di>#m!"Èy])"za7#fbNԥ/^[VzR hPXA`a閗`[.#ე0U(.)>p!.O&\L*7&Btimo&,otx=2F)#8r'I؀Y89hRpczchfNP;aDj,M6Zz'KSxr?X"MړUDFzSK|dqp(4prnJV"ظ6)MB@pF4CB uCsf]Cµ7AV9]4 YVC95XC-}M>vXdƙsVzԠ%w.5\)|eK l"6(ĽwD^_Yalq %L^ Pq$;`Cg9D0ڣ*=27+2 _H ?_{2jۜ,p}D$rΣ`I!Ml$OχR |uhF9&ˬ& ٴ,V~,o]DPM\$Dgu[t~_Ƚ[FPߝR^p3iⶉ$=cBzqG%V"rC߃d)j; :9OYyI0~@HB$މ,aܫ?tC}W}o~\ Hc>g^:/g㌈JH\/TUV))iFFaNg q09XňMoQtÏ}<خӖV!рN_>ҔmmŁ|t3 H եa$ڒ[}9`n:2|AZ`͗\Z*S;VN$_I Uh~?GOr`.Op+B?L @S:/^&]IS"~fce8L1N4fGcc t*p!&Ycݝ4 ѷUjrt-Kjgv7tg!>|5at.~r[BWE@ |I"ӜQ,!te}%t{|#+2 Y䂖.Z*q x ( ܌k9rDtjc zZ+M&犗;Qz'kb>*6tc9a֍n'2q\4h t4I&S:\k玒{ԕeGz.x+fv?]ɣ :4*q2v^k]3V۰AbJ6ȿܜ`=ik70Ӓ& 1Iˈ4ַ~eX &,FBTsk>OTiVZ0%\`2ge\׼K<=&uGεĬ5Ji ~`|삕 ly0j= zWLcPTr^X'2FY/~ 2f..>*;z>߂ʔga:%Ea߁ 6oKeD‘h>a 1(*?1f~'~dtl`X6A½$1TF.B}lJcl$z>M(K` 7%sU@NUxYyLX?o9w N™QyHFyXM/GBrtmL1!|!Zqlp(O :G ?VABBblm8vhKSEN1EAbWS o3<Ŗ25M:^Z{6 \!asȚh ]Z!tD3?\⬇MUWHH8?# Z?C.E r VU77_FuX o˹GtiC~, z < 9l#(,|nUe`/y6>d\Ї #&֏x;Zp]nY3h[uz.ϜE@wm[(SW]8UMzdhuCxq3+lvkty0$Xz}fKe uwa; ,z?*uLH! 
QU^A=(:rD8)0\k@)>bX i#hJ]\Ma \HmlӨ\`2),3" XR} ۨϋGrD|ip"[@YKނC 0q_|.d02Y%gMIR?@kN51 <: 9$ }P x!ZwJ\FJ^+ϧ(Zn;Ӆ|X{GUSiZ}LR/$I:K>'L)5gՅc(Vd)yuk~@dE٤6 YA\F@rZ/K>qZrE8D "4ʋ^HpikjDI]|hsӳc*-?}]gcEOi^GqWWq*Ukܘ;v])Q0°;v /#%5AS%a$T0¢A8+s,ZKJKf|Ð_3wL}=xʾGLa}7./-n\ji82~VZn9?vQ 4Z0+20ٍEBy 5pyŭIQTђ`=WnN#m ;'lHESn 250ٵU ѡnR=hCaypEx/*e&[-vu܉f>~ +ܜ~B yמo)w&<2o48&>H~kq YjhMT/̇p!c nPYuYJsJ^i ؔLD.`վ܌|>ZA j&^†ڈ=!gV*4B*m'[]pܱHHw]ԧLb$uAhkuxt;Ae{D_oJԪ#p q4+Wk.#nqi*Ȅr*1D0Zb6uf {:1z"rX+dXB~ 7"αXzJ?d}:xR*4C|#].t,Jfzӹs/tl2Ԛwy%U釳q@:hT/C8h~#DMM.#f W.dyNKǒnQ =uzcdWc{~J w[ܘ勶+#h?4PtkgjFcw^*wE4On4I fw) /TTI_4r:"8%u<@ !.͟fT4ß-}h˾VX7q!ÖƨC"Ѫ8ma'mEO3 B'j>M[2OȰݮ&WeRy!k1{iC`PD66hKy3̟<}5^ZRŐs2y-{53%I'ƂxT7oiW < %~JŚ(t/a`92>fcVBGc`Xymƽ5>52K":)P )>uA!Ai`eirɪ^ kO7w Iik8ߥGZ c_9k l[X frzvpQ{2Xuo>gJA5S*.J]ZNe P$o})wsisLUjt$ mnk.2VXyųi`88MmEǮlUx'%"g$h[c5="" ́/ )EeaJja&S[ kZ  apԚGMߏ[4@@_Hz>@N01&mEfjUAeda.csI%uKM rZUtSq(5\,>=ښ%S@Q4֣*4~,Ȼ4hpk0Bԗ55QEdfHoAury8 A)M(BAme(Os! }3 |Vqq؍O]B5zbX#G(|UhOWkN*wG:0;0GRlO6dǮ0񩨮u&5'*;r}&-zT>Z0*2u/FgZ97,\MeooB:.fY>fM1zGQmgkS~n)ղklJ'p8~v(v_WM7O'LwpGaٍUVP3g2?cqf9H;ta3.@#Y3FYg3%?k0)Pgȹr!6/&=C܃qrJ&횤V9H^v:.Wh {ՠGJ>% 71g b,?7Xj8U_1*BּQKR=xjD־-#3G |0@11Y10&#sE ]ǯDpޭ<]TZ JB:&&?椶@xދ BjyP4xg-c6 ܢaʟY8G3 ΂WB ~C!>cXr8 _kZbؤ7^# Zdˍ Lh_Wт6GBNM2. 
$de8QkѮ!!˄2c:i<ꞷXx?FV,˞8 >\RyP>}\\Tf<|vI(ΉjVp Ckri:O[DC)J/9CW)덿ea7F[d XC"uxSsxE;# @;A(1iCPavp}L6 O4a8g|:0`s~0L-2d"Ŷ%Rbq˙3% uzxc'i,ތT !4}3X#s[͈NKC*F=ݹ:D/2+qh{fxg0!C|5F:.u2)ᅢv^pd(97\w0;N#m4jk}ҀaW譁9@r WJXt\ $zu\q LM|l%QӢ|{܈Q"3|ȩ zn%ay^Ћ22Kz]S`c*#bP4 G>_`|D{- q *V6+fbn㦖=3M Aq p^i&3m] Qy(O+jt0@hྦྷU:"$fM BTRQpS_obp!y`c(8P?Wri&eyKE@ NKalh\4_%gnS}^JyRwum#A*$fhO톸NIE{fłiRG.6Cb.c7k#=3D{ꖙ4"#ݶaTr@bȣЪ@j h0rhҼ!/-I\cE,\(E'MF8hWWvPEL*X,ug8s z;#BsQeȼAzUSQ Iד-sFD^E*AWjjs_ұ;3a\gފؽdTHfYI۶ t2ZV>|MLQ-WP9u;-ӥY)k1@s.D)|rT[1H*Xr>aa@qM {yikG;9jdEIymĴ.?*WwT$72u5H"{Z)F6% 3zPpk̛>Spnqsp^E\c A2ÈFȯE4%r$mi;gQ{$*+u5@on~SGfy> M5^`'Hl)!AylJ 2lR)faT}^wM7bE] ƯHq؝ /jq>yC~T-F{ $|BӪ `|I:u)Yi++>t'Q U"Ƣ9V }\ Y ",Pf$sAkM^$ a\8ex `6p{6Ήv`BsD[u+u*~ yu4Zfz^_]ck9:[^@p YX(7ϒBӾl$BlX^犑Y Ds3?ϖ^+k Odl5F* y`5`Q F{:k&2T~!pݪk#fCvi<|sxEm]U>2@mo#u@ONJ{6Ea9yaڛoަ(K?(o gy}Z{t\K1r\sd7YpšCZV ]jXýr [kڊ"}q<'2! Vd X49S/k\1($GLHf׈UN[jomBH]@>&\Mp)rCC":h&yX d~YP)HW{Hx1 II?}C~$>uͨhO͸M~Ft,_:Y{MN_ZNiI$yqlGMy|?7ܸ]8l6[pGVǃvUeƱ3\n> >,eyh5J9T@q&k)${&}v`4ΒFՔ(?:,K}qM*тöou(q2̦}[ޞ~m "<>ә6xLŸ6A.=D7]V1EuOEoh&v[~QZJTFZwt',"h1%q %c_MW,j40MάS2kCLjT^RJB7TzxMX~i~# PC4lZa&㧶2}G db P4&e8R'l>~.b3WFƒSBR=bR aű1x+1v"qFuηVK[k{m|>ؖ+v=Q̮fI nӸt-&0<H c+eʈmw%fI#cWSU)9%g+RMѝHьrD/8ߞ?/59|~\$`ٽ?6̌ r+to( 8cN^PLQsRWX0oU(IWyvK\S9E߉wdMpyLvgY9ݍҁY%?ޟ8dŒzD,j=-T)aSH^RYyJЯ16#غYvR T}BrS<@_rZ?ê&Я *)fp}B@z*Fk'O"@3#|*"ەJ>mO@%܊A\PIeYPȠvpxg72~J%-@–<_1.THfnE{kuW /=8^DKa6O#>jxBW=oX[>D'GZ)˛5d|@c,fgK0uA`UrCCy$׍y|D ~uo׌Šptq.~vۢW@14ǫwHC>9DlbMfӅN|RpL“Z*K @~P,JqC=REElteEN&utu1gX!$B Lm@8|>65?ߖ.']{Pcax)mvw\ƱR{&|7h-kldg~:3QW#[c%yοd_F LwF6HFF tkƖ}{u s f'$"}wEA&&m a6z_pP^>FeK!٠2{%|#Bp>/|R<w2/.~U[X!"֕JՉ ntS9 gC.zh8-9 . 
