samba-winbind-4.17.12+git.455.b299ac1e60-150500.3.20.1 >  A ep9|9&y+c4f^:3jJXg<#ϜtW- "0 p,$ݧ3vKM*4/lKkv|?Z(Lڿ4f;Px3H⌘>Я?R%eߥVZrf}ґRtw-rݪIC͛iԶ'^b%T\߈B.a67?C{Vk5K^(w2?ȖpL?d+ 9 Q .4<    > \   G6(7879<4:N=T>\?d@lBtFGHIX(Y@Z[\]^ bcxdefluvT wxxyz$48eCsamba-winbind4.17.12+git.455.b299ac1e60150500.3.20.1Winbind Daemon and ToolThis is the winbind-daemon and the wbinfo-tool.e h02-armsrv3eSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Productivity/Networking/Sambahttps://www.samba.org/linuxaarch64 if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : for service in winbind.service ; do sysv_service=${service%.*} if [ ! -e /usr/lib/systemd/system/$service ] && [ ! -e /etc/init.d/$sysv_service ]; then mkdir -p /run/systemd/rpm/needs-preset touch /run/systemd/rpm/needs-preset/$service elif [ -e /etc/init.d/$sysv_service ] && [ ! -e /var/lib/systemd/migrated/$sysv_service ]; then /usr/sbin/systemd-sysv-convert --save $sysv_service || : mkdir -p /run/systemd/rpm/needs-sysv-convert touch /run/systemd/rpm/needs-sysv-convert/$service fi done fi /usr/sbin/sysusers2shadow samba-winbind.conf <<"EOF" || [ -f /.buildenv ] g winbind - - EOF /sbin/ldconfig if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$YAST_IS_RUNNING" != "instsys" ]; then /usr/bin/systemctl daemon-reload || : fi for service in winbind.service ; do sysv_service=${service%.*} if [ -e /run/systemd/rpm/needs-preset/$service ]; then /usr/bin/systemctl preset $service || : rm "/run/systemd/rpm/needs-preset/$service" || : elif [ -e /run/systemd/rpm/needs-sysv-convert/$service ]; then /usr/sbin/systemd-sysv-convert --apply $sysv_service || : rm "/run/systemd/rpm/needs-sysv-convert/$service" || : touch /var/lib/systemd/migrated/$sysv_service || : fi done fi [ -z "${TRANSACTIONAL_UPDATE}" -a -x /usr/bin/systemd-tmpfiles ] && /usr/bin/systemd-tmpfiles --create samba.conf || : PNAME=samba SUBPNAME=-winbind SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable winbind.service || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop winbind.service ) || : fi/sbin/ldconfig if [ $1 -eq 0 ]; then /usr/sbin/pam-config --delete --winbind if [ -x /usr/sbin/nscd ]; then /usr/sbin/nscd -i passwd /usr/sbin/nscd -i group fi fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ $1 -eq 0 ]; then # Package removal for service in winbind.service ; do sysv_service="${service%.*}" rm -f "/var/lib/systemd/migrated/$sysv_service" || : done fi if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi if [ "$FIRST_ARG" -ge 1 ]; then # Package upgrade, not uninstall if [ -x /usr/bin/systemctl ]; then ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_RESTART_ON_UPDATE" && . /etc/sysconfig/services test "$DISABLE_RESTART_ON_UPDATE" = yes -o \ "$DISABLE_RESTART_ON_UPDATE" = 1 && exit 0 /usr/bin/systemctl try-restart winbind.service ) || : fi fi<X% E^큤큤AAeeeeee|;eeeeeeeeedbd95eb7e0d1e8c973d39fb53be9be46276b21bcacd8b0ae1adeeb63651f6fbea676af835bac5e037fd6f6d9950ea49ff3f39bc693d479069190927c1c5308399bc33e5e9ed88139d889a3cbb20b5827f5590c1fb5afc51ee201efaabc171418cd06875358c0a35c3c1a2050f2db1479826d67aa5517cae8f7ea566e1386cec148c787a47c3127f9c5fdde2848eeac71a06e22cbf997c132d74ada549c086e0d7ad837116f8de04fd9522088967fd90d1c40b9c1d8ff9bcb53a11dc27e7e4697ac90835ee60f30ef9387032c83b6eecec8bc55c86bc759aec647733f1ac45de09a16eb3e6b8e2bf0b1ee56f8a98e8ed307633badc5f3c02d8a82a4293ea474397229c59e6b85ab608b68a2dec39ae80744cdbee6a4ee99eefa911881914336aebd26878afa500a3de66fcf5b3463c8fbfccd12a6469ba0ab7bf12967d3901cdad3610e967c3e1ff53f3df1399831f397e55603e996029a0f9a06bc797a95bc51c6b4b0325dd3211474ac785379683cc4e7f17e211327fb9d536c1ff9138de03eservicerootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootwinbindsamba-4.17.12+git.455.b299ac1e60-150500.3.20.1.src.rpmconfig(samba-winbind)group(winbind)group(winbind)samba-client:/usr/sbin/winbinddsamba-winbindsamba-winbind(aarch-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/bin/sh/bin/sh/bin/sh/sbin/ldconfig/sbin/ldconfigconfig(samba-winbind)coreutilsld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libMESSAGING-samba4.so()(64bit)libMESSAGING-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libRPC-SERVER-LOOP-samba4.so()(64bit)libRPC-SERVER-LOOP-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libads-samba4.so()(64bit)libads-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libauth-samba4.so()(64bit)libauth-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libauthkrb5-samba4.so()(64bit)libauthkrb5-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcli-ldap-common-samba4.so()(64bit)libcli-ldap-common-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libcli-smb-common-samba4.so()(64bit)libcli-smb-common-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libcliauth-samba4.so()(64bit)libcliauth-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libcmdline-samba4.so()(64bit)libcmdline-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libcom_err.so.2()(64bit)libcommon-auth-samba4.so()(64bit)libcommon-auth-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libdcerpc-binding.so.0()(64bit)libdcerpc-binding.so.0(DCERPC_BINDING_0.0.1)(64bit)libdcerpc-samba-samba4.so()(64bit)libdcerpc-samba-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libdcerpc-samba4.so()(64bit)libdcerpc-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libdcerpc-server-core.so.0()(64bit)libdcerpc-server-core.so.0(DCERPC_SERVER_CORE_0.0.1)(64bit)libflag-mapping-samba4.so()(64bit)libflag-mapping-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libgenrand-samba4.so()(64bit)libgenrand-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libgensec-samba4.so()(64bit)libgensec-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libgnutls.so.30()(64bit)libgnutls.so.30(GNUTLS_3_4)(64bit)libgnutls.so.30(GNUTLS_3_6_13)(64bit)libgse-samba4.so()(64bit)libgse-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libidmap-samba4.so()(64bit)libidmap-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libkrb5samba-samba4.so()(64bit)libkrb5samba-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)liblibcli-lsa3-samba4.so()(64bit)liblibcli-lsa3-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)liblibcli-netlogon3-samba4.so()(64bit)liblibcli-netlogon3-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)liblibsmb-samba4.so()(64bit)liblibsmb-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libmsrpc3-samba4.so()(64bit)libmsrpc3-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libndr-samba-samba4.so()(64bit)libndr-samba-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libndr-samba4.so()(64bit)libndr-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libndr-standard.so.0()(64bit)libndr-standard.so.0(NDR_STANDARD_0.0.1)(64bit)libndr.so.3()(64bit)libndr.so.3(NDR_0.0.1)(64bit)libndr.so.3(NDR_0.0.4)(64bit)libndr.so.3(NDR_0.2.0)(64bit)libnss-info-samba4.so()(64bit)libnss-info-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsamba-credentials.so.1()(64bit)libsamba-credentials.so.1(SAMBA_CREDENTIALS_1.0.0)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1.0.0)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-passdb.so.0()(64bit)libsamba-passdb.so.0(SAMBA_PASSDB_0.2.0)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamba3-util-samba4.so()(64bit)libsamba3-util-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsamdb-common-samba4.so()(64bit)libsamdb-common-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsecrets3-samba4.so()(64bit)libsecrets3-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsmbconf.so.0()(64bit)libsmbconf.so.0(SMBCONF_0.0.1)(64bit)libsmbd-shim-samba4.so()(64bit)libsmbd-shim-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsocket-blocking-samba4.so()(64bit)libsocket-blocking-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsys-rw-samba4.so()(64bit)libsys-rw-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.11.0)(64bit)libtevent.so.0(TEVENT_0.12.0)(64bit)libtevent.so.0(TEVENT_0.9.12)(64bit)libtevent.so.0(TEVENT_0.9.14)(64bit)libtevent.so.0(TEVENT_0.9.16)(64bit)libtevent.so.0(TEVENT_0.9.20)(64bit)libtevent.so.0(TEVENT_0.9.21)(64bit)libtevent.so.0(TEVENT_0.9.31)(64bit)libtevent.so.0(TEVENT_0.9.36)(64bit)libtevent.so.0(TEVENT_0.9.37)(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtrusts-util-samba4.so()(64bit)libtrusts-util-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libutil-tdb-samba4.so()(64bit)libutil-tdb-samba4.so(SAMBA_4.17.12_GIT.455.B299AC1E60150500.3.20.1SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libwbclient.so.0()(64bit)libwbclient.so.0(WBCLIENT_0.10)(64bit)libwbclient.so.0(WBCLIENT_0.13)(64bit)libwbclient.so.0(WBCLIENT_0.9)(64bit)pam-configrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-clientsamba-winbind-libssysuser-shadow4.17.12+git.455.b299ac1e60-150500.3.20.13.0.4-14.6.0-14.0-15.2-14.17.12+git.455.b299ac1e604.17.12+git.455.b299ac1e604.14.3ez@e[J@e6`@eSd@d.