SdP̪.C&| љ[ރ;!Ҳֆ7esqRׯ6635L87'u8T r3"AāSdQMY[EQuu/I|/-S5Wm6vֶ35,Vd/ >!#ׁrcշ%Ì<-hSx-;gS-V;o.ɵVD#r20o"]2͚x)_V[n4v "!~cD8Y|?^jG;/ 2¯7ՒOnCќU8}M|N{$PaZEsmy"P޻32$kͭ09Q l,ղ.,~e15m/^s?J#?F|[44 ͩ|_ ZF|pbVLyB*`Tl!|̶Ҽ#D]?G_F.H2@~*28Wave O4ݾTKFE P>p@Q~Y\32-4`3T{*OTkykRhV!5Q%߇دݏ|DvJ*yǸ&O80l3Lnx麇m5,Fj۬`ЈyE OX9JEcKh΢_RO֮u-oK>#X|l>lcQޢ&SNrs7:S0&f5aotd㕗zm)SL/pVA6@{eV[,cc2[ p#Auq.Ysp,rk2n}e$ ljb:-rntQj뮈! 6SEm}1I Zg xƯn:w^L{فK=niN?֡D0'wxov98*ҼG z{I(]h1s {OYAWo.~IܶW_' Z-(+VI{<P=FMAF}l9"9lRW߉fpr?}J&F߲|6~Гq$?oGYj΄k*JoOP DƣCGMBqc0 (3I3{Eh?7I5RQY0Je&݊=ѣ{RĀ2%}._ld 3LaU" ?"0HDyY)RW'(91akﲱ09 f/ {b}NvkRnXMuςrI*HU|FNJzX=@cf_d8Wj R(AIlc@Z +Ly¸PA¥tO(frp+i/SJ:.d~ǎp9>C 6\:oӮo;pcPU/x,R Jj5@8}::j盰*>~9l5Ili 2U),s Uu$H+Oub{6BdunX6۪,b`_.D_gO1fN$g%kS2Q`! I沲Z֫bX6Nt˽ikj`~;o>I_~Yu4I"+qt/[~إ}`.^5c1^5/(#Cf|# omΕ`0 H;UPa2KyWI={نV D3 y*v %fc{Z|dGq6VU>m$iW`C s+LOp9XjY%T7kB<Ҏ'<Ժ!Hʍ"Ħk$;*{BdQ╣,HI̝ȶ`Ef6< ș?``mtzOǩw#|ħRC)lD,{:0vB6c#TKqecTu3AM8ʷ!ϋ7?uc炰a" >thrk6CRȶd9T/6 KErs=+՛~my<֗I$(2Y)ś,`EYʽrcÊܯd%BZu8q}2}+4ACk9B꒤YH0y " /tM0K08:{ެ (%̸ċgEvUl}13=b[v;l$1|%}p>vY{I&D kFos$^˚zlU<:9 t@粿l!Vo"#<t>-J"}w"bG7 j݂*iA/i b|hlR<$3u09nhذsOWfCg AՇ=BrfX~,x57:q(X_%R+?FO]SxCY!ҙ,.gip^kNx|V @ L;ZL$yxhF-Wr*yV$ԩ`X֖tj6X7w+3j*/iM.))@{߸_F9[")pOc`Jڌ$]WOA*q!s|/ȟLg~Yj +xO"5 䕤LsJ,O4^mb13IH!fǑZ6Qᶏw.13NOGGe maoR-z_+1-9F՟5\ڴ1Bso?4O~#8#y'g`=)m0󓚮Swސm2M~kHM/h+,-Z, yih j ldPjew:7 tpLtwL WCnc {8#X%r)״vc$G[ϩ|xPN Q'4)I\|3%mDNf$vݴ kUWsIjߧB Ff}2rߕTILP/a݈O E*dsH9TA\mj;@1lMk4>gkJGx Xi?p+9J4ǰ8hٖriva("̈́4`b-`l>Hነ޹,"'M]QbbgPGaGAF l؉qPN!] -E׈}z;L؀IЌCՒ l!D'К|oǿ6"fZ?Ƕ<.+8UvIyj^/"fZtP '<|T`!{ 7 on)=c_ *^ [TXLΩc '9Q0e)Q`@2Oʬ5qu/!9 lyį;{FI/ qFw/̅rsbQk(&g@LbfJ{He?S+IoIulr(3P"c\)eΊn]]4T!<${Uc'y2j%`mNN~BvS.qoޠ &y'W١5S(_XBGRL`A8? !ƹ(N'&v OI('LWVZLoM&y%ʊ/uB%?"%{ս(QH!!<%M+숢+D[&wlf\c´?H3+ ǵ'T|؝vT]TSEX5sZ/9:J=wQzGbaRQeͣ;d~i j%|6!)L֘p/ arTOoq9*0 㔙ʓ-}YO.neG/;?8;{b-GpsbN9(|q`tUiVMCNF!?ZN_gԊbރ~+o͸G`iԼu$zD9!ѫ&^{/n nX|zj7vJXTH 3lo2ByVE@-O3!gC=mN^W{mjKm&qf#)0-afwuE6T@o|>v]{n I98t/<*\ߗpغC>n;OGҖi1ihE u\,g4˟>2eL(:Pڮ 26ڟzh!t:b/D*S 9yC? 
*q+ļqIjMT+Ox[̓qӾ唹mszJ@+t Y@]K{1!(;UKJ&7kEbɤVIuw)900s'G*zv[M I_y7A=Q,"W kA^={raCG')vzDmTl<4:_ *{+L2R5$!Qfoo\ 4CPԘܸy"4g8 /(Z@j1{/7ߨEh_n_"'oH6xmI;jO/hR1y}4rCT^}j`*#AD{sObr&AAщm߻@3mVZ!+5#&1ap/.]`MgXu%$]gCDN(dPT@5xy Zc3gg h鳵/A2ZI}a\r ;=B%\:'ٞGiW 7:<#gwxNqyP7r!$.#g+jTa` 'N"AYxvfҤB[5%B|8}pGPhbnx;d%mp AOnAx'/#mLCS 8&xIz]wlpr);wreX}(hrDȂ&in˅Ӽ4bnj:Χ^5CӦ* ߫ i-߫k;ul_JMsb`6dޜku+ Y؇ H\t#c9g˶Si3mju$w,IOG; Bge)RI>eAqMƸaAŝc|o3ɧ/ëd7J-r# +>AT+._yLv/4`ᥤHWwBHlڲ`.h3 <Yz#Lb#.2;p(?n?Y]ĺhD֧Vэ;;pW%2&hzК=MXZJUA[JDZڤs.W}OXtP"m2"b֫5f?eeTc܋"e 1cQS̻Dş͞՜e!O14㦤ܜZ,h7m$vy`;>_]! zOK$mEޖ)ER&!Ūe4P SO76$S]랱v|Q7npPm1Q>lPa- j^H&hkG)AJrڱ] 4M^C׀`~b2-US#twϖFڷH!6UB^q⌞)p XP,TVNFk=מ.323`mYlhس̒ U2xt,:?nZr$W]܂*ɇ>e4Z] ڴTEuiigWʬ91=^K MkqGF*XM׏GF,m@e<`[(1#OZ Ɗ~=: ZDAü0"dMKP#@FZH]KȢWKhE6}j؍QaF)W]mN3hY\]d9Bs{5Ml#,a)Hk $afeϬ;|ENI=QTbRɿY7dkE쮗ȿ!:QNk)Nm ?8um'Bu9Zy¥!Oʂ$j& Eu>f;Ph4ꛋQ*o)N-6+xT윜.aEcc|U(h$;^NjFX¶8+-"i-0R*?Àۍ =&XǢ*W3QkF{,V7A}\ A&~(ykoRG uDpYߛ2ZexmTm6 ϸ.d)#X{)\ˍDE8{6U,hn]oU6 p?g3,؅Y ueЦ–l[28nfPPr[)GqrVX UG–JiyiS7+dwK8jɆ$c,G lה.oCܤuY:)U Tr<"kڻ;\ WzE| -!oVF&/ 7}WWS;V؏u)J4{! 
bѶ1&gs7G}v.%/v>wY%Iڬ<LX\k\_>bQo uzBl} 8L< $|9bu|;R3aոU?sH&/ML95ц]j'~<D_!?fYA3ߌ,&5{E] Sv)A eyVO΢hߺ݈b?yi8 P-&\U|Ǡ;>〸F ,Ta' ҹ3B<>vi!&% G~.(ުNo6E0`RFg%@%?{)6N1>UF%G=Vfu ({,dBp#u6Us!0!m4 R>tU>C;mjR t/?K͈u:T.ea;C'eл9l;}{#soC h;TTQ[?u=bIHW%8cF%` 4m+w2OK0K'ʸN.HDDy)2`.<]`@r\–0O-J ʞWu%} .Oʔ!SXiv'Ocͦr4q h.А6$DżJy'a:'Yy*iYg1^fNTLlh5юg5P2wg\J 0h_+ $B B+֛_BEzK7et} sVONKntU^x9s1yS Q7K'7Ⅼp˵ߟ J0f@f԰b.*;[<.WnVt@F^$z?* n,XܓS'-wǿBFu,'Z)V:ajW;Mk0 _j:^?BDd L _qW{:A]&ڹgͭ^8&Y%cM*ֵqf:DֱJy5yU2xʺt}|i:is#^{9ɑ5% ~AyҍR_+_p#N;U5˺K>i)$:|*h7|e)9 E(=NJjZUBl}§ogq>6MA6iJ5ƓR3֐ܹHU.Wlvf&\J@}!X?5J(Tdu)Frb VzkI[J"&WD6^݇NObLI\A7"*VbtGc9 -@ wAT?j%}Hw,,52b*33Oթ׶rb$2 7Q<^~;S./{;Gv8A7 FqD?H7H1f r؆V+U&K8<YЙl!6 } Igl̇+a0c^rW*LR˰@ITו@iJJ0} L,~X!X(/`lM}J#lbLdmL H.%1REYJH &Mv7jChQOܥقz)zmlnC?& I7Zhڂ/NjelM=B b7phE 1Ez÷g$źf-zQpHg gr1I'Ȁ٠0QJB.:(C(iKfooӖ Tߊn/cz4_ cv 5.=U6/TRnŔ0ԤC~yb pAD֎'oh3A*KH'WE|h[ (zczۻ-v_wn1NͲ_~x݀Z6T,]NwD& #9QGE}w gE%#qEg܅M}fw9Tf^/l-SW⨍$ʟcM膐r2\50d_d>~\vRqZvW_=p\{%kRJ](Ҷ}/Ҵt?6nvs-GQ#"ݚpc C u@q|4̙!F\mc@I~Y3+o5bK%漆X  uw Q8ϥ"4 ao3{>c*XC1Oa5dAT*򇟯3 VgRg iL"\U`Hp5~Ixr#O؞Uy线7'ᅑu,L-|[ȉmr_Q P 'EMx!޹Wvv78w'o rQ+ qI #DJCŮO.㐁"~447i\ R#{ iu/mkى73r׬h}A#N[1cْ윏lOLN2܄)k:뀃Z8ۢ|j yEc"=|"M~v9RY.nsMcUSMe2Xy@ :@M21 `m;@SHz}N@B5.~F81OO@^ܖ̔ 04Y[|7&%%mWl{Zi)Ȫ*j.JP(qLYbChabА(%NucZπwKiSLU=gp{g6! 
((dV0KF.\IZƁP%`sDJ%2?N(~bH|!I7yzƦ\"{q^IdٺќޅM曱r\>UfW3"bÚjG4<8ATL<(3O˿hFv2P j<2S/c,2 )MpS ;FLhR5 5r`fch+ltayνԻ 9Dr*"-@đ &KS}bS*nVbmxթyVRSSDݾeivu|F*P^5,,TQa2x䕐Y,ʦ‚P>>AŇ`2tvYpXRjĒ,J.mL /Iň =?lCGoqvIW \IA=E>k% JVAti"[@nu;c4u  {%!֚5y`n 4;OLÙ;~d~AгW|+9 ],lf{㡅[w.㼭 $CgCKZ~xYW rafTQY&>B(O!6j,Ie:iA`eMG8G6sU!ԗ`}pzʼnON Y3S6!Ѭg3.un$'([Tm^|:%m +,iHz  @I^gq-kSY ؠ[ᯑ뀢^+ߤ)%`&{P1/"zV%^k'Miyb/twuuhL)E9/{o*=3uA0bLgɇ )#‡T!L9i5j4!S'Xhy]!P#a): ryV_y|& Sν{\Iqyrܞd'{i_bS-Ó<ڴ/\ĊuPPG_a`_Gp*58kU]S(Y  $J{h 5d#eswdd7,ĈFyҐSR?Kpbmv6WG7l1`vBe~LAs{,E{EC<Tm LVzCCO =[ FnFw)W(HtQ=HUpW:oh؈9d^$ w{pNq/-t3̔,xjƓk']R$ФT9tș]ڕUGWYfhs_n{FBLQ̴BcSt( fV=YΉHBxP#tr!V[e:Rkgo\ֺ_@M;,e YU(2"7jv=.f pp毟t5J[lўvMqͱ㧵{4r tqqif:SܔYK2^#'c>}wNWp+Н_~Z>b G&#jj񒩦 ^N|bĢޢCO+r4{;TCkTGKޒ/,3cJN* aqp?o䇖6=n)W!1&c#  <֌bؙ#AF}@ A,ٿm0}-+aI62ENzȷe<&1*d"iy{#beU ]_MU0prSq¬do$XF9f+isdػ#Z+r?"uG!jx(,%~0^d %+ ǰLhy&A&s_3meC]+5'ڵ90_Gk>2Gch Fʐ:LF4Q`ICVhЙp}y|tlnVC/,nok#|}IWLbLi(9T[C)jd23Z yKa12N[j4e?3*̿ i@7vEmrKsX(HN/ 5HpG%ʯDn}hR,Ŀ[-ѯ1l:^ LdbӪ&堙 <> Zzp)m(2R( Eac0~0M)@Xs'OWɋd[9DjxvS{t }d@*JOAI8dpw=?1pfn 6} X fKp >D^}Ft Dwঃ،t3CZ+!z$v[]b<=X๛ U*S8^JX^+'t-6aniId$[#`eieɊtzF5$ ,)ఝ;FvQP0tچwJI#ghj}{`6Pjޔs\C:;5hkƝȡXfΘ6鱻 bJ|z bl)Y7lpbU{Z6TDsy#H'\;&(c Q+sTz (>a-,7n8P.2#dWkfŃU5[*[=I;*ƅB4X㢀(]h]S!]]ˎ>P{>$d^z 2tM3T)/Κ<un:d%S9iLvjF ^)"хȠMR2OjLСf5ekϑ:]dc֓N!L#w 6O.7Oܝ٘;?$Ul,yEcT Ѣ](^qX9KIYQkׄaMrüOWcr1KuǐG'*mO 3^Mm`ETDZhǟ/cl&?F{zCfn 's1' r*Q}W{eKhBIM= ~ӈ oG}ƒeF*žvm1l?JmyFR;$o_t:>t Qp9l2`ʎRΫ_]_V@Pl7WGÍIsΤ,?dh r\HFnp䠼m8z\_78d 5^-|2/$N=W0,~jgϒEhid!B8v?P?L/d|]U_1,kP˟n}$؇/~9ȋbJ? 