@dd-@d@dd@d6@d@d @cvcvc@c@c @c@cctc5cM@b@b@b@ba@bascabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Add new idmap_nss option 'use_upn' for those NSS modules able to handle UPNs or DOMAIN/user name format; (bsc#1215369); - Avoid unnecessary locking in idmap parent setup; (bsc#1215369);- Add "net offlinejoin composeodj" command; (bsc#1214076);- Update to samba 4.17.12 * Weird filename can cause assert to fail in openat_pathref_fsp_nosymlink(); (bso#15419); * reply_sesssetup_and_X() can dereference uninitialized tmp pointer; (bso#15420); * Missing return in reply_exit_done(); (bso#15430); * TREE_CONNECT without SETUP causes smbd to use uninitialized pointer; (bso#15432); * Improve GetNChanges to address some (but not all "Azure AD Connect") syncronisation tool looping during the initial user sync phase; (bso#15401); * Samba replication logs show (null) DN; (bso#15407); * Spotlight sometimes returns no results on latest macOS; (bso#15342); * Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted to remove the destination; (bso#15417); * Spotlight results return wrong date in result list; (bso#15427); * macOS mdfind returns only 50 results; (bso#15463); * 2-3min delays at reconnect with smb2_validate_sequence_number: bad message_id 2; (bso#15346); * samba-tool ntacl get segfault if aio_pthread appended; (bso#15441); * DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed; (bso#15446); * File doesn't show when user doesn't have permission if aio_pthread is loaded; (bso#15453); * net ads lookup (with unspecified realm) fails; (bso#15384); (bsc#1213826); * Regression DFS not working with widelinks = true; (bso#15435); (bsc#1213607); * ctdb_killtcp fails to work with --enable-pcap and libpcap 1.9.1; (bso#15451); * mdssvc: Do an early talloc_free() in _mdssvc_open(); (bso#15449); * Windows client join fails if a second container CN=System exists somewhere; (bso#9959); - Fix crossing automounter mount points; (bsc#1215212);- CVE-2023-4091: samba: Client can truncate file with read-only permissions; (bsc#1215904); (bso#15439). - CVE-2023-42669: samba: rpcecho, enabled and running in AD DC, allows blocking sleep on request; (bso#1215905); (bso#15474). - CVE-2023-42670: samba: The procedure number is out of range when starting Active Directory Users and Computers; (bsc#1215906); (bso#15473). - CVE-2023-3961: samba: Unsanitized client pipe name passed to local_np_connect(); (bsc#1215907); (bso#15422). - CVE-2023-4154: samba: dirsync allows SYSTEM access with only "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES; (bsc#1215908); (bso#15424).- Fix DFS not working with widelinks enabled; (bsc#1213607); (bso#15435);- Move libcluster-samba4.so from samba-libs to samba-client-libs; (bsc#1213940);- net ads lookup with unspecified realm fails; (bso#15384); (bsc#1213826);- secure channel faulty since Windows 10/11 update 07/2023; (bso#15418); (bsc#1213384).- CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174). - CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173). - CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172). - CVE-2023-34968: Spotlight server-side Share Path Disclosure; (bso#15388); (bsc#1213171). - CVE-2023-3347: Samba doesn't require SMB2+ signing if `server signing = mandatory` is set; (bso#15397); (bsc#1213170).- Update to 4.17.9 * Backport --pidl-developer fixes; (bso#15404). * smbd_scavenger crashes when service smbd is stopped; (bso#15275). * vfs_fruit might cause a failing open for delete; (bso#15378). * named crashes on DLZ zone update; (bso#14030). * winbind recurses into itself via rpcd_lsad; (bso#15361). * cli_list loops 100% CPU against pre-lanman2 servers; (bso#15382). * smbclient leaks fds with showacls; (bso#15391). * aes256 smb3 encryption algorithms are not allowed in smb3_sid_parse(); (bso#15374). * winbindd gets stuck on NT_STATUS_RPC_SEC_PKG_ERROR; (bso#15413). * smbget memory leak if failed to download files recursively; (bso#15403).- Update to 4.17.8 * log flood: smbd_calculate_access_mask_fsp: Access denied: message level should be lower; (bso#15302). * Floating point exception (FPE) via cli_pull_send at source3/libsmb/clireadwrite.c; (bso#15306). * test_tstream_more_tcp_user_timeout_spin fails intermittently on Rackspace GitLab runners; (bso#15328). * Reduce flapping of ridalloc test; (bso#15329). * large_ldap test is unreliable; (bso#15351). * New filename parser doesn't check veto files smb.conf parameter; (bso#15143). * mdssvc may crash when initializing; (bso#15354). * Large directory optimization broken for non-lcomp path elements; (bso#15313). * streams_depot fails to create streams; (bso#15357). * shadow_copy2 and streams_depot don't play well together; (bso#15358). * wbinfo -u fails on ad dc with >1000 users; (bso#15366). * winbindd idmap child contacts the domain controller without a need; (bso#15317). * idmap_autorid may fail to map sids of trusted domains for the first time; (bso#15318). * idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings; (bso#15319). * net ads search -P doesn't work against servers in other domains; (bso#15323). * DS ACEs might be inherited to unrelated object classes; (bso#15338). * Temporary smbXsrv_tcon_global.tdb can't be parsed; (bso#15353). * Setting veto files = /.*/ break listing directories; (bso#15360); (bsc#1212375). * CVE-2020-25720 [SECURITY] Create Child permission should not allow full write to all attributes (additional changes); (bso#14810). * dsgetdcname: assumes local system uses IPv4; (bso#15325).- Update to 4.17.7 * CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext; (bso#15315); (bsc#1209481). * CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users; (bso#15276); (bsc#1209483). * CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bso#15270); (bsc#1209485). * large_ldap test is inefficient; (bso#15332). * CVE-2020-25720 [SECURITY] Create Child permission should not allow full write to all attributes (additional changes); (bso#14810). - Update to 4.17.6 * streams_xattr is creating unexpected locks on folders; (bso#15314). * Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment; (bso#10635). * Spotlight doesn't work with latest macOS Ventura; (bso#15299). * New samba-dcerpc architecture does not scale gracefully; (bso#15310). * vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat; (bso#15307). * With clustering enabled samba-bgqd can core dump due to use after free; (bso#15293). * fd_load() function implicitly closes the fd where it should not; (bso#15311). - Update to 4.17.5 * smbc_getxattr() return value is incorrect; (bso#14808). * Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled correctly; (bso#15172). * synthetic_pathref AFP_AfpInfo failed errors; (bso#15210). * samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when there is only an AAAA record for the DC in DNS; (bso#15226). * smbd crashes if an FSCTL request is done on a stream handle; (bso#15236). * DFS links don't work anymore on Mac clients since 4.17; (bso#15277). * vfs_virusfilter segfault on access, directory edgecase (accessing NULL value); (bso#15283). * CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON (additional changes); (bso#15240). * %U for include directive doesn't work for share listing (netshareenum); (bso#15243). * Shares missing from netshareenum response in samba 4.17.4; (bso#15266). * ctdb: use-after-free in run_proc; (bso#15269). * irpc_destructor may crash during shutdown; (bso#15280). * auth3_generate_session_info_pac leaks wbcAuthUserInfo; (bso#15286). * smbclient segfaults with use after free on an optimized build; (bso#15268). * smbstatus leaking files in msg.sock and msg.lock; (bso#15282). * Leak in wbcCtxPingDc2; (bso#15164). * Access based share enum does not work in Samba 4.16+; (bso#15265). * Crash during share enumeration; (bso#15267). * rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer; (bso#15271). * Avoid relying on C89 features in a few places; (bso#15281).- Make (32bit) samba-libs conflict with old samba-ad-dc-libs package to satisfy installcheck.- Make samba-libs conflict with old samba-ad-dc-libs package to satisfy installcheck.- Remove non functioning ifup/ifdown samba-winbindd scripts; (bsc#1207414).- libdsdb-module-samba4 should be packaged as part of samba-libs and not samba-ad-dc-libs. Additionally no need for it to be removed conditionally.- Clean up logic for PAM migration settings in spec file.- Change with_dc default to 0 (for non TW builds), ADDC feature is deprecated and will no longer be included in >= SLE15-SP5; (jsc#PED-1122).- Update to 4.17.4 * CVE-2022-44640 Upstream Heimdal free of user-controlled pointer in FAST; (bsc#14929); * CVE-2021-20251 Bad password count not incremented atomically; (bsc#14611); * CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability; (bsc#15203); * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); * pam_winbind uses time_t and pointers assuming they are of the same size; (bso#15224); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories; (bso#15252); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * libnet: change_password() doesn't work with dcerpc_samr_ChangePasswordUser4(); (bso#15206); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); * Memory leak in snprintf replacement functions; (bso#15230); * RODC doesn't reset badPwdCount reliable via an RWDC (CVE-2021-20251 regression); (bso#15253); * Prevent EBADF errors with vfs_glusterfs; (bso#15198); * %U for include directive doesn't work for share listing (netshareenum); (bso#15243); * Stack smashing in net offlinejoin requestodj; (bso#15257); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); - Remove deprecated if-{down,up} scripts; (bsc#1206444); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exists- Introduce without-smb1-server spec flag; (bsc#1205104); - Update to 4.17.3 * CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit systems; (bsc#1205126); (bso#15203); - Replace obsolete python-gpgme with python-gpg * Upstream replaced it in v4.9.5 -- bso#13728 - Update to 4.17.2 * CVE-2022-3592 [SECURITY] samba: Wide links protection broken; (bso#15207); (bsc#1204499). * CVE-2022-3437 [SECURITY] samba: Buffer overflow in Heimdal unwrap_des3();(bso#15134); (bsc#1204254). - Update to 4.17.1 * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Flush on a named stream never completes; (bso#15182). * Permission denied calling SMBC_getatr when file not exists; (bso#15195). * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC; (bso#15189). * pytest: add file removal helpers for TestCaseInTempDir; (bso#15191). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC; (bso#15189). * Flush on a named stream never completes; (bso#15182). * vfs_gpfs silently garbles timestamps > year 2106; (bso#15151). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * multi-channel socket passing may hit a race if one of the involved processes already existed; (bso#15200). * memory leak on temporary of struct imessaging_post_state and struct tevent_immediate on struct imessaging_context (in rpcd_spoolss and maybe others); (bso#15201). * Since popt1.19 various use after free errors using result of poptGetArg are now exposed; (bso#15205); (boo#1204279). * Remove special case for O_CREAT in SMB_VFS_OPENAT from vfs_glusterfs; (bso#15192). * GETPWSID in memory cache grows indefinetly with each NTLM auth; (bso#15169). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). - Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689); - Fix use after free errors resulting from using return of poptGetArg exposed since popt-1.19; (boo#1204279); (bso#15205). - s3: smbd: Fix memory leak in smbd_server_connection_terminate_done(); (bso#15174). - Disable SMB1 for tumbleweed builds. - Update to 4.17.0 * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Cross-node multi-channel reconnects result in SMB2 Negotiate returning NT_STATUS_NOT_SUPPORTED; (bso#15159). * winbind at info level debug can coredump when processing wb_lookupusergroups; (bso#15160). * Make use of glfs_*at() API calls in vfs_glusterfs; (bso#15157). * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128). * `net usershare add` fails with flag works with --long but fails with -l; (bso#15145). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Performance regression on contended path based operations; (bso#15125). * Missing READ_LEASE break could cause data corruption; (bso#15148). * libsamba-errors uses a wrong version number; (bso#15141). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * New filename parser doesn't check veto files smb.conf parameter; (bso#15143). * 4.17.rc1 still uses symlink-race prone unix_convert(); (bso#15144). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Manpage for smbstatus json is missing; (bso#15147). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Performance regression on contended path based operations; (bso#15125). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Fix issues found by coverity in smbstatus json code; (bso#15140). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). - Migration to /usr/etc: Saving user changed configuration files in /etc and restoring them while an RPM update. - Update to 4.16.4 * CVE-2022-2031: Samba AD users can bypass certain restrictions associated with changing passwords; (bsc#1201495); (bso#15047); * CVE-2022-32744: Samba AD users can forge password change requests for any user; (bsc#1201493); (bso#15074); * CVE-2022-32745: Samba AD users can crash the server process with an LDAP add or modify request; (bsc#1201492); (bso#15008); * CVE-2022-32746: Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request; (bsc#1201490); (bso#15009); * CVE-2022-32742: Server memory information leak via SMB1; (bsc#1201496); (bso#15085); - Update to 4.16.3 * Using vfs_streams_xattr and deleting a file causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * Samba with new lorikeet-heimdal fails to build on gcc 12.1 in developer mode; (bso#15095); * Crash in streams_xattr because fsp->base_fsp->fsp_name is NULL; (bso#15105); * Crash in rpcd_classic - NULL pointer deference in mangle_is_mangled(); (bso#15118); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * Fix check for chown when processing NFSv4 ACL; (bso#15120); * The pcap background queue process should not be stopped; (bso#15082); * testparm: Fix typo in idmap rangesize check; (bso#15097); * net ads info returns LDAP server and LDAP server name as null; (bso#15106); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * CTDB child process logging does not work as expected; (bso#15090); - Update spec file to fix the optional Heimdal DC build - Fix external trusts with MIT Kerberos 1.20 - Add missing samba-client requirement to samba-winbind package; (bsc#1198255); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Add sysuser-shadow requirement for packages using systemd-sysusers - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979); - Moved logrotate files from user specific directory /etc/logrotate.d to vendor specific directory /usr/etc/logrotate.d. - Update to 4.16.2 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * Reintroduce netgroups support; (bso#15087); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Update from 4.15 to 4.16 breaks discovery of [homes] on standalone server from Win and IOS; (bso#15062); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient -E doesn't work as advertised; (bso#15075); * The samba background daemon doesn't refresh the printcap cache on startup; (bso#15081); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Fix samba4.blackbox.net_ads_dns_async test with bind9 >= 9.17.7 - Support building with MIT Kerberos 1.20 - Bronze bit and S4U support with MIT Kerberos 1.20 for Samba AD DC; (CVE-2020-17049); - Resource Based Constrained Delegation (RBCD) for Samba AD DC - Support building with gcc 12.1 - Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362); - Update to 4.16.1 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * Need to describe --builtin-libraries= better (compare with - -bundled-libraries); (bso#8731); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * Username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * KVNO off by 100000; (bso#14951); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * smbd doesn't handle UPNs for looking up names; (bso#15054); - Update update-apparmor-samba-profile script, replace non-printable delimiter with more human readable separator as sed can accept separators that can appear in the input data. - Fix update-apparmor-samba-profile script, sed doesn't like multibyte separators; (bsc#1198309). - Update to 4.16.0 * New samba-dcerpcd binary to provide DCERPC in the member server setup * Certificate Auto Enrollment * Ability to add ports to dns forwarder addresses in internal DNS backend * No longer using Linux mandatory locks for sharemodes * SMB1 protocol has been deprecated, particularly older dialects * SMB1 protocol SMBCopy command removed * SMB1 server-side wildcard expansion removed - Add python3-dnspython to samba-ad-dc recommens; (bsc#1187101); - Use systemd-sysusers to create system users; (bsc#1182847);- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh/bin/sh/bin/sh/bin/shsamba-gplv3-winbindh02-armsrv3 1704181770 4.17.12+git.455.b299ac1e60-150500.3.20.14.17.12+git.455.b299ac1e60-150500.3.20.14.17.12+git.455.b299ac1e60-150500.3.20.14.17.12+git.455.b299ac1e60 samba-winbindpam_winbind.confntlm_authwbinfowinbind.servicesamba-winbind.confrcwinbindwinbinddsysconfig.samba-winbindntlm_auth.1.gzwbinfo.1.gzwinbindd.8.gzwinbind.xmlkrb5rcachewinbindd_privileged/etc/logrotate.d//etc/security//usr/bin//usr/lib/systemd/system//usr/lib/sysusers.d//usr/sbin//usr/share/fillup-templates//usr/share/man/man1//usr/share/man/man8//usr/share/omc/svcinfo.d//var/cache//var/lib/samba/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:31987/SUSE_SLE-15-SP5_Update/5d6206584aa08ed2ed19252942a3645f-samba.SUSE_SLE-15-SP5_Updatecpioxz5aarch64-suse-linuxASCII textELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=8aa252ee0ed5e2cf61cfac40eb9e25283e621cbc, for GNU/Linux 3.7.0, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=8215cc28da1060bc0f5ad4d5d375419df490abbc, for GNU/Linux 3.7.0, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=9e8009d67be57f92b177e91bdfd34f9f895c8f82, for GNU/Linux 3.7.0, strippedUTF-8 Unicode texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)XML 1.0 document, ASCII textdirectory0JK0RkR R2RQRURR.R[RgRRRYRRaR5RyRmR]RWRR0RuRReR4RjRRR/RTRfR`RZRlRxRdRRVR\RRXR-RtR1RzRPRRR RRQRURSR.RRYReRuRRRRRRRdRRTR-RXRtRPRRRRPR R,R RRRsRQRR[RoR7RRcR RURaRRERiRWR_R3R2RIRYRwR;R]R RyRR0R?RGROR*R5R"RRqRgRuR$R.RARR~RRR}R|RRRRR{RkR(R9RR&RMRLRKRmRR=RSReRRCRJR R#R R^RNRTRDRRjRRZR:RpRBR'R)R6RxR%RdRFRbRRRfR+RVRRlRHR`RR\R!RrRR@RRRhRnRvRtRRR8RRzRPR1RRmCTCUJfx /usr/sbin/nscdcronlogrotatesamba-gpupdate4.17.12+git.455.b299ac1e60utf-81ef6a3e60b5b9ef501371dee909323398d97e5fb6d9b26342a443e779fced0b9?