`O~91ޞPK';aꪰu;~gα msB)z5Ǩ_H\Ps-ex^S,3[?Kb`ÿln@gMcƳ߆PNs _3G6>цWR:ws&bf//݁5~Lt6ҖÒ_u| PDy~btE\{2KKʥV9`19:^&֕Ux )νؐMQٞQ6f4oF)i<єMkHJ3KHW5ްy4+y :0ǀHNm!-G1pM 3M Aǯurgз$fu[%MzHn[{ $u.Jˑx.@Ӽ4T6mo1=],T_ޝ Դafk) dFDU0o&r(+ LْYҬR!x h͢L~g6kԡ+e!vi^4fh0_u]MX=NGbHÏpVz+v"*fkR6*@26jqNT>d?lYiYܬi>g- 3:QƅSH#5YF#!5Z2zmE\d>bq]V5!L)jy%NކX(AlXMkf@C%u!H3:}UɪD-,du, hS>Pir=,at)YAIQ蒫3)!gMbƷ+ĆbTbdV(S ~?R592k s: ]2ZT#Y.|D¬,t,C.A{ʈ8Wź|0>^ 0kR?Һ39u8> V iۙ C=l^H fQ~Dгy #K΅NfUx!r %,dWj\Gl%iuI\/|>Yc ,5zN(m6=<,J~8aNv18LMyZ~S n7#;CX8t#hbn`^J0ش J,ٓLuR@Zm͓ᰗvq~/ H\_UZ5!@t>lƷOs_iV:S vN0OmiY LP+-6dIE{`ﶅE<QՋ&Z݁#BfBi P/qNgRs=2M/%/X\ʂŎbM=HjmPf%(N7+_3 ',_8(eU 4I5JY(ќody މ)t_ H}t,5ֲs˵̊f x4+?\5-Ҍ/hlqZߤ1݃?eZkB0#|AV`L%IQuwjUjg#Q"Z 0rj??}$t֔,wXEkg 0=_8S ?h&8Xg8 *̖gpk BZ$&qn8Ѧ7lwr{Ҝ$-Kl Х0t@?.f@`F4M'j(.nYP+?f//[}sZDt?.؂],, '9P¶oa1t)'WPދXȓCF{'ILv6=Ɖ0 Ζ=JFPڊ]qjtܧ$ak4M woYJ)bgfgJ')TufJ$"x75t:Ô`-u0+ ԓt"K'/hۿLLF-TdaU΋G% !f~X=T=1KfB\9q9T(iܵT~X1sSKh*"`Lp%T/cR"ЉU;)G[~.6Jiq5z3g lc}֨7AyDvQW@6UG" S rXؼ$8= ;sڪ;?jHL6}̔]~sp o t]o h<ߊUg341 uoikjI.lD,uoy~2S4~ 2yHv'^<-lw:Cغ`Y Gn؃-%LF7[%W.k_ `2p[.n4Q\^®YajFQl>V'KnGR?(X dϞdвS",p+Biff @r $CdL3y Hp.uX zGQ iVhРijGJVxV!iq/ƙ%s-p6E6G!8 tjMwV,$ $Kg (Lew +ƨɋ 3+С,UFd߭Vj?n l;RDb #)SƝ}ϭ f?r+C6.@dKXpq(M:xxv[qR:l#g@FwTo+Ha 2*ýNK[=Y[efs_/l ݮ)i~j}z&cll|N@ۨנSk[2cqfXv3<`- C]j PFb4jOԘG Vseˍ]D 340w'>ZXw9؋us! 2M\Ͻˀ|ɀbrVq# w#0y T|}t34*bw@ynJvTia #hgiCE_88; d_ MӛlIҥw= @i_ÐPhጙ?8 p-Arے˷ݚ(X sX);IwᚯE3 i} ď|5NC[{ˬ8ވnfS9,z*ˈD<\7FqPGQ?B~hM w;p~@L}W嚳ʢf5ߵ0wd6 P_Œشד8݌$.;vVH cUBt"Yl̼~ $,- EjExv Wx3T+xmq<規3>0Q(H[t_-AF1Pvۧ`d!^[,e3 xq ~ z{+%/QiiP"Q0 0EPr-u^0gU C|fbO޾Tb~z=7/ 4^lo_Eʻ'[R= 6i<+#Hfދ BpY&Vx#2XeDv죫r S. 
yQK[36* lBc1QJ$ʭs1q :A=nٟ2=n=vgݨàٓx R&n"+.歪Ԧ ;?f/dI׷]UM>~I.,[1xsi]_@'&Z;YI|p,H=Rq>C'Z-li#b&МQd5*t n9kj ~;JY9E_fĜ2'Kڣ}j) ?maA-Kf'mg95_ǰKyW1G#ϡ[m_g>,f$*QP)!O)TUۉC;goa m|~e'W>F0hWZGciZQ6AogS.Fgf2L{bb{'Uꁂxpj]sTV.\vvg,JŠw WmuYD}ǯH08$Lݾ} so+ۛ.F%)thk-Ɣ _KFI f|mrޤƌWjDe>RV~̠9F ܻnŢ]YH`ٝ<(TelZ{=Մsڿ&2>~,tXi*p Q1[ㄱ2~M36?a]w]r։Đ6:r{lށJW0.@ݺwX7u ޽^ /4% `M?>Dٙ`(]g~dA#fD mPԸY {HbbW: Rftܰdy.zr(svu[^`cc1.!vDZ'Z@ǰ!- h*U4Q@,6]r]-눤#`)ց|1%r=CȸƂIfJЇ2.v2"h1Ua ?u#)8 1 YU^GL-4u*0ҭ53xo|FG,򷚉&>!PF =ߵ1NaFTw`f@6#6g}%ގmr)N u]m%1A'HQzE%/$i:EH I֡ \,;nU`3"7EXON ˢ&©+&$N'|Ei6ccZY4VmCOR}Y;p0y}6}$֢A2 sS[@.{2~d$Pw `z( F*@!BXPl])k 8]A!Ҳpf`|Ec_e5e´Y[b%9}H8>9DJ&gZ':`(|ފ#dD w;\C8z=H0Ejra*Wș`*[ŐoUf[. I)ety;7@lewƷ8Nw{y5(4QHo75@O^lɼu7A;oLZ`reWSnڞ04~ZZfRO_`uU':1`7xCd~KƑ[?8nꄫxgIh$o%eVڰEkdgO,t6!ծqZcܲ'Y6axl+* ׆s/#,GI}t!ZTeWwGD6#}PQsi}5&kL^^VBSa{4G!| ! d: eZ=eyz0fK_ guדDJoՏ%j|Ѳ#5N<|3Sc =2>敨;-T؝b%\|q&j'?A>*;48 ?Ҿ&e$چWGʕe^A> g~_k7f1 2gL{}!{ri-l̤Si{Q~NYжӧ:z :<|o If !OO Bx̋$[=>1*,7Fkܠqk}P*D_L;&t6y/MK&)Up!`-[6|(7DPii?Ymݞi 8JC~Ϥ{# VNĮ36V1&~y` ^Sh#vHY |(d38*Qs0vx QMXkGq b,m!}Uӧ5$b);> Z!17\STm%h"ߥЏo"_0k:MRЪSeMܺ>UגZMD8:@>CŚA5uLI0D+WUE^.9>|gnjjh#%pƈ,;)i{,laޝaJ¨40B=$Խ~jVwZU{r&kcFӒ&@$;aVfBz!LKe<&~Ԋ@%0?!3Ʋ[R'0mNtC.À)Qu;mg3,6\Z hoxhZ%>JwV6nk+{F>r{aG(MQ*Aip+NO/Hti(0[X׆ xK}"Ш~w\3BX:c+dFO8m9%)F]NyH@5e--o-Cޫ;q⧘~ >\K q=fA=Kn=Iwf.2j:>~K,7ƺiQo<%W͌.B <,Oa7̰`ȇUG{:1@]w('ޕˇۆ麑IV T,?F}Qr~ky%hC='@8[,(ԩƆ JD>k ܷE@s?^Fd*#)ΈmRXO,&5LtWH1/nt3^+ld۴A/%sSԏn4ƞn4l}\e/E~)12NI%`8x i0Ձ*t<kZ j ON0mQ^-gqڧB$s;sni_f @p19xN7<9du1+cŔanbٷ;{-r#ay-Z1r,z/@c]&P庒bubG.1c)(19# 62J9*B0hs3P`T A6'~_DfZp۱*CpW4ltV#ǮfbMi@x/*6+%jgVPU+5>GXĽLwa A<`C ڊTL0.^ OKa{#Y`g(/5<("7ϰ7\3'M`-1UV7.h`hއվGAּ*^&C1Ĭ.x){kQ@p1=# G\d!pS&1j!~[?ƐQ)}=NԐ/<{egj`rFӞQvQ]bV.DFc^RL[f4n;;Ny&+%jj/?6%I|+j2M,0}xC<Id}?:CGڙl mDӠltDŽ 7i{27’Z .8> '>g[֚@a$п^E"F?,S2M < ݿ(xUĶd^?K6%Zu klΫ!b/ji9O@d[?Jzx}$G<﩯M[x+U#,'p+!N pO9_Lt:{iJAx$zۡH,$O4>vY-EPQ3qx3kKo'T1`(`Í:tT!2B-/ɏPYMC3?1O֯Ӹ+ @j''%%_pJ;(軵=2m:spȉ-1X>uf<9b}#ָ'"XjA . 