@7zXZ !t/] crv(vX0}++A^FLv{ ,"k@LBZɌr50=%5Scz3O0Hp.[IlLR?yrHZ=Xn9lz2 uG%')m'ߘ1:)|D [" !Xj]jƥ$N|q.H݊j~oY9y<9&QmrX8.Z%Lu&^Ƭ>檳lȘLG\;JbU^*V&Hx?܆ab-1. t<;ֳcԘJD7~-r₫q,*?$bl".~cܚ->wneBQmYBuP^[$}Bd2 da"|*(Fiȁ$|MBueH4V^ k= iDmo~J&HyJ_`ߦ⛥w1xn$vq~LY@bzVn/d+_Wr1hR.9Yg 9rʔ4a9hbWk؝ř(tW|Iu:5 T/^XI>*gC _?3OArhE J(CJ<|ްubJj"+ wx6"vd)n!+yIqXh?܎"22Z?Ll}]%wl=@>|ڂ$%ݗ|? D ٳ`$&cP7>u**U(tzYv&0@{2Gt&Qp nS*B?z%OPmhbn"ӧnJ Z$:L5W%3/4G7Nf6Yq_ ]w<{):$K=~~H2c2&qH's(L딳i?kH0r/iДea^ wN6[FqAV2 *p4SX- 2_XzD0TD9A,KRg{:mI]0 ߤDQX ԫ`|M4%/ 9ENeKlғgnMTm;~`݆ҿ& <(aʡ\X"8jѡõ+;5$\Zgd.m 4RGxKwRSz{=EonN)˂uQyU8̺M3CWe<= @RO NLau` D<ۺ|X&{?ho]Rkdso7%'+UN1ZPQYƶGrP@+T)הu[Fmt0#.I}t.b5^9B2dUL$#B,BJGO!Z.z^Z{d=6vZ Dxc0Oܨ}ygר|پ ۓofpؕӫi{7^ DyeS#Lt*JO ,DwYTر`ܥ."W@W!O[S~W"!*BQzE;T N8ĊrE͝5.AL`fxQŤZ:Ћd@J>黎 M MS%yeòe2-('QoBTCRaGU_^h5PN_ /I<*e`UgAG`4.a `OyBGkdݏ:&&@Z}Y zaMsUe:oz3`&S QeR@Jmk1W1b}-S'˻ 65R?HGlxVE9WɈb!XRr Z^bRpKΞ[A%ߡd81[*\)&"nwF +Z׿ F/u5GsJFXENZ'p OYy*24S~r5Wt$&w< Ұᧇ]L$,4$xrJB/(L X#b%Gh~)^u.c +&͗^kHT6"4߰P=xAԩ tȎwwؘMɿBE] ,37!ew9(e`m6Yʏ?[ 6=#ϩ`҇sNl'r,@tCheL{\W %x4Fp3ӆƒ};#]BkPsgpQfmJEIxո~ P"- ]V~ؾ 5(P3/z$faǮKS~BX,^0//o3P.pHO .ȃWu =ou53H1ް:ػzYX)r,EJ/TBNo4)T3L,ok$$53J/!Ro䉑{ 5+ak*KircЮOb#i@1&vy-·.:Jj*,ς\fX[oZ.jd$ FN?>r!H;#^e眆PJ9k֮GPDD9䭪SJ>r0Jt캾6=a|- ?Cz='ާ36 i4](^s_,U$xAC ~'>S 貈%8m{Qhja}j7-늁y~ij|UzO[/mHŔQ{( 2$]IMW/2Ϳ3 9'kL LpI{EnP#Ȩ1@a+X-9D+Bx1\l/'ͬt+㗆ʞPxђj1dk)n%c[Qι)Yk~_r$/d~i =8M]Lӹ#EJJgl[gU,E~7dQ/4YEآlY9îA%N!YP:ЁR-[ -mz_EWtSt0ʘ!"DQ!^l~ڞ5o+ 3 4alf;cxv¨g`Be:fھ-JJ.)t#I EY$T''f{kJؼ]e-)DDzA]峼֞cx Ejv|M/ $Mh812&1tYF>rPd'NFSPa8| _y[:C.c:s,\X%" [o;{;s0s)2fS3mZ_9z 1OiKTVܢ_U[)oϷK۫8s, B-̼kKJ,j˂#[XyF~H1M[KMS.cZ& TFW#Hȅ#G6 xiM'y4ۂE|jvS1 QwS1 L.U }[UQSV&"Y83 A_eA 8צo0$ƔNL a(Oȹhk'CZ9iy ^;|*oXQP'!n檃Qxn 2i6!Ė'Gρ$%9{359pJ*7yƹ;` y5r6Yx9azuܾ8`^纝DZ:j=rbς8X5I"+XGt1^Y"/4i9`2&ºOlfwn0_KWCIB a>}9w&@8>qeX ŽЖ㶒BZ%y͈'l\j˅GaO"[ڑhmpDNIP:usz٩;-݌Ez؊"3&/W,XBUb|Φv([dޝ7sݾ^NaIȋzJO  # GUéJXTjV=!B], .F`K\bRy~PztGg4vÄNbgo:(0.|9gWY"0 o9E6O TZ%!s ֎/DlEu'=APK`Z]o>\NrY޽ƨu笷^]ITϝ/fӞ)e@8qJUQLߍʶ̜WU<B"ZF|wJ0 c% *B.+)auTCLV]fğq@>7ewk z\+ Yl{$gK] 0KQuTRZ>Il#3rju'ܢ;fWWvbJLШHb4'9pxLu믑Oo";0u>:d$rIKmt;xUB,43EʔdlIx]+6xy)HCD&iH cu?qOPҤjM]-)#S?@\na+%f:piPK()J7gxɘώ?|@,f<cdqxg3 ޣ AdՈ*e[^e07G$5m@D*h:r^Q7FScAo+h!?Q,9t#nBbi[&/):,Ξi5KQ}|`0-ׯt sZ( #=RV+ !:jeTl7HCQ9Jvn/d0*Uiw7a@dMlSmE$$5pu`>=x/Ǻ.^xWݹg2wzMYtn* X| j0iru!4);tn}\rv*:/[@cM|L3N+ s*E})t| q٭@OS'/g-ُpc6fo_p<;ʌZo&Z~Cߟ%4@al&))tk'eS5狕a@V96`=pWdMqCfKP_>NhNS{2N;nԍyt41mw@#Mc;U ; BG ͼUpBp{v%7s8@](rղfHv^%)I&k^w;0/mfA&TE߭m#n~8a#@L"G`RW\D*: .=2kr0NLB+hgѮQB^y˧"*:r4B`|[^ .Bd{Ov-BZ6oϦye5hTc*ܬpѕ'hm9:=kki(; f_iN|w+"g ,~%R 5<ա3-Df`9F|n20mu Ш-;AloztI>f=ä+#+ުؿ.&l0%]!"l\_Gqghz[qFdhT8Z =٦Mj)ӫ=xm5(Jc(TcߵRYPm#t)/DhՂTҤMd[slSL /Z,l_ Gbmu.4,DwMxPiYBN&:;P$;eܬ+LAġv{41jyRĺ,ю6=rsCE1,A8"*pW}Jߝ,gLW)KBUo(8fg·J ڹdExb[5$WH!X s|Aۨy׸ Nb[|l;hs= ݭ |L ^Kd97R'%api3d+'r9DL6;VR瑕b>:fQ)f_HIZt8LֿE퇽hLOkS_)F_oV }2͢aw̚U#]C7eC䠑GwA阖-ܒ{TۡFrTm=Jy=뢘Oͽ˿tJgB )J)KZgÅ[ ,qN40S$N=OSu@8('q~w9KQӜң ZxtS: ӅW3?؀ԣ Du^\o9Pr`AvΡ~Zq2z8WǘZK|x0QZdDѡ,A 06zT十`X,=~b2U z4KRL4yf;HSqtiB.$Grד| ɃKv~m>&=)؇U( ZZ;{TCd;.ϻg(+[U_/$" v (xUT elpIpLȎ\dYqN` 5CQD;#o?D+>rV'*ߠ9<2OeT@* Ě92ڃ5imCWb&8(;/pYC%,H 3 MUz)*Q1Lu҂]F} n{I;0N:wJ2ɷE N>?ÍGF&w<d45xy?!\“(C&._A \Wq0I5,ob|ܔ߂9?g6/HnZzNr68u~&^dȞqU ʢbso@Yզvm-hBNoDjm`y ʐtODbHB@0 ߜ+MRmjn^ne(]ȧ!kYT+nF&HEŠiVt@JLYXTꈝZk|ʑ$suQLr+ 6t^ sX3~G X+V%3 u=(vyVY3GPqIORxéw^۪BDawzhpԟs˝,uFeY]̔@`1|OJFTf2p_OH>2S.@"I@yHght} 3":hVt)g\,WQ}D~D"^eѸRxIrTuKT55@xM7nJKr[9eCb=o>!A@X Hn}>x<찉3g+kɸoMYׄJJH*\T)JE3!N*tBҟ\۠6pH7Dy'}V]fቯRV{%7Zjdqy%csml奫9{#,zUw6/Ҡa5P},XrFwҙb-  ?}WИl?6Ó`&K\ݫƲuih*PU_̥6C3ݕdnBzjx:6 K\9B2=ywB3 jlR@$`nenǼ)y`i, 3ΰAqa\P|+bR\Mn>϶ş3gLذ> asyͷѷiV^$jF+c#|֭0+@kE$#=8'8 `B ^OPbˣ3jMWxG.9#|X1vR_FyKrb5V< }IS/RŧdR҆ƫZwَqfG'Є.Ta/;λR6٫_(%;7`zOgEM=UMr"Yhg3}&=LZ+twr#lgVx<4jn9S%ͭ`Ǹ\b}l43%7Y?rN=QaG&]Ա4;KuX}? ۾޾%bZ")F^֤4xWs&2HlIZl9ŵ}cK5_DT`Wޓ/#meòyj}e7h)㍁І"Aiew! r1ʹࢉir'փfjT>^oW;,eDHd@f_=ln!/USkj%* *(3JFf-@6S>rYP=4L?g%_NVFR3fh2ɟ$*_bճa4 ݪ+Ny/|n rY6#ef;EfJޑBTg];z-c 0 rӐ~%;,nrBgdRt4yZΛ`F6 FO0hWrp1MwΖ ȑJarceڵd2/=(P=l2dNjY=p@~=XSީsb [M6,K,w%"6v=h8Q(p(Q^؀7 I•Cl"58A{\3m9ûpnpX?O]YHǞ9w9?PU艔hSU~W\L1EœuΥYP"YWfX}˽Jяv+ZU%OJ.%|(xS+? 9d_AJ\+yC FQBCcړZNs@? *IUNj,oۈ魷]i,^y)nvji^`zZऒ1+>4ɲJR@]1F; C A)a"2)0_|ěL9 x!^T _7@(vNSHVtb\>3q䬯|6Y1EG[*GdᥟK;PXW&fW8KSLś F e 2r5 ]MFeK]S8q5/$> OMF`9F{+Ӏ\=`;SOVlфF$Ԩ0XeD Zد5G+C'IW=x7O_j _wgMTw!J);,׫5cectA,fQdaAmkYe#ߴOPY/ N4OBߚhUҕp{g)ʎ8fƠ-|X_YddFN+\Eg^ڈh~͋+\/QZneDGi>2BUW-JNhğp 7-8S2Oƶ' MjG%"D'/g!Z2n'=\𮭘< `wgHcD4$jF'r/;0s#"=WDM( wB1+;{J?%$OLX_Tyc>1[PU8 2u2l'Rϵ] %?(D}sU"j)3+`!..T?-r 58GڙYnO߻a|dev&rh[MCJMvӖ5HƹbUޢq?$GEσQQHg%Cɢ $"|/W`+pK& $:}敦M|}w*DTr7}Of^mȑ=y_ ;]\:6i " QbT\R:Uj*P 'vD\ u!#t .j2>=/EMG|\ rrF:Q7}JeM(J,AӉ+Ph4bh[`3AwnȁiJ4:GsS[ $Ց1<댓Uv*\q)"< oVɽtF`E 2ːEA,m a 8CmMQ#p_VSmoM'TԗRV:W̫bCIKX2ea@:@8XEbȲt g|ka/+x]Q/!ée뫌3 Xȹ~.'/P~z6U2wmXT4=,Fq<m=7өs bzODŽVD0pM wĤ!K "Y ߺu.zo2{:OlB{~h5egݪJhֿJ~0 0˗(P]])x_ Z ޶RC[~7{!٪ie-_Z4ڋmg1.q%*0~&.o L~N<}3Ų( '0Op]BtO/Y7mɳq'' yz-x 7C:.hڍ Wi;0y*BB]ٴjA_:l_Pem J\G13?ͣ'ɞ'F؀? kxH?xƛA ?__Br@8J45} ۹[uO|>TY#܂uU?$Fff eoˆMR)m[SXo䐯s,^}'v 3 o>FgImo5e}Ꝩdoq,kGEoJ2ſ ףl. 4/5J dqE>jvU9z6!R94xil~vѹ#oT-$u8H{(p{`(vݬbrm86j #M5cPyD˫ K$Ci|I8,JdzSI%MS%q%g4h$ˑH(QG{%#K:'Ea8)~[_'c;Wrd,b<]>/gP51q){ LVIin T#Fib9]uÍIp0 4iG&lKg ~ܯ[=;6mCX b CjiO^z B!wjZZ\Ne2Uzr&K+Eu oY2G GIoExFM5p$RX `)%ٕp];Z|? z-:v D{d w.kjf|AkZ٠g$* 7X$A]>{ҋ^g[FڶWӵ' ҞZT~`N&y3Bڏog&VeNɵdex4 ɀE ‡Vw` .͞_/W9t6yIXN=|GeXDXOݗUڏU@u{y h@So8SxJlM k\\R̾g|['Y:ȽB^+ڡ 4wqodڀmց8K'fhNI]v}vFױ>s{b-Y7e]ï{*}?=)T /~iqqOS"m>2./ⳡ(Q喋9|g 0׍3ߚA0cOY0uF@rgА4 k`j~[pdd @za&FgpBӐ. ݡaD~X7??INJ<7ڿHB՘>Kj &^,P ?Emҧpkd(=E)BY?Wmy*c܌9'@.]wq"z5(>Eܧ)*b?]v/cz:IK퀇>lb#:D/]ɪ cm)'I8A /ot0o0bZ L˵I{-^4ҽ+:i=Q4p*4xѳ gkx[^F#gzpLFvz-r/EcXf9 DijX'W10.x6z[Bb1YL{UzȦs5lO] =-5>Dӫs?dӞNS[.o' _eq-nB t'?ޞ |~QFLlMMy6ل(nD,ERrY}<-X8v|dՈ}WڻVPDZ@[}}]f3S7W !ZbʷPU5`R_RF-.Om~D5 ?5pן0 #2BJ7_#K !P`a ڎE@ QwE͐&~#Kz,a >{JjiFF0kzr>%SrF9L(A9ejիN|^Q o ^=| ( (p5' ކ~Ӱ! y'-'<-X>l?ԩа8FVL?Sk0#O vi_l{a4ZxyYGLJy܈ފO2F2:vJfc裣Wӄ~v74նsC!ZO?hll)ju*ii˺atGer:$;ǽpB/"i3 Y(/w`vKj#fS^ΜjveoM%;{5R^zi>lʸ9ZYx\y>Ud]t`29G:7 Q<$=D+(z 4+p?Bf|n4yU>F)vrBnҕ%{4s'y~\3[D D9}U)zqa!=tBh&ϾX 1,9#Cfl06"@:ք9h*R̅H%aS)u,L w 5jt"ɝďDk&@bM"Bw<6k9z1` $鑣W8=|]@0DΪ']R ]* 1wD3yf6$,g7T#ߙ4U )jDz3;5H5aѺ2DɽՕEE50 ĺx>vą X+faံ(cGlso&G&I4绶H$>O P f5T|Pr'm(O /LJ|Ogrp4ż ݧo+,ա1 %O^Ix'DE~e+kĨf5 ߧM/ΞwNMR򢀞: ٷhT0#d5cI'grmxd j$1 @.<}ΛoѢMHEΈO+D]7T{4!ƿ-yf#JI@s2(m[((W#a̖) < ISUiy9#CwHA~C )rrSx v",3/4sj,=װP0:XBDX@$SµMA!(0rѺUC-PNJF_d"/ }fW1Z:ۤ͂ r|1S 34PtY;ACʋ_ T 0>]:R9 *0˲$267xYÇhn>bu}) sA :dC"!6,gj6wʇø\4gOw޾}Xx̨y}@5<+:_j~F:^aس8o +A}Z06>PBUl/"X:ISTL+b(3 ued[ ]QaD UA,)ص30Jt)\=c{:LJEc5fkuА '-;1B {QўJdIpMIEXJ'Du_ohØzS\?K,Ӄ3 (^-x]PՑ\/<(y5w}̅n0T '>)WXS9N!D)ƭ.">H߰f@+1]7f' XVt,!uR) S%%ag]FCsIE`}0gZ+85by84>zޖVH>7rņX]G]T;mYJiCa2D6eo-.-$X땜-qwcF^dIوLbիWvB"y8 jahM(H|sIe%=/jHPa%M[8~3US45UjO ->Z] h=_{ +Մ/(cYp_80~>S6*Ч\lא$ pXA\\=Sb<CԚ`2ѽoM{'МVz=g1=~#ІSc~nl :Zf[,A-3;jn뗸?e::X|ᔌ`r-l>8.NP  uAWɠL\?iFxũGwE.z^1bs{l؁y5?Gz߿̢*D5"(5 q7h (wS12.I(SdZtxE"1O8i=\r*|AFWp6u [GҫS]t *.|^ҹOώ[\u*LHP?mo5g}z]Pmq9æXfo" P/S\ha'3,>9$I[&30m;s^nY~Yjs2au@ܱD9Fa鎓ԅ<[ҖР9[ďY96ʰ\ڻ+3`/FEݔֵYLJ=Sm>WvR?T@dL4-zl_Eb\7\Vʄ;VʾgQ #gA N3|m.}:xݙ $EXs̞vRӌ(v7~ o_4lPե- Զ6(ud@qXdefWQ>jIoݲS1m,;m&U|+>qڞ+*+^j7sSV^$[]lcp t3{d>/`QPp;iQ9 0%u+W 4-s#vi*N;E{}@ ͛e_({|)]Cm \yQռ"i[bpM)sƹs~<8 -&|7JBBw0WI怋nbkP[mx0 w ;zpXpV*Yn}eߔ#جXjBbrrJunm0xSa* dI$e HP; ,a/v @'H&UB~a"9seҰ[HHCKlr'!F˞XPt?!5ܕSLq_]h`Jϟ=AXِwG46Ō$4 LUa9POhbJ1E9bģ.R9ՙgd,ʡ+Xq)y T HBunh"q\ 2Oƫ֒=z@(+8|~AL0{+kXHsT^e5֛kHϾud~pUHGhfHљ8(E6pի:,cLHCi _ո9z$(ڬ$[}t#~)ʹzˌ*{c -K2d;׬wE+; ZdXIhDق,]aU*O1ļyLO\b WaAUmL˜d0֒Vw`AQ깪aŨf^(}2 &^a3/ׄLVvp+fs+aq-t~TQ>uӀ5~wyEd/ * n#|`C4lO+ ^!]k>f"Ok 3+ 9oj>tl)<]gtz)gH`vI=7 U# mG":׮7HtTbץ[5sUPiK7l`y䁋`jOa]W3v;'Sw:FÍ=]vՠqfgB%ֽwMW6oi}UZWnP-ψ^=.{B0`t=sވ$F4`3AH]0s spJ0&b%AoQЭzSylU_ <<YCպFpZ9w)ͬiy>I>*{\{8YsdS7~JQZ 2{ f sgʩ,ᩜ\Ua*n#{8~}|Rab!?dIL}17)5 k]h1LkұJ0# %"-4W~Aw|H j IH@Ƥg|dHt=-h?L/1Ï@ɹӆ8l;s(L!JONʤa*i%Wmzb7(۹V};=_W_o/sO T4)d/& :EgoOXMj&gZM妱/:ƄQpnn8o{YRZlp:DNrOe6QD)dVP$8<:Ȧ5/ZȄR3]H@+'ZnBf&PbǞH,d#, -8w=hMj3 @OXE (잖iwRƨOW]=lB.-O'=#8ypQXe7H-'OEOlMқ/pqZl ӌȝe_+Ɨ$\ihl2i>Bt/YBuϊZ*ktQM&)Up=_,N܎}|T1U+: SK)Ŕ0ea ]<':F ;=JtKӏ-i$6ju2K \sU0V3-Z$1/֝m&nf dNɞͬ>%L%-ʫ_CA'B9gf=4WaiX[sQBC3pg0^'/OIta(dVrFR1B4Ə)@Y]x˃mtaZ%%xmP29 lloh l~v6+HkrĻ(QVj"A]A&7*ex*.H3ua {2.5GĵP(%{g ofHյt;7LzLK096.jҌ1VT2xRi(=tV .XוHTa bv (1$Qf0c]4]e@Ix%]P:zֺ 2~JWR|0GqH#7Co0ۅoY;{s*7njr#GX*Y5vQ(,R) L{LOCs9^8U)"AB'Z+Z鼪<{8c7RAR#\ao#yƮdRz*1 iuE0"U$Z{A\PyM9 @aipXnMPvұIGN)F*Aul#D}hg܎6صu!վ`N%c5LZsf?&PS5 Pkj_3{O#dsq0d %Z/ypVOH9T`kW\Ja\o4<\%tA{"lֳѧwO&P>,m[E=$ MʿpΈҗ,^W̢rD?5wH6%i!nhp9Fѕ~zOyq j+۳| O 3'c>վ`H{-qWvg?[ \1Q/j.]ߝJOnBs],$\a] ,ZPEQd-$ A|M9^M^ 8VܭFNݟZLc-m\Ud =*J  Hbllk5yVȘC*޸&ýL{Ie ]؀]A_އR2$#3Yg'Tsv/}/C$]DC˻LtvnCeex޻'%"B ^˴Ij@0ͼP*Oݖ^٫ubGYJ#ٮv(!9Měexf.ubfwZ8@@@ejwZE>ሣ7sULil? g^:%%ldjgIfK v0,R9$+}7r6Ax䦝 ư3h A#oҋp'/^=#Wk?z^ ))\Pzϡ뾤]8b}g-+sX`hn$dR4Uhg%+!;^rC ṇ(+EwU\dcZ+Zu)v | ;jhDR*r=j߬4!C;4\L` R9g 13VFPG咔d旔DxuIԐHFA:/`A?49 6I? LKqWTkX,csVyjh<=vKuT1XY {1tdf%( x.Vy2ٽ.vࠃvYirӚ쀫$ow*c&[۶fʾ<|Y0r Bש;f G_PbU2\bUhB zD4ŎCL(|:/hC5C9χcDn9ƇZРw +@[;.PHw}ä:q/n:  *lNE s 1ÅgЩ㇍+ۿΪgɝא̨.]聕8S>q%c(|rgg+l (D0AӬ(!u1TZVaj7ǶT 5k٧n-qِ`ʳ䌰^) <] v;:|>!>X \^b[DY |.I ㉁jEl#PO *ƙߺS~`f3P_ YMbAa k2'6p\3:a #>>Nn{ݼ'K{IuSjR\WEY>s±i^%,UU/MW[V"h"U+0tVW"%y - \*҃򦖒a#.'n9kHEOz.^7D(I7ǑpM; (TECSlLYzePfZ[" ͚€x0vbw1L #cy뵠XWv0sk$VgfLTV[K'KB7*3޼~FZJL 8 'VPҮ 0[.!h"Cvt >pMeGŠiz³UBzcG7N=oE.UHE?:v+G:Iw>{Sply $1,4ji\Ym\Ѝ_ά-dE}1ԠͰ.uyv*-@%wg;mŰ UV ߺ,Sͨ/zZJK_1TmxEE\ Zrr̄|AG\4h^ϴrh^Sr5n,0ia$bR4C>5]l;ȒYaMZ܆oDQJ&/7|kgeR3e9Հ!cK? ĔA'}g WԤ#`nvڱtP9LZbIyKvA=CѣÐMʇw?ͯ& vm) .aT=O~!Yw\gd8r+MV=,BP)[6kr LEH&_/u__yĂ85 ™ZfMmH9K P"562،O{Fh@AI Q=3C<),mJ"\'Y {3BŌ&P \-"*H$<#=%18 @^n9[m@sJ:--jK iArp1Ҿ:)*iLGۦPѽy8ӮSUrɓY!8~Dt,u8] `l1&84?HA*li ~Bg?!ٺsL2x2 +&JP(ԈA1)>MJxh<30p[C}t{صz. 5tԒ;+"$YVV~ht| 9Hs}Xô~X yXH(7Kk \myP"s\G Ɛ0(҉Θ!YvWt%0-Er!9˔/ZH}ǃZWӏ8-#2i׶*(EyD&Kc}ma tKLPGNw'2TjKL,d}j?%1fN_D/fjƚ;{(bO$kn 3^rIcݹ6ȟ'K.MHechypieUqpX ٝpFl9xD]_M%B,!;LO0'hlػ?JҗCjb힍P xu!Ʀ_PӇ4`eۑ]}?Pj0]3\IpY:&c^ŃL!k(^RΒy9l~87Xfm*!"3Q4|V>JLEz uQLtU ʗxۭl6ըUSВkB 5LMR.֍g;߫}-"GyJ-C_Jĩ<1V q؃Wlm 8#IxS1rJ,/ }VŚ"dܝ䵱Wj=l<%ʅd^ <+/xܘ3;quWa9 w+_SUy^$.-5"uQeڌA2^df--cT]G][򷐂p*&b|k /[*Y|iKnТ$ sAZ&&/M9zߓ}SʊEvxE2;,u ε.F6:Iޒ^9vΟL˄?TvҼRۿ%x0N' ht^R^ Xts [ikx9r ԗY o0=B(USzIII7np`KH)!Qe7j7Fi36mZ`۾q 52Za#uSC~v4ڛbHք'bC#?ΫU_ղgr5QC$<{ÈV4tz%F@`5yc(xHwv5_p[Cʆ3]@ d(|z H/̎ݕӝMJm(pR J%nQ{Պ#O|+_!Kycŏb,byzsUn Q>2 o y;SbQmfm?nFJeL.ֻ .[| "Weʉ |4 T50-Shd˗F~QLeNX$OAeymjt.\8ij_>:^e0 VК:lpM;y@95PHx4؄q}0XLu !:jӬ8js( ox|wT!/8n\wHKaμzxJ;H5  +'M&,5pO -`rc"*w}D5ߦKov#dG]ҋ/N{Sv>]o7!9vؽ>+ɥɕ1^/&E ܭMU8hY1B1Z궧]tRkp+N?ܘO~e-YTSMfrt_ uDu'^!MF9y7탂fl!U >2CqWAaZF'@`Aq<{_=3Zj;bK6}M[a2m`gpmiDe*-Hd(5)Y LvX=$->oWwALM.,U^\~ҭf )Jwzy->k|h* - Η7cC6б;M*/ZN_%d_6':Iw䌎Y"V2*g<=$"rHPDzx,T 3VAdu~E$~_o3GuO 6 j )]:  Lܵ3SISB$bMh$p>X'[6JeWSKƉE"Nf\pyn/$GTJ`s&1 :IX*j*j#Z3OA4uQb )}uT`7?Bqcn/VP aK_Ƙ XjTm j=INK*d,/`f;WHƁ/dZo(kv[Hptԥt+QD@JNֈl}h UvpǭYY}k>0 `&Uv!zy)ќJ$@gB(XLG`r I?Mq׭*M|D6"$!m,:'0EMiU-;iPDQX2BQvUAhHɳ^uRGC/Jk5/9k ~#^L;c4+H:m&QzʽoÚGorbqD uQyh3dfБg?Jn =}.H6)ٞVhCo5!ܐ>X$C:2y7N`-_E73H+28ڨR:NiEoPGDԖ,4OP *uȶ)sz6_l(&a":DVV $LdA /ޡΩ$F<+?``_(!IȱT|x0Zf6Ϡĸ``OJ@YW)EӃUDjudzv<2D sH.:7Se)q@AzispDúWjnҥM#d_/Eѯ=z$byQRaED{dȼ$+7؋+j 9N૳h!?G@:I8Y\Qt$ Ri)j)zU꣣e}.xCn6B*F)ZhK^.vL 󍨊8j*a|Jv.3E! QIH>; RP0kݔia"?&4d m^>e2PGyQ.{f4{4ijwl`Q},uD $DBl#%*ѧ+}')G@zn"C «s\ NȪu|-6ι8FoE_5-~O}L58hvEo>+>HRA^n;ϔ @9U\dGx[AN {@,:WWiqKZBW $SƊMTGcfhKix.=/H,|FFǧJ Sk e'W~fqp_<`옵!&;Ђ(~cU,I03hKOӖ%?bX9c /*IN[=Tb:ǵM3dPDav5s4J:o5jpn 7Ӹ9{Ohh=n1 ",Uܖpԉe]H^.EnK1$`FP-nt#X#SHK Bro;~ RPqW] lP4&|cc~5AR[S>~HS(3鮢;_[;9!j_;.yLe]8g'Qʸӝ$w:ߦ! eY-AHZV$b_ʖ?u2f"w>H'$D qfH@pm}wB7Blhwr'lPHh+עǨAda-ҩ^cI䯮d|Mryxo B11 ՜ GV9.H454Lj)__yڠJfLF:^2>Ubu2."vOkd3"I7JL$x-::$ғ4Vѱl"γ^(HxҬ[<OIb 2ڙzˬr rKc Yg…,WDM4!B({Y:@}&=z 36 jO6`a{mNp4i=_`ay*)e!_JxC㛮ri8t.:IQP^Ml٬ qdR?rbpz_oʋuT/%~9XCF5D캰tMl RD1ATV6}?L˖,56g2~e}:\b,[O ]'UT$tF\~& vXJL^_{Ú7s<8X/*&;%0.ܛVk({.I urY|Z7ɭ * nN^]YɞHB=XP%IWZE>cyl =No#BcŴw(:^zr'>d,hO$BW?m| O+A=;Y x O,,%  S~saHv cdbie:Bd/za'\1_/_w1hSAՍYDqʺ@ Gh@T؊^gO AG\6ӄ^3Ghz y@xޝVSe/T.y2b}'ؠn|c"<:={JH ^T32<_|tMT UX%4N彴¶I#U{"<$bFͫR7_9=Qkd bep^." O =| *yɯNĴl [rzbPX_U  fBtHGam.^)-<賈$ջЙʂIǼ jz j]|Q ny} 躯gٹȫ#.̹>#׭)#Diâq|"=2ͬ" @!&{$AS/UO51on/fh?g`e@, ˃WWo?XMI[?Ԁ1Js[d3 siހRuvFSghF=":XlM&ͨ[K$t—A+)|ȋr7\}Y=T&Q)( Wu*}-GS=Z1oXǣ6 Q uχUq&58&k[log"g"XE-h2@ߣ1|ѳd"g}Zg +Y%>eڷt!9")vSAdV'eCo32PjdWP!ɵ6'[:P|rkl\sխ/cs8TKbFaS&o!rޚNc3G}~ HTܹOKi֔#ۢ*(̭b 8>gy]m$,:ab7*6RKg&{g#~ 4'#3xHp97[g_kE( %.Ui*zr'8ǹCdRbFO sC܀fgzgtxDjEe&~/&_]3jh6z"OBEz €ݔ>!N)1d rPšE0r)ЉСjm Bit-.^O\7@đ5^˄ !Ac^Ct4^{0_f\r] UYN_!fÕlΟ++?JkUyBH4lm%OX-*ɧ suWKnԃ5 k6Q݃uؘo2'uS#͋}^6(;2t@6gs{_b&\~Զ}˂DS]~~csz#ct)I_Yֈ I޶cKt꫹cnSdK2#O1U&Y&)UQ06M%"Y˞%$cHJpeUhyݗb}W7"+uJvХ1LJW30ccYOfwx(b@RVMR5`H*jxNi0w#$ͰZB~)ae A\_(.uupJd¦55#[7/h0}GJp1ʋa;ְ284 03bR>Y},?T4uYQKO27__zI|s)]T%p$5] @ 1v2Mo{HTj XsxL`9>ot5[O>}u%{KMMNEFMoʺyC22qT/luSwWJ$ʒ | n3r1 qmߝU2,Rʠ?i7bS[$  m]2M(Xd{ |Ȝd]NȪe5b j'H)c2XVLku&h<6f76=*<3 lΰUYfm7^[UެT kž2}If&)YXQOpA ?ct##c:l 2̊?R!0'(@.Eס)f/sqEۤ--U_*c+&5Ь pFczOM X90N~K'e2F=~Z6m*plPxҽubP E<԰QWjW)ߺ tklO$n:|)V_3iݧu5\T%o+I2+zlsu7lqy?&20=Ϗ(e6b|fMtߍ2(mwy #[ xl+FK1K׆H(Ԧ5C.. ^ N4$ vq.(_0t7)]`m@[SDyN4~MQ:%n#Jb ;B32櫁 ĺl&nsHk{{$W2Dagt'r Jzs(sg5^a+BNݯWЈv|Oyq0觬M [M.ZHZl3Lc#O5x?.q٭F +epG f[-۱1v47$%e"27 .)YsLF槇vte捫a~RکHpFk FUY dt}?W4JYTOG%DkT,D9V?CIZMF%d-!Dmheu{L V@!Sv̇TkMdOs.D3xYovX 1F4ZRsB OC4pɫ{V6Z H_/-q(OIMFd[VMQI.Ǎ,ÜX[E3R#~F\ֶ3)6nG듬'.xLK4?B$4X̊"zEK*z˹`v/f"o6QME":y ԛ݃XocH9Idgyfz-Fd@KeNMX>e9 y/p\5}m 1+EǨ a5P# ѳ*/gyW tj0ӱsCa4ID,Uha-6o_bDJsU)Ix폴ȎEa_G:%%㜯d].?6U!Ґ"l)RI`Ϸgr0n׃,6sk-]xb 9S?zwFTSBTDw0u{pJ[Xxp,DIK@goӹUЍ<(R7G+_ǂ'͵r+3eF~[*+EIb;\]7,!C>@WnF2:QRIyN(ti8֛ylgs$2>*:f?w& Qc j@|h),Mpw!0}Yt^>xnקyit*$Q܇=8KMȸRfPavQGCNtj9Ҁ.]!UWZ'PN']i  -麬"pwRcĩEIySz= 801m S.:u fu): ²ۆI@s`5(Kz#cl1 H7+~3>FVa˦H7}$׈yACw$Rظƕ~[51V 1}p5[D(woΔ%ϼ0/Uq^$ gho ' [ƒ75EW룛rT{w-Tԗ.>2*YO]v2k19U}R};ڐǵt1,f? hAxmƇaD.-uB؈woқ̅\Ra_{)ҐĈhDB]PϧStw@E]9&rKd/pq7WNqʕyL%8h<^61&Nu?:fJ[G >{yRT^1PEp|~"so:0mYiRݬ$r|,KpH3.DM2 `9?jW=T4 PwbtqZ x$}T.Kdɔ2 ̝<@ZoySb˝9oB)*w-܈u)O!DΔ.a(~}fPM>I}Deي5.KZbL~b'e»_߷Ԋ`rEm1>TI/JR}?}5ƗÀUj ԏɿMqzF;hVc!!T<_ݲJ">CBԗ lmkrg{*Ʋah846@" 5Q%. 0q748WjStɱ$+h q/ ]UݏO@7j5od2}ԶJHBqd3Zꚓ9s))L/_kT_vzYUYJ+1A1)ON>5XAb?POs;ȡpTr6RPe9腸#Si/łi()m̜P|Ż Ŏ}b lR85KP/E$#oˍ<'żmH{1+_Jv}<9'7 Ve MRy Uڳ*Mɺ/_IWYSp_+=~wޔwf\^&{>=0bOL"*,cLb{:!3 {~J9 Rs]eӠJΟ0BF44ʏHp>VVJ@y(Q RA:KsgBZPĐ0¡h0 ZdwlvY㬧q^e  ݌Ӹ_GL\f;GQ}P. c` 4x-$yRlv%/`<ZPd"S^Nxu\ F5|:6\0n@B]:5o Z[\yJT@A呂M b_ % .j,>&V'mEK?Ƙl8`k@ƌ/A"r"020c +l.k?n=S1IR,Iz{ 1 a]o>pFn"]ٕVՕ/zʕ3b y1tcOLzD%#Ƌs+c?Ö~8qS<]K( eg=Ndu(a |7T J*j+$'R}(cE%9B;Z ,Ar)]ƆLTQ6 %:]0Ҡ/^LΩ}nB=SX!@$2%P'D  5 51Gm+ɚd@|!;Ij%]JUHIEKVYLg(6- cm$y7zPNu.)rZD+S$=VX{{#Xʏq d${E[("~bgӤB)І! ;5yOX–Z4lDM ˻LE:vq$aOZ ό7d;݁Ai!n貗w?'3]{v[,<8Ӛ||N0O* UEb/Vb)8h}0vduڦ9/;Cdz:οOa?{JH'WdHXsbCeP(?H;377!غkXH g@UqZOÌra.+2?X搗STOe2ćCY&\shf\ G"41y#X+@خ:)#6yj`!(^ǽ2;?~ѨxnoUFfؑnv!yWNHl6JÝY Av8h璡'5 ;7a3|&b~iLdm<؁rK(=iHr&d#ŗ2@B s_ LF_R= NmL`f9# JAfU1QI}oh$x5ca[twy [D v^:/A+d6)NLGUcnnO4ql%7* H,)S4^ǃer7CɄ4^p`+bX 1d »{Mr^D`;sEsmݽvyͰ,/C M8~RUi,8$,ģ哖#([MCT蛰R]6,%"Wc<@|x~w~FYvG5LUԠKSB 'N'"ŧ6)LiC\Tr"(k*ޒEfƘV-[P;Ëد8ĢMW.DA8!ƏU@'yWj(Z$OmDǰ[Q3xڋZWzʒy|!4AZg-^_c Ww:ѡ&Xp_mP{CF A逓z>U `[x>d2HR߻F`|܈7e(r[y rLuPV%\b{4sLd v_bo$C0+y)d=]gpL{^j]:=1 -ݜn$=MQ8` /ḑFK"I۰KZ3^0$1]55\p#|x-Ky)PTLtPT~C3eӷxTs&$DDqv:R-+SfFiro*ѬCm):˾Žc$)SgԐ3̇db|хl(3"#)6iD׉Xe}#.Ԣ %a6=}Eʛ-PrzUcb> ͉DJ:kπ|cR(Id(BmҏUcM$IW<ו0a@y(|y4OL/=' t6̯k;NhStM_DQGc5תR*=PzliM-QIZsTr,FMѩflQzѼDm?zjڗFw,̾aX&= sQ\T\gɦNҪ=JaQRu_!,S2Ŭ+Șl᧐ rHf.b†/*gT$vOO%QŰJTMC%X-1sV@9#rľc`z7VOD;& 0'wk}oF&ѳkr"QB;>ܯG{%7>|or5DT^KaNvfG/'_bطez -  t-`a3I|a?]![ݺY\we0 # FOdcbPJ^o͏E<:L1@"h-*[[4qP%e}"mhKg uf|m]@45l e!jքw7~%.H8ߦ=>^Y#Py,:NNMu☥WVM I MW!zCDXZ'dUat_^Fx+:n;IwD?K|/7]Pj)9s8ʜqح$Z)Qˬ`-C*à} >)2QDMo(?3@lLdzpB3f{Kkۻ*Cks=^0VCk"7P 2 _Y(K6UY_P}e^7$&in8rTjX`y:p,iAYGvHNG-SXPW:MzٚN@dR\j4+OXRܕ4Y*"*CI̙QȲ 5e)F9L=bYKN-)ҊD{zB*$/11 hXKΟk8M7wX|Щ-v=R'Ssgpy ɽd61#R\Q FVx˕nNL0^cJyphYS!qJ6ZX8)DQg9 J4ŴLfaڸc&!i̓Kc3.f&Y)XY(HDDt& 4~ _Vi[(OTmr<۽e9xeOF$a\2@Tzmomqrkqn;ZC)sHn`",6\cه^V9 8ӾjƷl 2z-'цyWǡ$N>q#6C#F)MVvHF./2T ?b aPtE\[-k}ؽq,5Bbm/wG*j'zŌ6%^m/ХyyJ*o.1KG&܋Uℕ$Xz\s6|˃J5xZK@BA_$A4GLGWW!c.ߤjU~SfM9N{O`5~Z֚Lf%@X}p0v)p#Rc PtB%:[6w幬nL1Ӥ Zꠘ^t _7 9~UyKs0qh#'f6*}"s7f+H|Ho?"R0$>ެ|[wwT_CV/ +t9%^AЕo{񏜏a3dMhq֐@%|,<& ާl?5u!3HWꕩRg3dXBexܟJۋ[6-`7T}+'AH~Bٲ59@ mg:XY"ݟfݦ4S^cou$Uqbݍu 4h/`uY!} /U ߩ9T G/l S@MBͲUӑQ~?ٹ"j[7+ %z@ڹv1g愜6q?2|Lc֏;BBs*p,YCMEĤr=HwJfB $4+6HnZEkI$ѲϱqA,hNHhuMzY~vbWǛHO jC!*m)cHΞm jL+a&?ʧ$I/ЊRs?0!bKo EG 1}/Yͻ|ycUl(EcɶQNn<Mpk8'Pk)RhWj^ =)\"{7Aq3)WY|2`MK*#70c8&w.e1ɊJv9d#Peh€VD7 Ú27}S}g䔴y |%pHhS$r8l+aI";C򗺳D9>VM  ;U~Qm|_Rd[}1³ƂW21wSG!snn~뫗2z>'mic.cηoQGfR;GԳ5J$JgʨԬU۶FkϺgKQsw f :}adUS`ӑ5i> /D5A+]U,GӞ}()4 >* W=ţ3>ŽGv6+f$wㄸ. lԶ \&j=UHʤj(j(x*JF6/,x }lH Sm0BȤ1^ 2_ZI [МtM0bPK0.~Z(`-,jSޝ~.5kŪGD2\])$keݽ7Cƺ<Rq5ER14K+zC Du%.׾xAb=T[zONmуp;xuw) xфwEv#9< \A氅1_S6p5IY8z:wGl!A+~y"ب CƸEt#sPT"hF_ʼnyצ.E0ޏu%M'6?IG,)cp~־459H8,53!nf;#n2NCԖ1X FAO;N%.>]5mc뺸-"5ٷ@A~n0oMvjƪbɘ4!h$"FS[ G+LNqXmɇкb ;,Q:bg!Py<K/j;^O.] #/퀜YzK֭q kZ`U|WעntI2J&RqL ٫'JavoTEj  '[ywU\r?49ȗ9=[q5h&uC(:tgKbٙu5K iM4EaBIeR|\XEϤй9laʟz̼}$]~u "9k'|"f\vG>gL $'ĕ.z'6c[\9K(8`Œ{0 yVxkm9&+ek4PuDWg$W0m?* ]+搭"|3z 4ɒ E7=ʚ^{\P6ލiO#(mWSw ?ViF4& [y% 6=ԔC5 "ÓtԸ80Q>JiuGn0)4{8@MHÁh=?KkWB $D|_6^v8?F\ n[J_ UowLHMh>#_⡏HˮB#a8 鑃7Cp0!m;Qc@*%Y(nKp?nHOi xI=eH0@ןv=AQ ܙNVnזS맢2mDMqy$ljA-3a;,pMjjghvgߥ\BtJz_n o>݇tO^V-ɞjF8O@( <[p5Nל oSPN:JFGƤ:T3-7k}|oDcykM&L"J%'I͹&nڃO۰G>Vm|զ#c{'(dc7aJh{9 fpIB< i',ŭ[A̳JÊ;r ;@e+hAƩV+Ǎk=+A*Ng:%?FxʜgѠXu8>GIE|jݭu DYiOX~dl*YW[(~HC,;aq!W`?_\ޤ.wBeAk5NuҝWuӘㅖo6:U!r*Nf_L#ۜ ~$N+S-*XC5(4iG1\q}l r@c78tK2K%j J4q2Y<dJ Pic黆(!lj[w_gU6n3ZN]w̳! ?@qoNT|->qYJ 4%| 6W=z2\J\ oS)ߞl0 Hdwqhfn&1orbH( |xsci ,|)o\b-n]ɏnt"z /t,Ȥ4o.9ճT6ftUF P4B/gM),63#)OC +?f܈7k-dFkz3=40/n !u)L)FxCT^Jz:.?z\I%Q5(2Qݝç&!#p1P,8-zusD hcSwрqV]aWGca X|rٝZTHfKknB|P!.#׭ZUZ nl SuA*m<ƙ1g ɝ!i ab0fgPO0W83SL"*m7Ǭ)ǏOJn3*gD MÂ}b&KWv'>H{QtG_u }29ẑ4>!0(E8#SSWU꠱i-@ief+ eJqh^g^ ZΎqX[/=OOɸFwsuEYFG1K4 33Q-h,]34wY*WM*7ܘS%ի4Tu(l&`pEU{/"l8$M dTїA+co~REe]TT ) ,?$9X|}%'cUT"LȬRDm!&a mMX.b/kI ?d@sq}7mcgdS歆F?BFOi^_uRxmװUwPTHGs.5y4),rp8愴`e%< *N,r?/%n![Ab׮j|M!uxn)f@9ȉD?06&Q,͆ U%uї_^rjЂS:;`ꊵ iEieVmtadhcZή.Pl"y~ ЊV"pig8>h эC<3RꚆf) A/ v6~?