mJ}*{]'u\< Sa%J |DSGRЍXTZP(tcLÄ}o"W %X~+7v%<ဧﵙM'd݉a~&HWrV*d}:NRTm_ *Һ}o#É _Zc$.cJѷӻZDGjSczȷ_ Cnu+Mmb[5k}A_R I_$^$H^au%;֑dA?Bw& cBTwLlQ9K[vJ׆v>nԈh dAwK5]p?48 u)=TzA! Q?KbId-ɱ>lgTgT'p.82߮. *&Kṕ lnэwRM N $4yǬI=^.c;"6 +ē.# o=MJ|i؊bcF oE2\O4 Nܾ U}ɛ0R}"vLbQJNԍt"x@ ~ mlv Db^L )d`V]s A2Vig#߯5MV-:ƀK_v%GݟlVCuTB-`* ⠼AZ K3ӏAz[-@`?*jA_j OH'hvƘ@J@@*.xՀ+kK(:W.M<#Pц'6vv)bjyNw/=(}}hcdE.8^8̔G{y@icgsW9??l:!$ZNz歈 ]E?elܷ䥏xA ȑ*MṴC_&= X=%'c*<# we_Dd(@!VY/UcKEtA $R=߰]{EwbG~f4}R4NiUR s ?6I9nyU 16g~\}ndVt2QU5|lK-*: ~B:c]N![g%A_clw5U'ԕsi;j6 ٷs ASm q{&s"Rxj %0 =Z&u,C`(; fQLDYB+0=17Hs'Vg>+zﭣ쯼[瓘\+ 7HwcIPXWĂ}O`jO-R>WG[]JӰx@5S>R @4->FFp@t ,-mbD W{zYwX{k=+a1݅D(3ĤZbTP۪S08Yu/M8pTҶA=f$+~j{(`s[@HI1tMC1ln)&t/*-8{VyAƚtIC}%z5*XrUwbbпC z$j8j{0jŷhZu(tv)$\VGb,Sw %bǨ8ŶU \"s -\xr]'"Am~c?}2v=5,x+㸽 Tz1Is6 0}F}A!p)›e4b'}(N+ m?t\DtWT@չ2Q:'2U~Iv, E0Ԩep3k{}jVjG TvE,I< 1ݶzG"$e`M Ϙ5@u Yg\)Rr}T:,"Oi&ƳuZࡷ3 3#ڸ OS aH>sN^x'LΨWAβzc=&\z>d0âoegdTLHA7I>L$i r7!=-)U{!JHWqr􃄫 lfMXdvze>ՙ`rNkٴM~z@Wu~l0 ә.+đ`2mЎEХh?c1a= JM?^ S$@ dQٶy.icmK>緰10PEE(%9d H=VxUV"C mw4nRLM҂rœ> 8֮5I7p0@JQ~1r$O(fB{6͗7Ι@CZТձ^NthF(NuCj]īCitLavJAeθA\K/uQj- Q R,l4-9ٚ& Ȫʅ9SUc_ROEr@%!Ō)#g̜U0˜ xf~vB-#Odgzݼ9w AW ࣶi# 1,/b4WLDa;a,XsKHJrnڴ58ne"PS{Kڽ,3\OT<|7߱FMxlWte0Ą&o޹~!81 l~Ç$HmDp#!ID˝: Qx/rZ@9oZ#X SՆ"8lh(har]Wz_9*W\-s$1w ҈0R6tX̣UH `OA 3i abbRfm~+K-1;\3/x۫V9k۱ Qٱ;wr2n`tz,SP5#O!wh3>'`>#墬T1oKVݫk%)t1"\uy"t8/6̴[.%DZ6!֙1Ti񢾹nczOW) _@= Kb̟.8D>.Dz! HaQ soH v.-R*D <&_J 8VѾ?$t!XdgefS]mD]Ul3sr>JpR9Prt tR߆ŁWO4u;y1rH3<-EJqcS;W.׿`p*FnU6טxI.m5}Th9Zw j>! 4cQncv#y, f"GD.|FZ˿ ,##@9a A7x4ʫbY *~tb(K{[x`z`Fcykgrq.`☷#*يb[~}Ysvalv1]UOs%Yߪv8R.UԴG^vSuHIӭu׽PEL(Fg/h8Y^|8l ˎY=Bhy+-,I `u_+Фhrk6 =ӱ4 "lzٵP`zȰbJ/Q>)C~s&gً#3Ѿ,uV:QB޽Ovk@{Gq8!6n eozo%[`Op +L' RNL#s/RTAA.U@_ ]8X8r 4Bvy}D2g#xWuNY2^mEYR̓^(RAE|*:Hֹ80yjFX$R]We杞|х'?ܼ0D ֜/+)N3^}uUlp]kBmIK/\]}/nmJj̘5gB[`aO '7I0؊/"Tc*f4RYx ]-aubBA%s#Θv׍J,5dGWX O PH"9)剥wv^IF|{ӗ(h%+ThmYM3J=>B?{#Vn5&Mq рݺef)Yi P.ZDtE;c'!c6(|Wz]ƴR+|'3O ɉ$ӴZmzW\/|U(Z&f78=fGL^o+Z\C"| \RMZE,ߨ.H^Z*34KkrMa;'oGtGKS26F ]dI ԧ:3t(DX~;LTbZ5Wg.)})~Y2 *:i( W8? 
1r;po}4þWy#Od`4-/abhۿ* CcV+^5qdUش)F);P7VG>nBqt^s:2" uE&M;ru#MLQ,zCZiʩ]R;p&$?4*jAHQ4(z@X(I[E&g*ge.c>GM!6S^3Zwu ̝ Ԥlx> Z%uԳ&ykDֵZPoލ9ZgF@VF+KIZ}B Pd%8a~MλdNSLr Tb mf]FT}%`3(s˪pu'Ty e^A_옅KBmn]7ā*&JE @W 3h9[O‚=5Kv:+Uwa/ }7yfLjJqS DQNM]i@}:T͗q`~.e44,2i>~aXTFe>TF|I,Y3jH +OygGW1Fo L&dc4B FEL6Tv'B§ J H:A,U/+L g֙+t#V;l2m7#}EKلe䟑awS+קKꫭbf~7 \ǣYq47:2 qY:H&}VůIoH{MoGiQ@6ǣ3=U+4r0A[ x@W;vsVB)xNgcF:cE@\^e205^ulYܚZqNbmd7sd |-qR4k+>Ǥ1]S?.ȵF $m)NB=X0y8N,;ܫj=Kp).N'X‚kBpp2?%띄M?}rkFnSg7#D7@\ j(ljNT3;,/k.p7j%7 2dNai>xWV͜@ZA>o4֬y9."^9R(\]PXR5IsKBaL4;* dgYb UO8ΜeMLps9k#HenlGstGn[л, kmf3Lc7"bg!)eZ﯀U"?to P&ؗQrb0 Aگa}% OEm'\)lӴXJ+Dʬ @'"F Opo b>L?7ԞA/|ietpʜ3ˋH=;bp_zٚ r/2uTfOjs' r$clޏp5jUI~ȋ){i۽ Ob`#i!%ҡΨU6ȷ oZy"Cf>Ü$'O5r@,aխaXyЀ8kj hu&J.OǑc-~wu"zq,xatZǤg ) 3πU}<~@^ {-Mc4)E܁Sh_Z(t̨bp툑T!eSQHD5uvk‡5`4̻/@~U5;NAB~͋ab%Pkrjmv* a)S{xgRO,D_jCXVyyGd #$5N.gd)\a|P?e֩]0wx}J-J^m+~xNKD-L}ͼcI x. <0jD1јLin' s+Kh @sD;m(o\1Nr\e7Fc[ؒT9\A@jG/͂ tZ^HYHo/&Tkr6]Ų2>;L6ő[qg< H8/!i'ǙX9G,.je'gV = D`L2eAdtcJ>;ª]w_gS+bUϵoԴ*jF H7EǗCv/{~E/kaݒ`m_YVԃf#Ϳ beRNH}"LS656^OgY8v[(|; [nd.]`T ̜)_ͨrV6Š/?Э| _be G]"GTX\@\-C n/{0O]haI3PQ%K7Oe^( EC3C YpkO*@pTv/kכ$KwMTឤ ju&EZP0y4'*e|\Pæ -7ʏB'ռ:KH6VwJ2* zt1@T%hP˞,) rڅtNHвHvaTUĬDD .v*Z20/s}-W"HQ佷2s9Ѷ%V Xm]vv\5@(ğ]"s,-̮iMØ^s#G)\gT϶8K3f]ڧ<"oex6/=5n/Ƨa^k8gJѤUȌZFPS:a:P5su,3ȱ&,PO+.7u ɹDy}5-\y飝Uifr?-?_W0z^&CB~Ɔe|])=9CL{r}#G:Iו0"J*< \ϧ&H2-Ė4^B >M,qa,Pv%4Vd"LR=y?JamW-5m&,pMm`|8)gg~G_Mꛌ/󍱥uFUX]jٓa a#fLb)rI\@G8߬Ҭ)OTP? 