+A,Lk}֩^Щ<>ja -m#jƏRs7dme|H`7cUBZjQVxQvO &zy{f8STלxA&`BY5Sۦ"yIzD XCBO9h CZDOWoәRNcVPٖ'd`DEoJc``:mzKkB=}eV+5 qʓ,ڍ w6/;Hhӷ.7Kff4'4;C69ޣmTN 孀4p<)c9ciN :f?6hxzx3_`N99)A> -2 6u8R釶aTJ@!ŜCtDh;N p@5@ yХ1GGbter0M,ˏhϼdqb@bKjBsE1]Ko@/jY*`I P IRԕaƠYhx/̓8^SSNw<"})wpL:bڟۃ(:˧ǶRB 8@//Ndv)-$آ/b=_5y_"ѧA9ZEsa\d \ͦ&3aY/v2\c"wg5>(sX|o{ =RɞB.g` Lcfgf.ӄw`Ȑ>=Y;_h@]Cs8treFLI@"Kf L^KzA@ <|(iRs+X:g7`}9NKs*Jțg/dZei@ kՠcwQJP(I٤-iO6 Pc! Sd|c{h㧢ҳ:^%/y=jʔr4Qa{8 eҕb﬜ نfyqֱs+7IFtr AuB?^/#^Ģ="㶞(_bο핒3*Ɯ4 uB?W=ُA˖?vJ̽<S7@hv$1!GK)Iyl'1W;_Ix۔ZAվ_O JŷNNaB&uf4$yXvhD!) (HÜ}L^A7Lp`d<3VaGOqfI];cP416q X ()2b(uoqأիL;ϘɁzaPnQePoOR`EQiP~*!*rhI *9McVYc[l9|t})pv2.A8ojzN zo4 aj$/p? ]pYU̯O=GHa^(N,K)\AKt wq;C[/0ڿ[4T)+@qB[dt2[IOk[|Ve5@oڏlf ǯ~Q8%'<^vh?Uȣ, »by6s S>TR qrE kt!DIlXrd& JM7ʆ:,{CLiW T[:՛m!p>-xR̜{{svZ!(+۾THe<BO/g.?Ky _;]l~1} ['L%Ҝdɂ% -VOd%JZHnZ>9b߂g%;3(NG<: F><>y 9vLaW8(+!CU#`K##R+@<).OĒƶeI@?,|SV~ՠi*x27_nhVYTVٜOoJ"x(j'7[cA3+wM~US@+`Usd @Wç}nѢI|'r0 ~wBXt;cՔpT|kP7[Nݝ/8l'{?C:ysƈI')Z'>>l c;=8 r r;5S ~E`h$'x(0/'i<7Deh9 BKUpfB~lu-:ߣ{f®W=pGqNs=bw(y_4ͬ4mlː&K.d-Ⱥ_d3yPOIݽV>/IrR%B`t.cPIs沁J! ڵTɄӱ_5mOUZ}<\pdԷʈ!i,-xΥ[gYnR yqܒfEKTSrȮ&7>FVٟ,p>i:ujAmcq\WU-n%( ǟ )ltYBM1 \\\5^0UIf;ltlQ'(PJ^Ҷ^jY$UIaИ%[,=` Sn,}ub_'Lkb!v*eFi+У8֎k \e:tW;T-t7HJ_&i'RxpEI^`-C+z Bpu# Pu)?;3gm8 %}ʞzq :b1{|#LRC}0ev43Dc[mhɿW*@bv6ROł:ţڝSQYӷ~l\:*)1G.{jsA 5} ok97aX8Kҏf<< џt/ 'u1DƄ(l!ٴ&&_Dz { tIze&ӱq k&M!vik![ ٫`9;{vbܴ;n,4ycn10dػ0ĭH؞5T9.w4 Ϝ(x1ieiIR/5\jzU X/+V_˿Co#,DsQWUpdk45d<v᫔ ~ ͦp$/ `rzn(4!z @P?dxDsM"T"Fg^IEbptaVd:]{= D"MTH״:ָў% b~Eb@aEna42u1-G ;.bB>ib9M;ٕ1Kb;ƀlA76j^(QoH :BbF〕f+ϡl2&OMHw},10J.X^H;tv7Ǣ7*JIY]3>+*J9|6^P-;ю 1no4WwpN-慏ˉSe 4YBE@<` g`pųv"`q8H/P/~xP. ޅ'gqGY.hK!9.Cdh6fgfzd Fo.&{'nihI6&j~ TS2kEfCdxQ/? !; ˅AZ5tN¿7sȵTKKTb@W,6 WTIx``yH;uZz,-dd~{ńMQ3+3 G>%w2uN˲rh{Uųl[ xt*C1ywhǢIGoJ~ ;Qݴ *s+$i\l,x8oALf62zc"ZT>F{[}r7qWXȞgkFI4x4xLvv J~  Q'N^\y|1h9Toόq0 ,[Ɨ>@Llj"pa 66pZ/Ʈl~.X@0(o/`m&K\#WgH\~j%1z7Μ xXIFiTD_HxM#0 ,}O4o̅'Y gbFѦ:|!ᥜ)8w4% -ޡq}h(0mBb;T2爆K*pBPY5hZ3@:z.lTio KXc9u*Ȇಪڟlz%˕TraW%P WϬ:/&ChcXlO_4H;]yDg78}#K#r{-+b+U[VU|1Sj3>Gzrl0%: >yIotl87up-Eʩ 2}wha/CU}{cw;2 ')2*2aA6*`<͋Nlkُ"% 30A)IWdcXB)#+ ~-{Ű^L0eXk͜妍X–=`a2{~3n4T-|R _azXD^лM,wT{By$6Nn$ JFͲ~VV_?L\2j[\0wEU̢/v{tK^UGd]WucVJ@ 1TKS=[B$Ct0 \C"OV׬Hk9p݇wyD<J0:w)\!L6h64(V/iӘ;=1 ]İc!1b#52,=cf9w:4!ﱭ9U'3o2ńBKc廕Ν37?.?[veD|EpMm00bB,m0I]Y$N>&to,ٓxhI8֗MQ>#bOr5<W׺>4ʑ& < no(Z"z LxlfFVֵ֯B -!nA~I*Ϩؗlq+|)܉3W-uן{jshMQC_"{[| z.ѻmUW6~a A@:X6hשno(f~ık0}@HqXI >, rmi٩S R_ ˺ Ju"odܐ0bWlHx@8R!O֙_4'[p~W*lS=V*h!f:vl*FTkXe4G̽"AlIp7ڳ%- 4J^#) VScg+/BX_4.Kw"\2ú,:vUm qX 8WL\x^k`_T1#p7a̒[GԐ|#El}+T6#EEӡ 1w.j@ulׯiQVjÕJ;@o t^ ;[^!5P]S2yQU>FQ`8 Rp71@uUȺF`CX\Ŵ9qkE*H[-9gWi8|x=aȴO5)Ey b?9LG-=P\i FbSE;|N~SC?';٥Ee!V%6m7eS4"(DbjLRxipyjΗUXLa{Tx>Ⱥ1.3(j/$V<+tKxɐm`Bb~XX?Kg61ez?ҾJ ?]ͪɪ)"mگ 01!UZcUA)pS4 R@mOkېHXOA59r6T%E 2&?b[ƅZ2 +X7RL"monp^oѤȧKXk'3Y0(vk֥wWYc ضZ N{x7ŵIT=yY*AB> Hs89@v2˭oLB0]$ſz (13QQfB:i0< .Iq҂[wp7~z&/ۊjbASv;x/}-⼣/rg>7G:o^-AR;sFF{LD6#jsFI /3d6j)>Pe֝ xM˴َZ o4Mqw:s ]ꘟ@RqEC"9!w>hХl%{V7BmE癫27]S(2UXm_] m5Ɨ\L}Gn 9Fs"H՞gtuUn^0 1Khqן mK9)4HW-V \Abf.'Y *U0:Wb"V x(PNzI pY=S]{^21[pF`YYYþ}Dͦqd=%Up*Q?d#B *=I5"zIh1%T"2oHT9v!2ѥhBZ˷x2C3쩧Z~:&e +1vce6'KW^?c?zSZU xj_8a9ױdJݡl8MtdP &=  (38.-uVC+!+~nN0{Up*65iZgt9"sf2srGQ='pɦʡgIu+}߁j}++r }uv$YYB("sp\]c9> ?PGeP)ݦ[A\.;ZGb&|$9Y+_",fxL ;sIM;l5sK hV.#98IԜp2=fǁ=ryN0؅&j)@ҳv;nvl$0vQ'0}HI8;8i[皦۰BОp I{M'׺{8iȶǔ4ů6g ϟN[E%2?2y(QiNޟ~- 0 `m+ 3FM!#{SǏS`AL1`m[w]`_~na˺iOd*Gɚ O6t@O#gg̭Wij{V)UCXd~hR4CzӵHd./ã>ce`7"NJ\;}_I X< r4؏­~LA˳2;C RkfOx2M58YҖ*]Z:awsvT7 =#jWX"S96p}% 2u!^Rޡد!$#8Hx䱵;Rm5`l6oO'[ YoKU87 @Zu,.E@xĕ~І55?2ZEԅ5$l?cR]ZKݙ:> -"hor/?4>{)Ђ#8p$Ѫڃn1߰Gծ ?@vP)x"^2QcYE2֑=d^%-ooKF%mƧ{a3X~բ{ U*,El i1׮P1)K2FK׀lXna A}t:34:ƒ\9LokeOe_3QpA ?=Gƕ96v |q/`m\a(bT.7P6uNkT-T`Ɯ+i ٘H[?H w<6nd'P6Ӣ'nK}c/wBm&Q&y=r.:;8Wb仨I+Gګi- o 87n~9yX(̡L`(ǖxZR^ ɏ= M|v mW(%ւꠃjeoP1!3emp7 _ .m *IkkS]SLL9 ˘f ,{YFi5b6 Td߮u '7I\4iZ RC_t=*=XYd7")K^ EȮNdJt' OƮr`y8*b&Ү1]EC&^&bTW"ceCr;~> סձ,po98Sh%4a)whN@Td]58ss*n8+?͌j#l;EK}qk<ݎZ?B[?2s2l4wרPk9J7kdoDDi8Rvj뾁NN yw#;=d:#Xe+N2nί`U#DKx@&=죝^ŹnYk/#٭ [5!q5j[ez%{/N{,-$hEwUBwcG$a'kU@@qh[mZ331~9}J\`f&?*4c=<OGp,f!ݑly' A4?N*[塟߼GO"@8VIzRF'grM)[ {#I1"橐˯zd!@o z|_=ֺA̡A-E\ l#dITh'TYM(9LW33z 1ƀizͬj>5m51o;<v0Af,UC7Bſ?WgMET}q){V0E?ݸGNsa_^O,#*-Y_ Eh͈Zxip lOl`Zˬr\u 2-~GTJ{4-.m%]od%d¼7]`c)qdoT(dpC [jaI\8X1JQ@XE/9> D RF#Sݝ|zr e L7蜆|=;D֒*0a~m_1Nu_L" v4a1!zV"۠x4w-lLH{]nqVP둷˾鈜W./Wpȝjͺ׶8?kwy!BDy:5.e3vݰ͋jpm 8w_4Jjz{+hlN'հsݚP {"95>ovy1z(8u~+wavQ%;_cs__ :+([gGވ픩e0͒%JP8}h[ ۙ%YJC:Vi܃~KB_1t k}H1~fix(?O%l|+ۖsʯ0`YU=Y^=/?ȣONr ٖZVlg kb`p+v_Ahq~ 5kt{ţ0S<O+ސwiIv&݁+&lܯj,';8rU ](!blBSOdA]cFۓV JY@ߜ:(S|븀|V)nJ^?:l#4|i"bȵ{s-b2%QBC a:20uڛ{*EUWԂ7Vz˝׳r.+`$& -Ϧ-&7 FJTFyȗ$Zn5 KjqsA%#%zh9sg7-F1[l~W<,ڢ@Wk3{.U~?)x ]sɳ L*t8jJhwX s9vvϳ}J@x &ܬx7$2\Q/)cESL-o%_{w78X~^)b+ziY?~nC| Wiv4lVA=8rLCmJ٠$RW >h~ ]%^e:ﲧxԈ;^lZzfL窱¡ ǴՆڹ 9"l s 6amf5$E~ #yt ,乐9DRL 9<sOcRt5FwfwH=P$'BF_WVcl|@Cw$1Է|iH 뺣os&Rgvj8̦8pȤpLHx㼺!8ߠ%S}@ n<|f+,d&\6D"DnCX}Eu0}?mw*FL*q`45̲32u9bT+#9^.eȁJֿ`& ~$Q,PP'$WA)oF[ĸ*Jz|4 ڒ\_zg8`]Hv0^b|Ws n}9WWhѺZ~1wuoEx Rk`ZGIN\'CԊ,|~ n6m3L![xӴJU/=U% zV~AvPTϺ_u_J(_'*%MCf_Z>?vXb5Y%0 lXWD܊fT4|IouQevqcdz~5mC&>mϦ2>|nx^pn\w:'uߔ6`B@_XX)m.Q/Bv|:BӉ)J] H+8Yx>8iM>pYz[Փ,H]ԯ@WB[eT)MX'(T m_e[\ ׮u]%REfc,NW[ yU8>أ[Ꮆh}fu: 1-r+lHo_91;D$|!3{1CəhZ%Dqb,+ dO$$BdEL*pDz+8(?+vPMqֆ?'ktcyiB2gta+CE !Nlrh,ՔoxL)2G:;ysA3%)Zw]>W7#JR *QfAhG0.9;dHn%S< ^0X'Mp=L4;50#4ʚ&\jbk,o3~O6>CyB0me[hDA{N9b`ԯe&IP 74WsciMSw cDWf1Y_M3 R.Ȕ&Z>3gqj*92(^mK-ʟ4  a噦u2ϣTtnI '>S'舘JR yf 0LeBR㍒ HثowOݝ4$S]ݫLvyh$x~B"[=DL+FzZtġxG&)Jy L:86\@SyQwNyt$yń5%ow3Y%fȊ>B1"ħ_&d".ݺ#>VUXnʄ =og4%w C RC>paݧGMV+Xl؞|dS]uAX2D8@yO*@4,W TYQ >rj=Y gO3R%.ZE/C ͬqYTqR cM_{?cOa=m+&6ܱde ШJkѥ[a]X9J&"*Yk9_hc[]UVNURhzzO^Rn?^%7 cb|*YqKsvzL1nqXš׳q|U!~)(7}u\ Ls,=GHh̙B-G+>.&h)~{gQP{W-:uT Vyߝ 2ppd-q461̑H3hvZRl9GgxSrJr1s]f";<=IO̽bsC˃ϴt}xOΊVou~TՄ+f[@xOsY9[;  }%2e@y(:_~zmR᫿?hSf BoglGRa^oçk K]h",rjPfv.n_1wOyB5o&5[>[ݻXJw:#̪pO*37Bkw?H%=TN/m;!Бi}u424 <,k![Gjw)xtmpJ(Wl2Kc2@ }{qhaaLPbujuIaޚ  %pFU_[ @Ȣ@Ϛgn{΀czuaMqC#7ֈ/ .V>dh0ʎb&:Dssۼœ z/N)tSoFYeJ42e k-]F$w f[!X|a}O_m2 )I\n ڱ{U)IvIzUxjYWYoj޿뷤;@/Uy)ޚR 'swF_i_^n 2[4Z.;?qu`8V2:'hO}@˰T3+mD.y(Ҝh]{̿HOM񐝿HT"g.Sˮ ?_fߗȎEiS+YSNcDtgx曂5D<㱑HGT%ķO|)ulDQ:"h G_ZTdž2V uqSH0~luo9T;9қ?V mx}lz/聀,-IKMxavOTFBoEӦpg3 ¼&԰Ծ.Et$-ٴ[ ӗv")e[M.:8Q^k=o~FdGA7XneմAjXL֝;:~ԭ( .ېl40׏ei]2?p*탯ϸ+j&-|_І2; rv{I'p~t0-|/wNKܖHSŧ1fϒuM7=R3%$+EMD3;U:W.Iggvmb ՆH$S;-X/GƬ72;(phebחr" vDqggOpn& 9U&l*3LGK6ʿyU̡}e3)ѩɩV]ROjޤ\?HU3ٯtrE]dc$H  t{~9ظAQ yD/ȩi06@j]s-y2V6-)&fcMb!v"%Wwu3)O!*4 JEh!;;Y C1VjNVy,hQ:aO{~kH_iqB5CᗽL]VDu龼'"vk봧==T4DnZX"ucޓ<`#t _1(#o뼧դ!tƢf xS`,D4q?_Kgg?L'{\S?bZ[EcKA;*3Zf̃L}SHKnD]3ܑ*&Ͼ}y%R1`(vt/L*(*y6i]l-%@@=)Pێvaugt~2e;e^ͤ &ێ*+ ,[jH=e]ƃ$?np}0;΄dPnz1k$}r($O^ۃ×!lS$̳E!5-{!o)s+Nz̈5qǕw a _yHqE#\Z!8@oJڶ4񍗽ġ*Fع"Szyu}ZVcFJ?F{haܑj / 4,)r*ۤ2*ߌE[SBP=a/`PYYm]|k=[õD }itll9B5 yûmE:LfUfk"\b-MumJ.%:\RKFxsђِ'24~-+)wh$({ 0H%q 6P_k3+h fisx# a.Sϊ"#> Vc٧%`擉㇋$N蜠asu֪!*~j}nFe܃2.C`dR)f~U jW Ղiʑ%Frd$Bs^fsƛ M"lnq2M[f%ݗV}M^90$MϜGrDȚ \Ʒ%.㘃ױY{;vHKIQ+QǙ~BAKޒ(b9?J-xnw=~Z@c"4DS>Xsn~ e[;i$Dx ~(߸LjUKtX&ߠG2J#d%Q#Lc>ş!Bf>WRǯԤj?NK`z`{ AyQm}( <7ʲ`=?g{NkOJ̚颺}A6ut=khd1Ddծx܈(HĬacu5$6l w!tTo];yRxF1}u X·O>̄/4@Z*vݕ%tb *ƖY82. AN(&$>Ul+vh/%-ej(ƯkOУ\ >׃/xU&杅S#z.R= ࣯gf&uNTLϪmz2&,sK^0A L97-,kDxqJܜ~MXJTN L K$ 0 1mQ`#[S_ Z؄OM>f9:"6QΕ=Gbj]W9&GnDZޞ 5T6 4Ũ5>rWln{G.U*S9ljmG{X%c]ps~VDCIA./;ml 9N ?f6*E:nW?Q(Қo~Gé4W\GkmoNvくY>ː;s/a&GeS։ 7]J61BL*cgg"DɝCg mt pWCu9fvL?FwToB zFH'$@P0z%: @+d38 30 9B/Dyo J*–*&L@fy坋[ 4M|0ը iYL/s>Nah)@j`h/:]ԸoQTu?l2"rzK~.G2ТkLJ,Ϻ$:`K/$ԛ≠W\|=IǶ'KsDsJb Iξ'FАFXky ѲF0Ni"o94rwgd\ wE bH? dNi|+*ԥ_-lUE4'-E΁|ܾWE&DpB\N|o,Ũ4ֳXQ1E6)X:>\׹GwѦ/9X,*=5mbƢ$+N?DXclG̮%]DD .&Qε _wa( XlHlZ{#lrD)$R'h;̜(NeۧO:[k@[&!5nZJ\5{@W˶d ;0'5_ 9J)XH"7Xm'ژuA#B+Wi6(%e#:Vyڢ޾B!{跑;:=N^>hDu6F3rRpb q үHP|EA9J2A 0 [S"ZS ¢;tbhY;0!"/UU"Fk)6T],}5Lqsޕ>5n)ЋC %rt7,>;?|IP> } a(r(7JE3-Aԃ[}֯ƈNE[ܱuQ_݇`ͶH˜C8.4ejcU)**4ClKRAm(0QlRCzkAU5 ^Az6aA{㊋M48n4>0@\҄.19l~jԵBfGCPp2TX14vc#l4Rl3ɝ\iիVih>Hܡ ^3c pfۋR˭#(CRqG ;b0#XxP5EFɅAUWS&bF{K8v"jiؤ ԤuږVppVG~*O,Vgi^NvQs." ym3@Ib:ésP jѺFA_7ُ򵈏HHt듴wx3K⏽4E-+`(%!l\hNz}mֱs/y~SNQ@hI儳( g%03g,Ey(㢉!K&4ęvY_MAci&Erwf+I ѽ- D aB-.y! ,>oxZ]̍. &ِ0noEny-0[C`1 p.^; :H]zP,z;7lO5~9GU^im&85E<I|.>|WƏjm`l G͙7ϯiʉ&LQ:ҠNj@)8y/{=xfj=R ( ~EwGU/=`$swjrnSy\ nPsG` +'cT蔐Q^Op/ni֪L k^DL˹5.M w| KzQoɇν)$ߝ^WDUr`z^C!Dwd@(pc;k] ]4ʇUZCǜ_nj':N?regB-) _gdhwzgC6n7J\"ΫjlX@@%b1!롤<#2~]bUٳ F^4q~0zMݒG ۊX y47N2qOW x![q {=}#qVPKBZm8GpeP^uE j`4R.[ vM'0#2JR@].FT՟ƞKmh4Apb 4З]ITF g⨼ [J*g#$J9_ER*= WO@0}wNNj2Oϵ/gB!=iljg#jxG>\JIkfRi $x 7m߫u6 ۍݘ7Ti`2[*poG`d]^'}C'7g"خIwg K8OЌ,0i$Yc6Q4L7HkP1\F'RfNAI#Kpf&Iy+U2Cm+u, 6:i ^浲j)h{4DUsɓy HKǐV h9}~O[y c0]J =M6/R$VRtWؙearnޘf7W/ _ G*ɔz  ~nXi\,f2E>ʠF*RIz@}MϮ~E`-9 ʦbc;~U}Na 8ٛ~>Y(k EFNbR]'¡x {:nA!0Eל9ZS%u9n* #=tۭ8&C.2ٸ=֧R: j}IfL*|Wq4i8L25 _?jx'{0lku#htv*ɢ #"1,z_D/LTg2L b}GP_!.ip>@-> d*4H]mc~bd.Ph62& VbɁ(F_gx湌hc,BڽHQW2cΆ0lrW[5g&a0/"=@Ǟk\ *|s874'ʉߴ:)u V9΂ȝ }4(l fxsҏ4s` {@z; p`{Ipy/] 1_ӯeU ) 43h ]|6u8bqOSJSB",ƅg[:f e(x&QS'A.D C U͆zK8#+v+Yj-۷ 7}ٴgRaJ4GDB,gDW ۥHS;W\R@](gΜٺ?͡QȄs)B1A !'U}m 8}u c29ûPq]m;lvjl5[liS|xpU] y>᪷\'J}]u(#}$uX\נzML0 Y"u|Ok蘣g*͉&=DVzZyFI֘շ8} =۴yn?k !Y7Y #v!ą:{^[aNIbwz}s/*m=^ znedj,1T+2ws ߭asBuV b)kBedwӧ!2ɧ%!@\OIZ|:;]cȺet6سV!1qjQp @Je5M`tf Q%C茤U.PRK5D۰ӗJV.ߛ&Ъq4s/1CV&Yϯĸ۳: eEV.-&)}PBct΂9W?Dơ  pUP)~NC3!idgBdQGPg< ,#ތLbO%乻di'7bo5%؞,3"xU_`'z9MI)1w0"\Ol);4hWQlA SUlb_"Ca^ܻ'囧-f[};n[6Q%xsyR ӾTp/(ɫ16?].53:t_negU' 㩾rXї*S//ͨӇ.铕>HypZWE20,ZEmd+hm/i_CM'0-ZU Lm絝O0|ග Rc^0K^Q+LL)EV8  ՂJ.'E9$\2v{oӁKxED,Ss'[bCEH{wlqPUSK e my _ `+k;9̎VD|yjntvְ6E-S*8{[lPvjIqb@RY{Y0Ѝ{]F1 {;t֦mEelp{71tS @4ق > kюɼώF~Vߡ\,։g^R<DzGz;@`=Q7lQ&Kѵd4ѧxY5l, 5[H/=e Xg.~tNYWx_!\Kr0is#Z(ݕ":'ʫfo?d<X:k%ٔ7]ZcY{uYk`B@-aM;ڐ ډ8\XI΋ۭ"؁Kyv)Y.vy&I>؋y7( pa0UE 1_OP?X"Zw~&K`{S-V9s_.ǷSOu5O%U9cMmceDQIvqۀ4nJ kQ;8%4J}< Wb˟HOLXt/^5h1cý/&7no6iKR}B5Ǟut.H#9K6[W 6{*\@x~x#(G]-E.TҕJh`}>OM xcE?AlUwhې"2SGCQyqM.5W׸.Zi$мٖwxs*5[Hc)11otDFjS vy6n`qkX=M,I;rsq!\ yy zaz:B~YnF>ǽwhӜnp\ DL*2Km 6F=m$?aj^pV fRY"@ԭYeP!\ȯh^ ( JX.JB1vwn:j˭!y?OJlLuqN'ӿ.drcv峤iA%|&^G~0 Xsp1ҳ"(g h^J m?둩؉o O-M[0JT3fa-P@^1> %ރ+u d"dh,JPexWZHM#"BFJ/ }1|RtvTok)8v(H+'넂P9]ԅFSuHߧ{61 `s.MgΔU=u-,,ɪ7Oz۴Mt2!f<uHU0vryYn ] |J2;=Ħ{e?imJ#%V:n/`=%V)/;ǵy_C(Bvmen.n&9ALգb}Ǜ5s}ƣf.c.M1P1*# tkw!F'^܉. 9Z!h?qvǼۤUN%ީf[<2GW BmP}5V+d5*hȂk̳)TM"@XfŸeǻá ]Swbw{nɝNJմm\<њ%AVR:w|#"ힽ{]WAg5NwOv Gv} \aY1RtS1d?Qܡq1dj}z&>iX7YGi c; dۡ%W?md6]{j) _zbHOvA >]ˡ@E FE0lãM jٟ4JQ>< c0ۡ91?[k?~ j,غ3: ֮ύ"$,ǯQ3xPsֶ&t!zI8[ ߒW*E꬞hux- @ ZÂ[J ᾑ6>DN!~$|XBkɟ(XT6S.MSs>?( ŵC23W몝8Al 6l@D}bJX  u <cJJc=:eZRޝG\^E%vI9-y6M7Z;vm,(W6h4VgFPkg(X:` خX A3G0v1~Uf"t5QBPԘVKJx5pɜ| o2cUgĪ&FJo7?ro'~_PTM'Sn2T+ N(IsZT,ĕHDɘQ_ܦY^]Ls*%PXv} 'o hQg_yUpAQxC)vh9PkU'QDŊY]pIȘzC뒱 Bqz;ZgE\Ӳ:ncOD4.Wg2e3,mJzÐ]>f_KHzB8@h22eH+ub>_`Fz_';xQ}L Ӛ[f;Ue5,O'1Zma#-o6pO+M%W7A+hgm|\M }g O{ 9Jd,VU-%(^~TDuQ!of\2Kj (sT~]3DJô<v`hMLN!zI\I>c`1RFӒƭ gK^H,rf90qcXCJ o ͖PSa%FNxA\r׊ 'Ø߮2Ğm1qU\azoiP~5Ix;}DnQs`sօ3ιE9ֹ^v1< 5~_` JiR$NFlS2jR0) +ƒ cxM:NZR9ӁwBKÔ/?bi]df4a $m{*Zo߭NXz6 O7UeјƐa,rPPKL yy4HRhl:p=k WjćM^b;3M'*768ҋrVPM!(?5Vm-"A s? a|( -Cwi]4b.>?Tbjd,k23%{3¾Hڪ)k&}_YY홬g4OꊶSh~.%j,zرףd1rf()/F{zusH!ibZz`-2.—t?uaSX{>98f[&WJ+Jk<8\Xrmֽy8bFd._I B!GM]]F _|ߥ8Fe=҉e`hސxO}e˵kF Zԉ߉snuekgv"8؛hr_ sK}=OOѬ =E 1nWu@]W3*/}*6y.Hlrٙs\ƩGwf2[w}4EM9,O(|&ڱn}e[7>,Hq3*fZº@'5ʸO sS^tO,?{;{ŃXvJJmnTJqܾrBe:I~UXŊT1[v|Mb2I31Q͕M%4 x Mp="TxC#{ LQ^{xH(J XY#9aV(F6s4̪6{W \O҅Mp連ůq*.1~9 d;~Dx#3霝+*Ե-dlؽ[zFwCפ7j!o!Y qr)G>mj&}U~fhC/TğE_QtoEv֟Ύ{\fEX,byъL9uz>U MIt*+ӹs$t[VJyc8w؇ת4DC>5Q$vv$&`T{55zB$[Z#dQlFwrrt6M1_mGU"XH4.)xӐaCuG`&(wG2mGc oyN)%'ǐDTr.0a])Ԋ*>R|tQM+cKgDe3U0;{-& D_Х,K%' |Շv\ZGFi1$\l9(ӿCƦQЬMyC"v s3RO$}{fCMElnDp5Gaw)peuQ&i:If՝!lI]?q"$!!%kGa{"HW>#):b,<G%䂲_#>1o-1KZހ5Y]HWGĴRq<М[N.|]8d,8Pb;j7k*내Ss/ c-td!%`EO"%Z_\u( ]yڋN覢lpwS4Y|Вgؠ)Fג@l& 0!K^?ZL5e4ZL[t&ޯaW%ڰgwe3;ZQf(V>ѓ|L\"aaNͻGg >s)rplu M+v>2FӓX. |PC-6w伸B~BEF9 N*hJUňc ~ڪub*Ҧ6x'k=C]W2 0Za= (0^2.=B7%_5R9οK~waTx*3.sstuV=, r'1_9OӶ,7m9C MWq;6[ВM>g~7.e2(5$Y>x68\D #faK?8Xcf0%A:I*U&: [#<(K".5Ǩ#@=y7OԭCf~%] ؐX ~;\nA¥@BP44xcJaDĞ+j=h_ kAL& ypRԟ)fh1oMOVacUJ D:틫l&i zayskW:9N1}N%ڜ|ݘRM`@CɝЀI )4~\Iዠ Vs.a6kHIGޙt.N6yZs|ē\iB'#-ƳodRԄ>Z57a=d'?~4ś1H !]_ͩ1Y=AT g^+04yb5kN!@Ym fo8D! NYh?#3u؃uTpN9t($A øpI栖N9\ḒX :ΌXLF9O ţGrHֻG:ċ-No:"Eı',ɷmX W50S?i}Iб &gۭn-׏QE_T:mz~J.G}Ə%] $""Y, 2[3`5b!9p$:Xz'ꔶo }hq&Ks"|MD%D ."X]#Kӗ^pMՆBtt9ϯ, l(ݏnCZnݐE'T+ 9{ ]cϱs!Rv;|N%{ch(/XpV. ,f7*?7"_ f}OCe̷G!. (Yq*@ֻB.t%*?( P/,N4EgR U Ql!'R$3<0\VGnA,@hnbjs\1 +ZKv! N҈_D܅Gtt84=NFC!Nيl9ϛ|pOMvVMI^n![K*s4r}'a)b䄊XzV˖X4.%^ZS|&] ;5=G+K~w2ϳfPFЂ2ctߋ}+[kz BtA0kF&;( ( ;^ ,hlbT"a̽eau,ҿSa1`d?QL"LWhdaKoC hd9>sd=YR6kKDW(JЯw&X0^!h3Z0d=0(ӥ,4.u o(1+a{^3n}b-'9PtBօM:dJö~)\|hz2S_*(KroY$k,g @\vblI|ҺpW1mػ$P;u]qkS(;j'9óмRXiHh9'1). I֭_|QFo7h)0B+JP Ǿ*@j즦S׭Gh lfdr=uJW)L2*aj2, >sx),OyA:4)KMLT30nN @v;aބE,Ybzw2&5^v1A=WϐʘP@ONTI"!msg䣽|t愘1y4~V'[ +-I0'.{+ Nzd,)wЦljhB=yN;,3v'x3k94)/p>Zd& mgMDF?/fP|,y&l[e'WU)ZC53C]O!x!J(+^kě%?W$!L|U|z}$1Z_!cy:i{-ugy=&n&β$DFωHsfCO-ȧGd(/:4Ȕ,}|U^.)tT(2SLV򊻹J1a!\ s"JB?͂e:_c{"w1c9*Z[Gk )WV*㩬]C?# `k6ȩ ]٭Fbkr閾@XTyӃ:JnLp!ܿLf~‚N6em7K2ay=,q}09x0I(7!8B6災&c_'lPi\*QIdm{6,R=[UU{) -6VySZ˧ }Wg3J-Z6CO/PPZ3˒SA)"V"/Rǟc$rxjS[ml 8~$BDfNS V7eu(13a`BvFE:ցHaEg#cdt|[45&G9P uM7LJW1]LiDN9빲_}|׈Pw]rB<#y];(l&*mvD:-QuKQ|_plS67, 2a#F+ (e\@} Q5oҳ 󹢓׼3ږ+]^Akplov=Zx kG %zNΩg4+ Kc B:M{L ㈷qbҩn~#kyPZV3OӱPafA, j\(ҶPUSC؊ A'P3?>4O6ac'G9(=fx5]\8fKU6&DCsٗ\[ǼLinxE|)VV՗b70uړ]y?p>⮦{PTèdfj3l{B"ٰGB",Sx ezu[کJDwb>RwŤ |`zYSO7'9rzs@CӾ1_X<}6yiT̜ȯɘ䩚ؐEL@]}1 ΌpmXp6BH~`OPbŋJnw$=9 >aتNHE;"!vM-^]v >YR.$' )xh@[Mw@ ?5l~ QVy졕mˊ2{As}dA/W2$p)~>aXOdyzmJ=@Yi9F.77ECK1O{Ŗ:@XBT1S{O$ck^脨8F'&#P`@řpȊ!:hyʣ̖eczZ5[-XZ W6B*Ϥ[d|~AЮ`K9ƅg@Pu m8i[VX鬫XzwU'bð* BTP;uzFWOE4˻^ѱoE2wT^& Yv (%, o>m&]y}+r =cUKP=+NveB6 V:=IgtKP7 .٪baŲ؋ޛɝ5;,}ح :WT/QQ$m9Y;6\+!<LJ/Xik\?Yլt ğCD =hBg%BF8\X9.lv,"%ean0v`<[J4%&ŁDDs/Nك"%1ξfq 4zr9Ȉסt`fIhLB:W13 4R|&/ Ye\Q١o,RN[0LŰ1O|k Dۃ1" S9*3 Dj.}W-Hޏ35jqu+RF쀇lBʾ&IQ+@M7[$o;,~/o22E"; ۆXD&ztkVPZc"lrc@뵸 !yf+42;'YO蝜)b6oEXw٠&IW8 aw/Kl5PbU16g?6=MNF(n&5 VOʽʏɔ\Oק.J?u ,XFX*Ux7@-w\xH$L>Qji" cyy eouZ/kyfWVY]fĚ<ٿiKiIdK 8f vz|%w/'? TV _g~KIUs~ŔkJH3Oџ%k||Fu~iZqI/!ТDw00u:$C_ڤvYo%ܶ >XI417U`hq= %ZArxuPv$~h g)4FFmb4DC H8Jb v@}Ƭqq 0u,kmp9p%;4}"xaX- ١'_᳓<#Qȴetؾ<v. QJMM 4V^T(0"3`f5򈄞/rfR֎ (VPЪa ڮº]m3B1O3-5yj< 37L@g:mp.΁!/ oՎG'%OKU߈a:rlĬ}* Kͳvsl%?= kُ"ۣR/FkFW4D7|x *\9mo$6{GUeP 1t q{tnHmzUN\x5}qeԱ4[?:\AH\@l̨ SI'/=#ֶvbu9Ά#<< 7Τ UyQkCcʬ!勹EUR<~Q4lbj /YҏeaI1" ONүtq\Y7*Dh2g6tiu2磸2BpG$tJ8P0ut-EUHsAF` N ڕHB=B&# m `7fxTc[^ZMZpiԐr=6wƸD슄iZanF8&*8h`ukŊ*yy٬=}΍6??z+0=V&!~eUbߤarhSS2ѝ1&Da[+iɀ轳h'oE$U@\]w aLcwQ/\z?PéiuZLJs<:_˰w9?GLGK: dX%$@G9[E8X1~G1[HNmY3, !.{5g`I@i<&c ĸM^݀xIZ ##skђtDL$$:W |ڠ.{mQi~K6'pٴ/uYbf+>#BTŖEwK}5 ial(ɱeO?aO6ܚj^KTٳi@tSߓmҹUU`z;kw %D(zQaA:DTbgm ;LkUJq$ynN7v*7V[/O_畷J"VgnU³Rͺvb!؝d< w|K F_N<2hc3W3a⋑.ҥ޶$+ LCkc<[ZsdYҚmw^0a:y-w.Ծ%hꂍ£,s/˪FTt]m@ , `8sqvy!(*P Bo {O[N&ߓc^8:n4c ?*5ķy>%s/fVs f8$88} 9Gsb1+bԶ|P& Ƶլ;mU&~ǘSD]uxٟOp \: l$H](^ך=Ik<*0Kd/%f X89ۻJ@Uu_vrՔڌ(l FÃ"=:P{F[(bܕ `!w\SrV ʅDcɮ[rׂFP"mޠ#xES*&PSߖ}mGn 3cH&T\Ǔp;[0" h}[Ehʞz;1w6<3yH5@v2W \EPᭅS:.WLex#ȣ1\t9QX) M6,^ډVA8p"+̓u~E#ü*\4q]*LT6MoyiBi=H2[Sl6k虢9X[v]!/K:ݖuo 6 m^} DŽj.$S1]ӽIZC΢9ʓ8CEh2HZM/b**ωDM'Ȓ.2 jx5.+'Ӡܪ[N *MtiU9d?R k3+H3U'ӹ?}! l;YjDn-LHî|ՠuDE7AɯzU7ub=ߛha`pu¢fak\[sjYkѯVqO`xpA\^-ˮK_8lKX,?33)_}m. wYt}Gϒ+ndSZ1Z`@nnf6*o 멹@^poa6 G@9 r\(jP(;?#u4O@"2e4KNsCw*Y7qnwD}q6Yၫ}~o5KE~ac38QE8d;zzD`\#Mh+nU4?X<-{C SmGq  Xg0 9\{ܯZ?4\(e81]NW+Xue]og Vnsk+$tT?t\ ˘Q,K}q%H!\s~T)câ`Ш>R 鬥cjn1 /\;@s=Q3[@dթ@f9d )n&+HoX3p8f=NU߅AVg 7qXLYe.w2=!on3Y\D ^s$[:;|bj̊?Km(~Oo Y6ˬZl[#C-r&+\ QSR|{zεMھHL>xѼӉ9_حj򻴤z1bzg!0pЮG[u֗$Mm2,6%:8bA+;LlYn7kJӏIm]kw3,g'5/Vm `t<iz9tV;dR]7~F(@xIR~ >mr/x6s{]a#E/wJR9򅴒#3~vQ-@T3!CśkL|@c[މ$*=뾭@Q JyP#uM'љR&q՚)顥hcmLpV6Vq2ģcyf9wu>Lrov(}Gل”8aEҁ0T>j1k)XO12%%_N 1 y%y h#6WU>z 7Nn u_bAZuP9ko%t $$Xcso`n:󑰋.Dl (t K:J9jbk# eAM냓FQTXjkYAC<?1׆QcȖA4VHB*G./Ͱa'BLOs3gtF S BQhC}r^Q'n0Z6`x#g}Gwj?$ssF! O3 !=˵{>qfc`@ml $7{)c֬Aܷc1װFNEa'^}ޙ'/Œ;u(|}7 }WI11%I-b3wM<)yYԑ %2pkT+?iG[ jZHu4C}ժzn+z3 !#Isa UX)rVDg& ]4G3wOӵNt/?A6AB \zKTzz|~RhxYpC$&gV|t1J, CNCƿ1 Y@;"N ehk+PBa;רn@1gqQZ%gca]р ni޷VEw6Qwތw=2j {XOi5wCx64-k8i%œ"ޚ+9KSX32:LpQt4ù{KA+=&+ǬuSR 87[nG<wWG7L9G(.)$D&U>;& XaǗ8St7dY_fQ}KNl)bF(,:mug\bĶ{_fU0YJIO-vԮQ7Qd >b-Eck$&B!󦙡jLj?9- h{>ıJ0PT޺ng/b$/ Qe>c^@sV $Jg6OUNTZ#Ә-"t3JʰRŞk|};Ҙs1cB-&HHЃSbP!-wC5+$N>@roI%E`%J巚!Yr66ؑVۚC]qdX./ǻp[|+{E eṹcUa7AWi10H9>%BweP2] 7(ᯂG,Tz'nt g`_q!M60T}ʬ\BYp@@ J+^d笹a%C:G$24U&ݩ-̅=Aѫ`dhk9{eM4= ذP:y7nCxu8F3SC׫u>>QAUncarʜ.|u0("C)==]uSuʻ4HBuBoeH{T! 0r9aat:ڶA=$-~V{=ѐ5d0Z> t.z#/C:CԂhsb[9,3cy^ TS5=`LΕ^-i/hʼ$B4tzoщܬJҐw]!q `bDS~t Qxۉ-h ؇}v<7}N`NGOm*9LVy0@kut iC=>ӠihB@<[MU"@ p0V|ej&$ 8 b:w&ShvI^ZQAĬ.2/|A =]0Mʎ`RQgI n>Y0~D!xMi8">pW4CAD`'p\ULE}Nc4#/S2zŦ7u=Wҷ{wnCvmJcѭվ ;N6|:_0‹Ԙl9Q(-.Ajd!L2dq+ a%K2!Wah gRDNSW)8^A,=#ٰϓH)FLYO-3RDž˸M6 8yQ8x6Iʾ&J=b,%nݢ ,>A;p3n3e&G-۔M|C"gll %/{8I@4w^ V銍.̥rl/˹BӉNǮYaM`Yɽ˄eG)r =hیmdN?@tae(1I`G; ,EP+ c'z'DhTcf#W-/?w:pϻˬ"Mst5\zy4s 3E:KLZ]&m%D{~ȌEyW|!r`OmoQ÷IHDݜBv)xo!i}y`2z f2D( I8V9X_9<>^Jd+sKl'YO%Or0BvU`U~Уa hwp6sv1i*%9-t%\b&Rt40aoi!*kc-wʈ2H~X#OS,zыyg&d$ab}r3wtH\M?O+мR$1Ὺ$E$VV7+yqj+SI#Z6Yv VpjOtlLISuq<%Enzxx!t~Fk#~ի& WY $[.,&_$tY࣍rEp$ؙAR=x|F}e% y`>ynB޷sA4F{nn, ">N c:UyǑ v2i[{a,C=bCCLyCYBMҎLɥrEZ=E<: `A\C<qnss<9OL- I|(h>t0yTȷ>]-Yَ+YؾW;zѐEq_E\5eb" ]t´ (o^G%R 2{\u _d0=0ir3Qp q=جGqDr,[yzvzoAd3z8Aoh>veq%Ɖt\Uw*]c#Wv)6)'[`MPzeɼN|Z5> ?k<&{}2P"?;-޾Ӗ)9h8=ͷlS- t*ꇨ+RH |oF (F ' L.LJ˱_Wt:Q >o];!-SS:8i++ZKFy$jl0 O[gSwYfݔ4ڽks4;ĉO"+i j}p_ \gr2,Z>W'6Oaxo HVO W&JbIkѻrcXg5E7fPhʈ{puuk=%%6J<! 0À+p cZ2=;*)p>&bԌ9Ћ# _z}E{MF \WlV;G#M>( 98nLpheglZN+VG @^xa& W3n/,biբqNR1",,o;7Sj ylrgp۽'dFe㧄DWɨDpuO"ȑDbgXS~GLD \5ƒMܵ#K}sT/L#%O>N!i='TTlǧRnڠ]hkHhG)a~)$UZMeLCJybc'=ra1Uw d1&QO<%1pm-"PW3Zc+(TyGܰAyE::uOWʥ m;R+%˿mãN=Rˑ*\gr\F[ u:vϸ! `rHR/ kFipLa[V_z(r ?Y(Ģ@`C%ԬH[1K|»qK5_B_hGKoWaA{]Q5#GBltsT1XRL%wZ$ x Z1EQϓ^TuGe.tz99#q#?Y1vPyVߨk0It"j_uF^*՚E˙5ye`4VvS [./ZcgZ%$FdA*#AZRu3e j {luwC78@L)\Iu#73zܤ 1Ǽ?AZH|X$8մc& qWNnna􌷯7Ct@ݝ R,AalZ1uBS14u"#}چ/%F0f:etGJ(;i?&h,1yːZbb13h=RCkZM+}qy׈Z8rVUZRqQjL ;L{쁮we nKN~ul~1^PTס͚q64lt wÚ騰HYLFFceOzN`E {io}H.[$ |ԟ-[z'zX@/f9>;d=z NL̯D7.8=Uq-:&֤Mvm*H_j=ɋB٭M8kY;U6ro=u.CS/ax'Eyг:͇w.م~F5g;\7Fc*Dk"m͌ʏ\%D%!F[Z27QYLA,}Ks UXjȊV+@rhH]Yĕ\a'@ ]1h-Fg+AT)WÑ+'ʥ7Wl8" 3ɨzY/0 i}FWh#aۀ9ThA@B6GM@{ANN2*vrPK1Cs MOrx'`XngӊuN' Y' =>vdv3ө'n3Fr:5}'y.9_EÃ#({lZª`j5q8>^7WuEFvF`Б [t|LÄՈT42-כuiƠzjApiRuxpX:"ڦ$2[q۩l~/#7aW8m"VAM}?Ɵmwf冹&ȘD/yp<6#u-#(w ^DYK-J5ڤ}}R+0ץÇ׿rxq@XFv '0\U +U7`aj6Ud0*(՚'֤Rd;gݬWⰧN!ENX'y/*X[ߚJAG@#+KX,2Apnݛ;+HPLOr"1!:]̭|j",EO6U$%&;FZ08Fc\i~0bOFSG.9ZhhQ}[\A"IFv!y##'TSO `jxۅBTJ~E[{֌8cBt&EUΘ\Ikm%ϸZpDߗԀd0Z[f-2ѯɣ La۠%]nXY$t NU)rڇ=ipD. -)M=5::YI9ڈz$MqCW{"8 hBbZ>;!EX’ޙR-6z_bs::~ۏhM,ԏh;}{tEK> xKT =Ps;8xZ ‘,'65[#7uA ;r;Hf,n4:xHf*[{EYQ>KBāk -ԙsv6:'7txxI4l TuU9a'@S] QvqR# s *u[. 1gNAShk%Sn89Z3x}}/V`vʳzMO2nPa,/ "œy)Id2V.nc27tJAwCrP2d4S]ݴbn)y^4tҩp!<лt1wL:R<{ړq䠀?z&!7yr" H Ur&llDm떘u]-p>^ Rv"5YSut7*=zR:kd~/ݸ @bgF`G}170mB]. 5ӵ _iL WΈȔ ͂N .UG0*Ѯrm.ST"'n})xjDF֯kEjDv7[.i<%%Y] X6 L}hb_*V''zUPL4^aFs v0f~4ܱ 0R)L%5a=$[4?=UH+n,#V#;:2Njx[+}W2hr[B ;4K# Q y"|va׸עL6NDeWnq$1rp>l>w⑐k[{xA! uOSJDOLj5`hF["vR; CXMWJc*ltٹ*'&Iu˃XpQIH++`tny6r!sIBjT17Y6'S3y4:DAvEw,]kV[h?Li&win>2̬e Ka q/WζK߳jWww8h&J6KΔ@^y(ct9\ <<7Nj;cg aK(~U G塺.#Q&">BRHX),:l٠s"u&f]{R?hd# 1/%Pq!c"iF\KA7 >!