~-Rt \Ź;$ɉ{>q^ȃC:L[s.ɽ%bR~Y^0vteqӖ?xwuDڮL Z4ik'ϟw(сbxF N :U;;-ž|a(,vw񩘄dTD;uȬ:Ñ_˫e/wP/p!;\]!8 A"WS֫B3ǿYyۥ2pbHJ{VhW탫P\v7y{~ 4x'(Tq-~G QΧ< ڧJ,wݔutWQܸ6zg;fjw?B =KG0Cp#I>[ҕP/ǴN)kGk6Ո3,}æ١xsлM LECۧ{5 V&f& d[o0kIj7 ͷٸњd*Swpg6^ಽ j,ƱSz3L 7q ,xu?;R)3/.xRTmP"Шv>SWmz2*%Z VrӤ?'2#sBoNz97-OÍF;Bp1 []>֐Boڬ85>wOl |;?A;yvuKPnlf&=bPa%>Ի$_6ߕ&;Q}w%@*[HLͣMl`?sks۩őӧQ״Tf`ޝ JKcɃ`ӳƑω 6[-TtWjݎ=VtI0gܧk3U] @!ZhrVI& vꬋ"Tb'>i =7-wskHlnK̏׹zI#Ame^6N0:3iJ҄6Av߳;'i0@it ƍ͖)ךܢ.}_ZMcn&5`2:,T‰~1'2q^5;vmiTM ~;R34c7oSyp⋛jAn'B'm)rjivVHX{sı?~LLr]ASC[@, ,%"vO|cH0i8j]z'a> 8bzآo` Cɝt ,zuH4cMj q!lf`䖻{(E]\*:8<Ը 6n*q3Ζȩ ˍIC/e`=:ݮ02ߘ̺H:-āQ%⸴fbjk`v'7}SyQRBZVb"&f}yvM~xـȏ&5cAáoQ!x2dY^/|-u` 1H$ݰer oQhyv8i-d Uqq=bo+;u4}@eaAh$^B]r6-}*TXHb |i~N ~i|bZmv1Jc{QUg>}j2xѻh<6Vپ$ʶG~2^!QN2DP!-%f2 AGv$,{La#WFE~lݱGyeM[+X6,L`ܶ\ХI"""(Rsd֌GNx(K׻I]*=EtA- w9͘]zYD/k[[$Ys,猁$u\8H@dERk|j!w#|qkcrΔ9`N:p,N __0'".d'8afŠ$[Haz|} 1`s>5}UP{L] Z?euV* ~:}Mg ~ټZ^kS>X a* 9'{(53J}ȋUF/lKa>|QcVGKR5}(7qt^'.h0;㺫;nO잵8pf#a 阐,8r UVp|ކ]a9̄vT⏝c9 ɳ|zs7Gz2'/$40t]S_mHKhK MM,lqXHOP 4F/f$W`*B?dLE#)_=(O. PVLP*n-%S EN_5MY/}䑔y=Y3'M,rUh5fsO/ЫMEz蛷ۈ+kԾT@Kε} ߒCSp:tc 4ڤDxkV ;BK}now+ WX7PA^fU<%~S#2П;*%Ps/~ B Ga- @gHP+9ͻ҃¤Tfkidt^AN:$K62Pۚ#isێ-sRl?tc i;Uag~<:8,툇U.ⰞI1U}9ZTV4!III=fsӘ-Iϩ2-{;9I J+ +Ae~ޣznƉ4(X֟,CH 8lcli'EĢKW4 U?mh7sl&8)yUY"crM*֣SL]Ԃ%vH`"׻wt]@RT4áP)GzZ[^{WVtT=^:d-un9#GoWF]ҤzćsIkLMߝAS>4ٕxKHA,_n$IJGF+XO|H 4,~aC]}nՒ+$%WֹHz§nlFUF?{iw'cF:Ĝn L ʉbn?/yl˞HinUdϩ}Mw^.w$W. 
֐Vü: =P'j&=;~n6ߎ|U WKO<:~\8#;2;xuRi#~jHj{IſX"HjpbD 9^I' ;Ѕl-}SIM$h; pGa"+P~xVvwM Yxoǣ_w6:ş>]jv?|EX'`ȃ=Cy@`L1s>Q_>5R@-sţBÔb+/Q81?`wƶ .h48şE-Ux[ {lu[FkBI+˭c2eZqPGeA  # "m:eh#{tu}՗-y"9ċ!)@2(A-xv1;,-[;25H8X^~azptrPANR[pf$[k2:[J㊪5*&matZTN %Rv@bnVpZ kd*#7,P=tOȹٷ2仔[NN9Ue,O, }<ǐLԺgCw;E 3\V, 1v7 ,] t"H̘D1(wV7뚴Q'[%H9b/&"-ڞ+SQfsıeO(aA%մƗcKpvTddd"u,2!RAzf 1HQ}dq{BtGI⌀^QҍM2 +)Hv_4#уm+%Jfl`fЯz1eM)JI+_Ua_jF .R)Fϋ|򠵣Q_]˦H=ON7*pb41Dƻ?G=MLJޱYzTx r; Թ?'iJ HZq ,}vm7Ҙxj"V-4}H\dc}x_W)bs%C,o N8sj FpA&X4ѨO?5%xYdR#rXmˢTooveln`ʍ<5Iʬ験|䬰v]Qmy1i[@1XWd–Udqv>avyEg>6vG\.(TEb4F%#Rq'N$)$cu]Z$ӱK'D' {aB\Yc@Ez u t/Jʂk.U0F#^Kcbf;/ l\pz4mрt33ӷ/ L&>2q &/L@R ׿b\7Ož/a&pLrxt$zV6BU7zǤI^Xi<e޿#z8;L$ڊ&]E `5uYm=FH˨`:PkRKױ3A 0(4wobc߱z 3?nY$$]: U@?2T4C,%vEa4lz"EsdLQ/FD] PA 9<i0K?Mi,= [; $Sج=ȉ{"2A^sPD*Y\SRHLp{Ō n82*CNLuvbs Q.C`G,i f kd;ì4Z݌/'/}DްT+iמ@޳DR\.#{IJ 1(m/ .;eZuihw#tIֶwSꆟ!3愞qYc+ӵ+muyOym?B5Vӓu5ZŲ=ye^w_n^R Nu5ӡ&igo KKfX6wm0nFh`xw ۀW(QO[S&A o0y'C/| Ӈb?L$rr~Ab!Zyo+* y5kqٗm5sF9}az*)6uV lΫK6<6G? 2[% l5 lҿmkyK>ƥp8wC̨֔ pb [ ouR4{ZAz9͂g'J:jﲭ% W+ٝ"ÎJĝrI<@r}fxw';N;e- BbgHW+Cc,ν-PHbbHB\0o&)>Jf!I2Q[G{tA8,BFYM55듭[H_#X^:y[熱َ= dl-kb*V}"݉-g`o jWQ(6)>&:K@`儦WkZUG;֑$Da?Mu%aHYi1} )%ާ;D!*#BQ)zlCqJߑ}3 : n A-CKʹCΙS}Bx0K8娼`HrؼH. 
y D8Fi^xzkYyr :D54TbL0 zʙa5Pܷ!)cWFVW +h5~_&*`7]&C0xY3ĄGԨN(Qqjtg$:P/ XBv(3d[OT"PgV q ѐzd2[zd Z8f#$;'3].-aFl8#s$iGab*Ĕjs?lt} ?󣤮/rsaRl`o}""h K'=p|Fj;x3 G4) KQPuNJ3o6Ș+1tr,>og:L&HzCF]pq&K̍KI8'{SWƞΕ>2qzRt(fLVro>1sCHpRnCv.F݋$ r]HʠMln%$5hu/^g &z<(zcj&mzgɍ h]̈́\&I`̑J ,p 9/-TřHfmw+<%dLMZ_}:#BD:Z**S }0#m)GYP[d>!1H5.yH(#a=2N+NRaj)T}X# }e!du rˠ-ac"# jm sWSãz"f  M:ah-iOwM SZycZQd$mCwn%]~REv r-4nOx;9"NSE!(OsӁaqqw/Sb>n ;Gd-'=jMm\ZI `LBmL~띘 9kXx R;Ut8*psϱ]-k?&ԙ$tp@!'({oYJv X2 T~Qԑ#謥Rji|.ǁ=+' $!ߨ8Ҝ%84BPwr76Cc"⇦ k$pD6Is&fр'FЏ6&+ە!jj!#?9e+!J@ѺF>0'WPP2hہ>Ifu n/pU4MJK[Ϗ:Kq`(=X - m‚,L]Εo*C.-#aA3FMzOGs$ʠaDxOCӦpx*La5y۵ziC'kQ48M2E Ogy:b2qŲS&E~ݒ$O.-%dCa[^N]s#1g@[Ԉ Z:TBuU~[ҞW^y6CLzOgL(b<'@pL8KRUam%&N -RJtDUoܓ۔iؑF/jpWT0š7U^0Ke%b^TvasFG9])B^nڍֆжSl^Ϲ<pzM.rIJNm g-senc D-UPs8%{SYb,6(g M)X@H &ߟH vw# $\@ȯ_w9U_i¿/Q"~ 6`su?ρm4pjC- <9V@!=7M}cN[ˠe-5ߓkM Ѽ+m͙ShV5'XmvEe01V+7;A }IÔ ̑Rq2[/F̪k=E(D?(h%T NJ ը,܃JM cAMpg­"ڋr}#ݜ[2kP1: ++knsy&ھAUJ_| <&85zb,$2i@[xN SpI_a=˱?bxæ}R)Gfd6TBr`w l⋚|(!i%]0SS b(J9h:KW"Mx5J,Qw 9 ()X!(ckt IJ(;Z!JŭC.}BN*f*0? $0 Jv' y1[2"%鄨^眃+=SM$MA#-:1VQe>lAi7?( JoaUpؐ¡K}@ME߶L0!PJS,F#Ch=xE$`H ގ9?;@{JEENw4t$͖ .k`W8sO{OB%ޭ$IRu{c x;t6y `]]b_A0<ϙp81C{ۜX{K?f6%#|(LEdlɦ)/K9.ڋM)fo͞JIyE~YGQ-TsyeR&RYN}57Yd y҅> 5jNXo?. vDh\Ow嚧fM9Tv1}#5œK<$cZw/@2,QD"U9؋1pʉoڬ ' (B-dTn#YCyfhb|uV0o:מ6ķ_)t{|N?'WycT*(iRA++SJD&<%e 7<z``~$8h;`>1)rRQxdkzQ^LjqpR<| \ߪ]|[iU#J6f.Mj0*qP:>XI%jl*I?b$Bu2b(<q`B{*U `rAyLSt{) ڟ'oO񈤽,ZOm4l֠^l@,;̳s+0o }Ӧy1C)\'+phϒn:`qq7pNd=EW`IJSW4r+eyyԔ}c&e25ZGQ/plERW p ~lL˲3>0j/N*uosV)]OZX ! 
19A5M)Hw*LjhQY^,>e{9Cp) 'i 7 XclJ=mk!_Kx֫Ј,_tHӆ3$GpZc59<f ~ ;'Sd}/HT,.2V/CSV~rSR( f}m],T.3HF5>>~K$*b ;ڵNɮ`T;+3֝jOO`\J' .y7'x$Y5lp(Y@^SCCވ\繣{Kb0pŸ힋U8}PuF0M@>AHQy?t_ץ6tK#l!|SGB~IBP|AV>TbgIk5g$Kw:\yYMTGOM[G$Ū:Ɔ-Ԇo \K'TFj;CJљve κ֯Dc˜gׅ|>&'DA"k|$/P|S蘄E4H8'>YSZec-LΐWZt81Z2qLd*2#tO&3jX9e?:8§*PoqfNWBϮ#{F*syֺ.lLt "y9ftj=AUxcD$?̆a]YYuŐ"ªPQ^l6o5DoJ#@wR(@7]*n$ KmTTMz hڟP))Noɳ*TTz*6,pALzj2go}ЭaցI6,0t\ 7NI<{Ǘ?T}``!T3rE/97*$SM}᢯Fog,>z-ëβB;nVx; ,ܪ,0 A#\)f&hKSe%8ܽŇ߻uw`l_`_jEњ߱g2ǜ: =;4]f١#`21;ƇfjLҜy4Пz(-ZC,[=U#KX8e/Σq#!Du8B؇</:>ZH ¹H{“s"Cu41&|,K6h>fTuk֎0L-UDW׃ )]RjKlap~ _N P-M} "i(}P_JC G#V  9ong`49]D"SE^ ~;DtD.N?8?G"KVB^u 3&͟]F *5c1ZAD=OKOtYV =YT_htApURN"Ϯ.!ê~5`||zȚdG\]xh;qiwǽqB\e2P\ۯ$CYUk#+) 7/)k,'7ԷjO/".ԟ~y{2{,&N#;TO ,V5]kJx>(/߄y,*~)c G{p~((։ín#ggY4yxAVMT_To StZEtگ䜳 ֟WizDa W`mT?es6.88M$2;ȜͧRc23qO6DJkHJ[^L֖NUzG`۬"MaZBdfZΊ$wqUb Z +.O]6iY+" '"O4Cϭro4oqW 9~sIj|m 2jkl׉KQ#v]IuRw?#弳}T4B;K4Ju* %o@ C Z ])7=F*BLgVذmXPaKR0?Py]kJG2u^ w"+ٙЙnpwJ .߼#sVjuY,DI(]!x %(AE*;)~' Tr|[Q{_Yl)u>J/ZP0F Q0ĚD7IduI^_w(͎;^%2> k() 7D ,# 5ϊǎWUƈD*!EӘ'G(~{# hM ÍkV \{=/\ZH9O$[IgxpjrʹzEO%+}9NF[P{I ɜ4e/DbiC ;{ ?m=E7Xf:^ks!!JI@KLhNH zgS7pIj@`L(;mܤ1L`v?2/Crzc)h#(~zYYL&pyb78! ¿_W7xBVz舤9?!KˢNxTx]y4IȠ<'/T _O__O]Y<#qZ!B7b{Pe}˗@蠃PIǥi O(Ka3*k"&K{'nH?N] oJ Mlažd[=+0xsSiy&^ud\)ű~p ? J`,ANkݼ=x" dĮS5H-ش6}셫&̓:fffM3}PqHQ<^-yw[{,3*!p ='Ϭz<q !:ttҥ]E|iJRw&sܓ6K#D`EoNsAMԟ Wuowq:S+RZNdmBUXLGJBn=[>oւT/Go `FAAO<Ŭy8:;N)Ĉ;0`kՙ @+JQ&uB>Ua)\kVD"[}XZ)hL0 YЂ jZ|JX6Nci CfuZA[%zuz?<ݾ@LX $3h׬+*fFuqhtp$a54q΢m?tȠŒl;-uяx߸XX'D6 G W05 U ZOҾ(#T xkWۨq SJG瞤6X 4.ho{SH. 
Iz‰f3m`6 u5G 8s+'c .@LhJad[vE-SKbN}zAIhsq-LQSשtFxIj3W65X[A9`ߌ ݡt˒qMIjbnpbp%ZJ#1R Wp띬21uSʷ% zqDëv)j(q]>-pcUң(< G}'7YJ /~f~CN<('E5AsjWqΨ~1Dϼp?.;$90U0hT_-ׯ2x4m Y8â="x!~crA34 Ū}u`щ/j?MA2˨sMK> &8Rts Q\N˚>)GiڵŋZSӅ(#pў?4#=`'!M5:X/kÀҌ"IlKօ[ykYPG%ƐށB?%x{I]fƫ~5"&M֞mn%Ŀ5?D<*a8)F8`(^Ʃ#ST<o+~}caQi'R2ORjigלm#O}QDfѐ:sf hNr#gpNOhYGDFazOztbF"%B֝GC,4LjyBTaG)]b dh ){=J+P(|}>&y #z̓=nXa]o2uu`y7DL WH^po9:-~ӿփ *jpz,/ќ_ώO"Dǘ|em!ixvWxx st %K3Pg *d\ha^&=Q!4;Khat!4ƽ?~|;HPIy}=!q෸u~_֜{I>E@3s??ՏKVhX)k [IkUſfR:o?WP/9:/Wb{oݸŧfP`{r":RA%s[7;9ف '_&ʖ6Owg}_axةN Xj}iU^G%i7O nC~A3fcQ;PLΨ [j@l'_'*Y#) R岺/<gw5 ':0=1"۸$>{'SE[7ٹ6%TsK.;]\8u΋ɉ3+2]$NJ4ۚ`hx\y&h˧Lr==Uy1A fl4enlk`F+ UzƯgP}aJxBgĂp#['9GZ؞zOD1| AdInY}DO`r"fTgB;,3(xX` x:|T}ܖEJ*{}(#^]XEs5j`ܞ@))P2Kf hP=sc$F2&0jFDuPǨ|F6xǬ)֫3S1`e 믰ħb:5;\_yr =MٵΥ6@dȑn 6#`[y˻[N9S Pֽ:%fRϽ0#jn0b)?Ur8# G R@z dfJdzA[>j63"8:.driկy⾥.:+D,#fh}O/R:wdy9yRZT(3'h5lܶRrGfg'3>y@ 㘛Vr\ϵgxtheT7/}X9aD,~=(F%ÉmеA͓p Aop X庀 ص QlonlD7e9{@t8Yqӓ8=c6Jԛ%z /ut.]\v?5Bo@j?؄pG <+k_U㦙c Tٔ?[<8Apbzf5ws=TuY`r3C>@6.a>]-(,)/ڥt. p)7a6TBj5r7}^ZRWލgu(l9z_:mT3D8 mD )ͽ&Zͨ]ΎmAfA۶vEI @}ʚǩ뤣|ĩnPUKz#/ 5A=vgAxVaTp!rQ+h'M_0lVu?F #ogg'~6iGn+ǺC+l9s˼OIk`YpuGYGO-`V^^L P@(%k4X [34Ҟt~֠l:9;45v1u jπb&ƓHU$҅aL>X=giZ}Y^`}0UQXjO 4E$Q~@OVw#f~-mGkO@FbIUEsA~vw~D3zi&NV[O>ykE{z 4`xKk?;p1+OYc9'E4Dmϒ?rT<9LdTllu֛!%W-|4d[:4;7ƺq`/,\Z 5Kd@C@hڳdk$WmcZN ~g)489ea h6ݪw }5@T׮·"_PnQtTך?o'@C/Cc|Uo >xF!:qzR2 ]D#Y[S,#Xc-ja(~_E_tLOq.cVV\\Jkk87`WӑAp3GRbq^ aDmi;h=Rv/;kJ\ Kj`U~]6 *K*$1 G 2?(Rv)R&PXW_ͬooT/5a$ƛ$26V/6gON?%'EBkI4>`H>`c6kk[|z[y~xdp,ҟ%)@˪(b!O< >3BCq~T?.R؜Lw.2fg|\=6N]q}'V\ BZ)v@Yh)DkK'a~ PsQKwW #+qKHo{?pOa0x(H~?f2eQ i9M^- .avmd9j{zŇn"tIB޿;fg=mkT\U=ɂ1v`"nq1h]9%sX60eqo6wuh#>`b tz2FC-̥+o2h]:keA9Vq5d '^9 nbF\szP`( r[\,3S1+if }4Z&8Z푥xVC~A}DAp|>^p%}zBz$=3H\7ji*S:1X gxTB 7F0=r NeI&eį{ylٱBvS `Vy9F`7aBu&c7ʲ7=R`OIσD9^%eD[70M~3g}g"fܣkT>%w|Md,#Fjg*PXY0sDo<&P&! @m^)A:j(e_ޠ,GdjxuWA 3#'y詘E$Wtƽ"rt+zm;cQ^RuQW Ti /l& y&7>$2Chl@Xfg|sR[A>mYti#߱QǪB/1ې.)ۀ3\]+nC!ESxG0xRXR5KM346$0k}J=1e 'j@KyAh ܑ.#! WexGJO8FHN"W;]jۿщBp+Hx7d. 
U?qG,vE|6LUm$pWJGrTaYVZqk'u1xj ʜ8SϬBFi!ֶE#L&0'@[.:;c)+5-ZAVY^l/6Zy8 ۞Dz湇>s\Z(qt~4}=MSmvM2< GM_ ]uҊqӵ4 \BX}HG ı<$0x o1>7fTȕqx6iiTO<,G ;ȤKK?MC7-ƥ,Z=\O[9u۵_zA?;:?f5^0J [&NDe GHnȭ1-STY$cʼn&@gT݇m XĬC)e6wUFLc%],O*5O'yjP&:5^V#EA`*nT;_,df!#MwvSV2}9T_DbjUz VpUO `y:5\N>͐8KaE[9W ƺ o9eҴJ6zyWSص.hYg;6.{| էs۟=@1AO ry2%? Xᅵ"VSF>[ . Je6(EܸILbCx[b'qd} I2 ᛸE"58A2=0 Zy]>@&>uG9"cYPL%5VCZǹ{Ʒ4MPޜiSSP=-8Qb>f!pן~G]H":?-GJ{NUT_@5S;"`9]ZM,g#b?pB4KK;seaShPW,p~5`bdEbIu#DyXe1r.-tY'kW픪3y4Yʇmk0-FgAEZi"1ԈGp8L>e=-(@c]I?35Nٍy6ؽ}\9SJP]_&XO0-,=f`s&mK4.i1ݎtNd ' :.XŁ͂ӯ j})٣VGX(㟛z1ѫo0j\Yr^EMbu(H̀.4м=סLN-&萍%(l'oJz堥MŐ탠>K;¢Cⶇj|\]i&S,E[҂gK?sE7HHj5Aٵüpr >$MRF ^t΢{reӨʲh?<{{KV-=W̻Lŀ3FnǺw4ȳpDRMULTeV9yonVgQh`4L|&D=w3r]ZFna\!{a=i lvtb|AcvWqvD,}آE7'._QOgs,9Rv 7V vP% f_%w70CZwA*HyBi0]Ik:zrnZY!c|ɣNMz*r LgnO|}&>2rsvϽxC&E|/K VUZu"JM\&~b ] Cbdognr ?кSm[ /ۓnG̹J;QDɂ@.hLFO EG `Lչ^o^Cv*= si_?5\w$-OVWP t $ʷ 68'Fa=Ca9l^L#bWBXG b".6<D.ʵAV' F3g|lt_yZb[N\H$1Zgwo/&}d9}Oޑ^#%T+`\DR^s3KqTVP=bDt{.[?)\ =sGýbV|>{r+a2L$~ՈGhff !AGOT@7 Wv0 ,R.lW 1u}J_Gׂ~_8z_pY13=.WTXođ1%÷ Zi{"M\KA)wpԓ^ I]iroO 4Hg$}ړ^AU:ŸUaK ^зNn2n W+U&]fr&6σ]f:_ۿ{G]Ѯѓ5Bk`$U{|vLuŀY&9h5=E/M4P zX)Ʈf!e`=)v"Q[OnF3q1a$I7mY+Dd=i.FGQ[K&_cN0pq )xg!`..GRۦ=yWFk_8'hB[`:F->0GȄ:ӈ,VT &}en ԚKOZL"rjtMmN/KHށiJe cJCN=v{ԋ?4}b\0PH(VPlaR^aסuX/9tHHǓk -[fq8/oɨH8eRUJ\=&qL3Uهڗ{Nd~RA٤PʝK$SŦ="qLpb'86İ-]5JM!}Vb5ێERL7UUsuxbn?%.%,kR'+F5ٴr'8v6E4~[QܾY<` ǩ=Sja-J(ױTadٛȁ  l+AY> $ۡ=x49mzxy(Kfik4=D "oB3دCcCI6: Z^ u4R=|~_'m ҧ!_ ޏ9=_0]W?#=]C[}duӂװLxG;`ĵMSA΁3|P<;ɜ捍QG^Tm/$OSe`2~e68UJ<&Roif̄29YZ+}{&?^R;eHR-DyKa3'!V:oȨ:3:+CU֩OHdIHZ|EV83BvlC qqMD˒60EL%6D/NMh>_3Ԓ52+e+QuGc$#~|ϖoB9#RvzP23괱P?tP85㐞 jI[g}Dp2#6EÄXY%? 
*#䟶Y)++(!^T{b<ɄA6^y&SEB S^(Z+W_?}m-pkn4ZT$jtvGȫx2^Y(%`_ {)a KzMoIeـ*x38e2GЪТ Ki"`G|DVZ[|{ ,K3WHv7kr˔S^chzq.#<顭Jq=Y| @9y-0YΆOAэ)XHu #_o~삚pW_pYb$ Iym-g#|!hw@Hr޼D?uRL,T _V% oOO>\s7]y5)]0}b~t󡛥̇Bv_GVr"jvyZR@{#'l۩*"db>WٹVOz:OPD'@ݎ{G!ujTm{Q, {R[#|8I$Ә~|<⿡ľDZ rgB t݃usmUÃietI柗sAM#lէŎ|qdN^=0<_qƒu!P^ HA*7)0GaY:GQ,$ tv20=) ϙ<ǏӪ|@c{dyg@(%]_XZfs*UL#4<`'M}1:\ Y4\e0e}&{&!'4•.Y$vJ|I)y6 q4Ϟ2;h)){ߑIk&QkOdΘ8-"*vJ&qa3tM u!e_߂UsMz>ďt;,~?ҭ5X0 !Q?9Ω+É@OC=S"!7VtvxW%W$0+*UU)O9>$L`'-<\Q)圍Uu~ .Y7O; gZQwn|AgM2OA<k^#V Ivk2?ͼF Oe!ew*v؁}EB\åO%L*zCx^!MYz)1'UŠ[@;BT﷘rsK*'KlZSg}(1:/_]nm7*1~S-٧C½g|Dr,q/sS/xoHma7OUpG0<#Ϊ-zh~}ES |H-H^ab6$ A_-mRR" kSYc$/o _\-O]K\GWZU7lEtO =|p0MP ) %pA~{ b! Ŝ] 5y6+n6llG4tn8M@&R͌c΄Y l?N{ﵺDF6'y aǎ<\Ѹ"dʐ֫jF{MmEѣ ̼@UA ˥Kߛ!]ОeXJo,NyE% 2Hsng]*U^.ҷ|9Yv8,ԗ?K4X蜺{+l-:&Fk REoR# _@o̊1w\mʮ+2$rStzvX+@ pZ4c2C}56W}R|zz5f:x#:@D8uu- ,gu.Fc-Mbb!μ7ʓ*iee<7@B[R߰m[U0i)6^$V0;/;4Ii͘0*뻷s.GU.Bϓ\~R)5(?LA=eΜ%&ϊp.9 -y_FJapDM6jJu=ϔ'81і0z6 U02 eWc6y(C ^f3趫򹇄^d $S:J5W*/*Qp# ?=? riV,iw ! #X53wI_t1aZZGWLJ77stw+z%=IufU{{ Z{b{}2k^zQ$ׇF?"i R]I2S)rWn} Ig^]O`^ Gyiq0a۔!6vᜌryDlj"z\@N*SxPPtw@UP!S!Z[l@}Egzue}ϽFzzRQLcr#2Z[_LJ~>>|9/ke jD%@rœ+^2v15[tLnu4c;'੒D:SYZq腷6Mo.iPt/Xofv߈v0cmjߺ~hpsaH$z&!?]rp,$c4iSse(sKD핫…iيsĮ'ZqڬiU2/fAs"qO@] 15z%~&vrE$T7H^{bvjO<=sі)Ib) Rr<g" 5_TQ@V |VL1B룅 6Phmhޜh,|ʔɘ,"2@F=:J,}?^.ŇR3R&RNfvdJ49 jZ(m$Um]"zM<@8H#v68 #[8[ɑjcd(d8+Z$;1cU,4To6ĒZmP$+-U|%mi ~cc(̖B8aj!?\V|D،t#B !8* &{@O=W k YZ