Ъ hNv>Qq7bj4|E 1fa`?4 `YjNW@ ;Î*+EmN&e={tjnx@6zpU|Z>?RMZ\2])BDHؕJ:>#c)6ق ^%li(6*7d@DnAX;yDPH@Y ci!Zے ^"kLϼ^ܡBJD<KL;h)bb\%ÀA,cT5_p⚤&$#+OMq¬I$`Tsu3#%!::,N5s0N$ro& 0(QMJ)zPDq:'Ukd&hShQX%u [WBf!f\\:ɷ(nT)թOe|.W?̈YdA FS7h䲬u`2s}j!3xZx(L%SfDGIf~nG%dά4z7l=DR؁BCZ[!!ej L_r+1*.jU Ŕ-OFG)NRPGg:T&VHvI2?~O)(lt=z0NN\j`=cż hPgCT3OOrXJYLV['#{{7hj؍^/gr,$bxwؕ1`)'+G.nW 2]c=.W;okzcX (aU%Td+bEW,vѮjuj&2QG7k-bhl#(&\v 15+@}]HStPYycK;ҰX{ 3lGm*lj!1n֋}s/H0#^RX;Y<įY,]v Z}~Jxo~5T/9SZatZt늇T)D!\N[ieƐJ \VPVCheJ߂ i٣m 4#xbh]zcn']U"2pG)v1yS~ mC/,Ft;k^U.:n²Ļkg _ukd胵852C%Ek@RBxxzzwZ~T .#eb%U3x}4*xB"cm.le#E8#?MçV/`S`?7pU_[Z'd{#Y9ȷGzsFS*g?f}^wb%:э H;?pb借C_ fANOmR8QkMtLf~.EZC߭79PmI˵qqqEiᏳi. 6lK\v̊Q ;+j-!:;<+°IOal?}9bIY_ܐCK)OiW4566IV^EcvY)pd/*Jbc~T.y^Fxj sP, hh0X]~\-1?<~Yض0y(f*ԓ?zd`%$YH5+̖(a/`Ho 9;I|x%>\ZZێLH=&}kuQx[Lif kd%NFDHh}MEu$ 10뜑ת*S7x@h 0%\(DžܐU>Se̐w$PϽ, / ٠Sf "iJy"%.ް7~GNDj.۴z kUݻB56K5+J,RN/LX6 g{{H󇢎^`c.+K_&'A"Go!^La EdEOsx!3Uj&2o/4Df[Q(8nq|e8ƊkF0q-WiAٷڱ+`u2^#H+p4fP^5O,o\4u&mߒ`H-ٳhֵrջ$֣tQ{m:}VgWW}| ]4s[b7gnProh8O{<3#7⻸_/B)aI{#>\N{ZD߸01RP=nyy1ZRF}"0CV$M~9>Ģ@QU$.M@øD*,˹EDGtvsza-8e ` 2=Q(!̉a v~@r8ah.6 c;掂^M{.Ynj?WdVRd:0ek?v`FSeuv}C Ery*ZG;UG]~.Z\Gx^#뉩3ҏeE 3i o3$ CLRe^ʈcfs4D|~[:Sxp BFhǎAs(u@kk/;X(DG[\Qxe+uZ*a}l{=xm 13 B=2搅hQP\#J"SR4IZk.& `co rFN<l-R TpID7@( Y3g8lA| [vozBfh5p_F;2[/(?5 V@cVJLԚO4%Du-g yzGm"ůoYLU@> ںkbWʐ؁D䂻Yƍ_V>L"ìpPD!hwOsIs,%rS[m0q땶(\ ׽ $gdO_=7U+)~‡2x!c$oeܵc%@gUT1$54TMߧ%z\wלl9`ǯ}45xVx#i{o@-H$ >yOz6\YB}fCǘ 2d)j;'҆E.ߨ3~4=* Sxno\}ަq}C[gMw㎚bnj%iѭ8$un& 9>n ~t Z 8ոT 9̔m r2QKcے9U:SVѯ>0ڐ&,b@Ct^DIR\{5 U(HaP^kQ: p/I#%.hՎuU?э<%FZ޾OH٣i0Gk+$OJ=s[$.\|~vBAe%KvMd<NCϳjCħI'ݸA˻9Z*4' }A汉E yq4SS)+h&"R$ )_ 3i7^%$2ţ#}RvdY3Ta~:cΎhONe>vg_N%T+0fWzz:<OSWo4d"40hA~J<Cak󃊵pB&ުSKɞRtg |;8p laNGƐSs,Uw*CS@U#sne5kP4eZC29H!8Ih+" m\>@(CX*yam9,,fK[dU?-iMٝ19>0g[ĸ넰.n!ސT$Ѓ/7 {UʋHwLZ8}3O#o `8E#}Żdӫyޙ_ln54hJaqDtjʘgjWP;K(m"^bG>o_ų/ͤlTtiJ:H{}%&*1Y>Jd B@_򲇓l:S*5Wل>,50n# /KAZ6=սzlnvvW'LΊ'ҙ{^ɢsT`}Δ'Q*%YifjA&:qN=i^~#Ȇ?-]mF5g_{+`hX;&\?ւ7ڹ.Nܙ@3ׯ`݃@0<;78l%){O,Q# q^#N5MLFm_{v L&0oo՝\\ nWE]LaNaUk +joE$*N3^IE`-S5zɦiFWƯ*pl5e:kT@(jJր94)" C!wp>w0єM(y,onnoaOl*eY86rl*(1"z{\ R}H_^@2h{V]1Qlxy ^ Q( uWq՛Ц $ҎqZ!{& ̹ s7@-L`B%kbrkYy6Fʓ9xkΟVbzwAV}9f| n_\K.'hdf@,c\<R"  kt6Ym;gmPARP7v!1fAUa[G٣ h?t·&^ȯ|PS_`q`REX©^!#ŘPXswyad*i\E ^p''t8(Z EL$l7+n-X +BA}^aaJƅ4.?qN|o Y(i_kK %Pmǀf!"dr{.5uf,mkz C(a=zxg)\삯>-dP:*as ?D4\ٍF}#*A^3c`up{6(Mu1#P9* wޮ/%݃kta0qFD{>LR}.a')U XXM60JUK!Y]X(X])^zCN51} {O S[kݬu_Dc1۶e趥UAtJa#Fqyk]Ȱ 9D?wFۆKח, dB5+%=/zgPv\>XTmjXC @4R"74 yRarːH :! a!\P0ked?/Բ٬Õf ̾;6C)iAܔ%Z ۣUJ3^FD'=j`Bem\[e iV 0QJB1gNqA& PcڔE{,kx!Pa%ƌ`D +bNU߶-)uqfM%.# j𒎜%yO*s[^xR|a!pQR$Gk%'xJbݯPF6_;>dy$A$7syrfj %QBʄtmg=qyО7O0D.GهԌ~ |ojfX_ol="R ST^ ۱A :2ܡJN!(9b6BVBžЬaZOhBu?,UYX؁P:IʔdKV!~{bzmi4ˠ͸Phz6.pKu Mթ"D:=fbrW1"+Ci~Ij*R!通Α5{`u9 m.KsҴl& UQmn}e,iveUɑ7Pp֥c/?8b=Ղo|SApv,˧:t%6+ ˖~ÖR{҃2-eB[[]|x˴_>lBVyӺ@̕D|LI29Yp{lYK5*IkIZU(\H sE Kz\O>SK :W\RQ cwE__hnWxk^zv0H+Y|(z.2n3)yʜ@jh5B>&!4sI}p`1A[ߊ:DvkwZPaJv5d|Ȋ?u&.Q-5Hs§nhat06@0T%&o82BGi')J2S3& X`L>u?}Of|eI{\4VN+U{u|BPmlE kWr\Zek𐬄~sYM}aCaUHV׶QpnL`b=i@?ҡRxXN&=\mM/28J=k$aZ$'?xHW1WqFC0 ڏ>M42-ﳿPvֹX0UWɁ^)E<6L4u8$Q^9͙ Zyc hck(r pt/bJ>QU}eoHL(VAU>T$TsR1\dmmՄEnrP+-®=lqH?yi3}*Dl] 4* Bh34[ڔZSg<70T9o]2؅fQ-G iɟ+2'lh@a!%|R[!d4'w0kDIsMaL,t._JfM޲.LVysCIV0{Pмйkog*a|~xi?s%\(S6xqBժn W a'|jvO9wL:m B܃?cebms5vru^2RZfMXJy Y!kY4!km6cU{5yRK(,rFo &0zPy (k q2clBUm8je;LJjAMvmk Ye2Ӝfk||{G#98±ksi@ ۟d#尭!UÆh1GoX:c6W&3ߚT>ҷ:"b$ S1`xLB$#oaM-^87vѴ&ɕ7RmEDVc%HqH0x>kNlЗL.wHv,ou}*t ͟]4{/Q/#P'!ؓ^cp/G旋~)ne2AU>Q"K?2|9p؝nJ &7(]\olHoG.p-H%D'ESjSLu-Odm'J$^BwkNf^L'M񜕙CK@?IC*-4dl}hidڹ' 'pɆlޑI'iVcP稈1!N]7+^mi|a!.锺h`x'9*FKCztb̂p& a6ы"#f{D_r;G'F$F3*|@^&gi^z?4@ ?T~vt+|ЩjIE< ҏ9a[OJ1n y&'"uHnjaXz_*ӈ>E'dI%/? 4^Hu8U(:?dYb#ƨMBnfTUI$ vZð4ؤ\d^XqWlU`ǧ"PtQ]85ø)އ5A 3{3ґ:xX;*KLAe#?lO-DM[F!5b^NiAYVV ʖK-o/֎32`@#šR:F1OfULVjW<(6e^^Q %F p5s(!Oטb3+K|Gg? N?rvLviJ9]]ˉj˓_,r㭀QE; D]y6ʓ\ЩJZBѸdl.FZ{Mb(m <_5[w(St--dnj$#޷7sF0gIz@c 0=c縮 9R6ͮ[V?l'ص&Y!Ot V#7><w{+~ҿnr1@. mvzHUr&[C 0Uʦy֒xU@SɿB hoOU^8>˳=fcjlfp*.h^Cw*D8 ¹pK67&1_%ͪ3,5 U ba:Nݫq$c~Qe67d&՗J6Z,2I `Zs4to2AD&DE"Vv%cKgWK 9+`n?[#jI {Wӂf9r9X!a7]``? -V5A _xÌܧ{`wI@Xo9  "bų=KMnb˞S*3(9ZgH8q[Iو 97) ~'_u5'_$_֦Vu05OZgY7ڙ 1ޞRAg@/g<~O%^`Fd g͒Ѱ+g%%^h2f^Tѥ$SN>3yl;0fkS8ɧ-*h>5N4nm>5f]5bİdO'(D[87XBņ}Hi}G3o>;0h2@[Тz{ц߃={>xu hcZ{5;bMV l+PWt$kDZ N&xl|J*5`lFEd)Qmɴ%לf0z$m0U.D}ǺbT`J2cK|g+fخF1-?Fۍ0->< H?Rش _8ͽj _P!^W.ă3U`/t`zh%׫bs)x9D4bi.5u/dLFA?ZVOiX4c߽J5*+H}/ MUUVpDdE.> &3Ddudi:]N@p6ސ )'9jG@H{+}w`X>leX$U O1+ĺBT%}E?9cжgHIvCQz&6~JTs_l)tDku,e0[2ce^pl,8Vwc+VLݙ?퇨r_lvr⑇p HA t"$wEEN}#[ 0bs)E KMY̍ ?ڍߐDKmŹ@#L F]t|se3ƽB'[WV~H B^_W@ s"`FiyqhLxAJYXwy)O[/y1L3[}l⃎I9WHle9^gԬ;=Y, L/SH^FQc=cVg1-=KLdbڒZElIG-L1[KTy#|nF̈́5;iXA>l`J2sgf3}ePH8bOjt#3Y$731z7^BΥfuɽ?}`mw~>3c=mcBrӴ^y؄F{֥@H3<cfX5,mWj;;t(B;;A\~g1<5PxTwobz:BE\C}I<8|7QCyQ=tR5" OOWMBl\bQpՕsđH)7hT`WGo7 u%88N0lnΗ0xy^&-`vNI,|>lq>n[cQ8Pg.Rc~EjxvbKZӘzڶHx$܁GdfH7CZ`Gn\u1{_lZLS'Y~VTͦ7~)+)lUy+iSrr {%Da\aGRt@\t 7p|S;΀wIՂnIN P͞C"i6zO,߱JPz e@N¬/@+.e4ePP0ľ!mfߣZ&ڑ|D~İΞŅ F&I G@%+]bj]̬9"%}o֗h! xfX t|]9F]P͛6LikvdY)+a+\wǬ ^kCI\u@ݔ2b(A@gŒQ;+ fIKo#kpP9tsLrz!I ņ"o\+Ι}z%5lnI`~=lA4u93n{0N, F۝.\&:(/ ~;Dݮh*j-?G?^Q%0)K,PXKAfdoѽvȔ;TɻWjZNS85$vk}2y7 3\˹ ]D?|Q Fk1yj?.Uܦ 9v|_쟡g~~5.U\%"4ڠFYx9@S׆z벬ICL;`obSk̦+q$12*- CxfHZw"e@*EZXUʩ3=qYٵUp[bvzy7?,9ݛj쉪4%Vyӹ)3op(~HGܪMW˗ $ q-_s/P%[A"#i:aH6a?z) L#$Nh؄cM=oڅ3jk>-2 qzg2kWZ]z _TBqԅ,[/ftn;Q LTʀǸ(+r`bjs`),1bZjY+"v3RM@ݤԤ 7\ iXHnȼghgD3bYrN1yOu SȵLBȶTH,7nPjdMAc^(2w9W4'h;#M[lL=g!0,F;J`٪,A'+%๚>[ʈAuvFBsf֣KV*R;Eg٢kZ? e앎JtqkT{9GRDlK]Nv:{.x%} Q<].Þ:D.X9{/NR=Dū& Ӛ[Uezgyga <(C{ЖwJᰒy ֔&@+kJFW@Yeas|ĠNv ,x͋_enlp}ݝD,iϠElβQk+s*jT^`m\Ife /}iȌLQ ioTP(F5 ŤvdCHm^fz]J!Ϡd?&8I?q7bAV >*mW\.(}00g~'OByhK.ʵrY奞YѲH,.֮5jz^ KB-I4$Sa³Š[zk#%F_bY1އzLDcz,Bpr!+nֲ2pHXZ$zf*¡'#`="گS-Yպ v w+\q!FWGJ}cW+ <lP~i|WP*sF({GPp&?ęhPEHR !sF cЦQGJT.iwֳ3hZ17xS& ܠE}>ӊe5'HVۼpS4,Kk쩚0zH0seL3msݷpB]Yv-`}^U7e~ rQ[4(}=Q `O.=?"QIꢌYd%.?f<5tTggp`BL}'Pe4 Đ=h8º)/$_FYcEW)a"{5-7&6t[T3J!xJq47'[-GNE*uj>r7(8.HǜۢItm>#2kTHw=9ğ֯ YvLL s1&PWBKʝT|H=D鞽FSx_@$A[>7C 7 *ЁG֜gt/0O''je|E^+Gүf, *J @NWpwz8v}thu:rF"5"zI\ymZTUP>4蓽 vjFQd#;ߢ^J.){Q|cY7ئZpJAZr^y^: IXO9P"izoNSQ)&"װPvblxA$3/38n5 N{̹YUYibG?K!G7Fj9O2Cдh9h="D>sLr3Zy@PZN^eXijj_S㠔~U@"6| ,ƗhJ4&Rt RSK8$;g[φUɮBbj&CoNf`D|0Xur Qx1DlH:_N&3#ذwwη4V潐jvcĆ! o},O4z4w-$ V?v"'fJ bt9%Oj]M:dծ YN2PYk --f-=oRvvtZT%QSOBr.x*M?x鬅&7r^NiHƩw&44XJ@ 'E+Q^SUfq7]Ԑe/|r#\;n{WCQ,6rЕ|7Y" PSzv ݫs+ ^?_ȧ5E4SRl07^`Sf3K-+Hni00 ͒ 0KTFGVߒfdDs7Y8?I?[bFRtˢ1?d-M5b%_נFiR[x4h!ʫ.lpME댰Qo`Ĵwt5og4kmN_]h39̙F)s_q++$LޟfKY**-x&hJCsC%PYU&]Cd̕>3W(PPы)Fȏ[a:K%1CËec+@\}gf muڡ]H\p ȭ>pw`X gٝ+_Q>.ȾsHAsÌ62]g : v/jd44%JnXOvk?\o2}~NLy@`+|#@Aok!}"}vu :+cOZ$:]p4@Tw!JHHٞ셼^z4YJ<:^#yOsv*!O9ti@"T\2蝽 r u%MLǂ0X?qR6yR7}5x2~CBp قhJ+cpJ T7Ǵq_X65!K TI&ODz|q  0 ?-tѻׂqf#EvhWg=Na(0א-/ !F;)Zh]w1TՈa;1&`h~G& $S*l("w8Q$MY@&Z7bZTk+ 4$d0=/4)C`HBs0*O tz޽1Fa3VڊI30g7aF6Hb{:ˮ) ι*~ 2KZ֗<]C P9!L Uzc7~Cث=?{&y;kڱF{)[Kf 9yo ?M q[adcQ$&mQH3b-ApjAG; fZ%~@FHtrȟfrb |aWy,h&Thgw;/v@6RKOa0}WD*k -\̺6)Hk:c䉞!#'7Z bOŘb/BHA +X>ŧjX,8~?C$ %_;נ<77Z[ sSV8m '""_r oÔx9p+ŞJ;#n܅A<̲ڋƘ@CtTA㤄 K4$aBnъW!MXeuT >A ,T \B38u Z2Ӑ# P֕Q1/; ~k0ճ*ύwфK zۛI?/#@3;% ә(ґgQkT\WzH!TPzg(ڶ0VDɊΒey5^eW%ב~DzO#c=<9>=gTFɝ1Hn/5+=m~ o/qrJcMf|i:oy 0[L',k/*"_wNLJtsYԴ=2Yluz >נHŏ4G1}8R JL=Z!GI ^bdgG̔4RBz16MȈ(kV0$ :#|YھՈ;vhHcyt,;vx.uw"FⒽLR$ۛkrQAw '_l{4grv0B|ρBG&<Q8"/G|opP/_ϘA17SbDQ"sAM|wVƍOk[wHFaM[/4m\n3(c7j>PIM!?ic#,-߉^ʞ@!ROxWߓfL%x@˖D0HBsˌr}X PFM $*kiV׈BiK\unkn3/htsNۊ*D{B-sYo!= رQ}*1rE{9dYz6- yװC9HpIR.化ۢB3yƣ^4 6c.a 3^k|𽆩_(W*1A$pQ\YT:צڲfjX9mM=_JN 9䆺iq t KװrT uqσy#=XxM'Xү ñkb9Mm-fk> ykzzI_)J޷ũ=9JA8g#s8M%6l-if-&jy.eG4 #r`B_)~&Ku;xHy 'W]$=󥩍Q}sا@W#X(q&%+Hc;x uk7T Xe4ו}zyLpZ{۩Q5{LFLSR.5CSqJV[HB4SU-dF;Z+?27MenI~լÜg KaO gŢFqjbG_=O[p&ev_.3Sq-I=I}ݺXm;T06l\ if|r.90v,=y|w,'.m &Sa4*Ey`Z);>k Fp(gUԝ7‰eSЎC'5+ X,ECcBY~p0 bkDPPdXc5ʓw-K@|85:E+/]U{bLd-7a`ěb)t%t:ӎ|!$v@a9#Gp|Ms78oMbf6NGgun7UZlQ!Ցb~T 8P2#!=OGiWi̙mr{.dww!d-C"rrE>=g/w]54t=&j3ծ3)|{(s%5kJ`_(Hl[>^Vú 74C8y)2nzI&Bť$!BӪV3,Ҭ:glI ZC% R?4ou.e.9(jbWE*H^fㄶ2esAix BYPU9&jc%nTNƸŏAg~0>1\Z?l-=^,FsLıį) (I!2X273S 5X,r49`d bt,*OG.2IU_0x *!kĂ;c$[)'CyԚ& YPiv/LUυ=[t3IS/s ?rWYGT|IOb>dfRsKN1"@w9220R- =-Ď%39BŇ|^ZJ8Οk'ks#bR]yAoNq8ĩL"3=_"xT+(~yP͸6 *ƣKf,,環$~Ad-C[/^PnDoPM7ufHΠU2:-KP֤*;@fr5ndV|MR%y=_Ix[m0xv1\ sՍq"%Õ 6ˇ . wYg!MW$m7+ RNbjOȣ ]fЉ.8(y잯'.V +9RV?=RjC;v-dEB1@=L^ sNlgFM,N)aR3 6-,7ڕqe@4kDH0cg_}聕mkdUF" Bm~S<<4mD_#9mʳm4!f"[TVlmp/KeU.7<T`h&҆/N%r3i'PBRqL 4h*+$Co167' "BDER;p1{6]6몞a+qyRO Ȝʏ5F#kT]$0w$ϙt)+GaM.>5Y ҏx +#J#ꐠ#Kh* <O@4ݟtÚ ׈Х >`yO$紏$m4@\hf.%"-@d, 9m4b&tRfAi[}OX*,2Uy;KŐ-b"DbGLH%^%T Myy\ԡĊEe%dI[^M ߺKsC6*n%yʖR,)g:5gmKI..kEa)BD#cuxZ+L6l/ ik_LE W{2*rO}3.&8 Xw4k-Q㻂O 1\}]Mf};o%4c?0R Űj@iBeئd8({ˏ<}a@Fչ`ݸ\pjH ݦ<P2!hٶ%ʆAQin"a@鿕?I`D𦗜dɑ]0s !e\ ͺؓ>T}\*WEؚspmGRsd6m"[ 7Ki;:y\cmgpMnْk &U{HdK4Ostâ0csos><18< VYn8')RUB6[ رwzLϭgnCWB!H%o 8)us5\&V8NGWa5_wOK,|i9zc\nJYDQ[@S"ar'&%jv8!E<ɲYkKAKL4SZ@CCuGw>s.cbtA6ZHQ8$b[{w[ykR!->_HH&kNΕ=]=q [/b0dǣ! L7p .3ۭFa(eޚVp04f j .t fGoC{ [QWC:2gd'#S#8)Lb>LXᩌUiLFy(!RO hkt̚&Q6lt{BЬ}7wL |]˰da#ף*e04K!3^zUK+7cL!{,/ VJ:ԡ|3^pJxN"7ÃNXSM1,xT~ɵyQW/jCyLȧƎ ~~dvM.G)dQe(膋hu|,RD/E"|4 /?Rr]"0~&)d 0%!.R^Rcg -Ȝ{HX?J[-9i ,Ǩ˿Z(F&d%DWHAygBC3qO7җF3qF1De[l'|X8EFȩS@WŠoh R Τ{E@5Q@dH߉U71_$N̽-H7R,1-" P}`L{ALͰ_v@OFԼ+,\.B90;c}5윱=~5Lވjy*!h?C,$T1MH1i\,9W@ ^^/e^x§)0U ~b+#˝+xCaGTuG?*/,7:z=K9%Vgӟ1- iuSv&g/%yN%?Rmo(PfNdzT̲3rMT@mO83D/?虁KNC#W`VWZÉ}y~Y!5X>>.ss ?T'turH'̓vυ5L"]SrvXzGϢ,Gr jb#v]q!&sI\ I&r쁅:ou[T <˼ :q ODhgdQI2!!{?P?VtO&I/AQ yUbA,UEuP0noUc7+VBsH' 7"1ґuo@ŅYI ^"[iGxp* 2W̕3+Wo4)2H3A\oVRl ~## ?yJu}!`&p-K(Yc9üo^c54,뾇KEܞKO[EiG;!+oP\]J>!QL;[zz$%\N)Z߅=%l{`}!)sJ ա 4]fC:ldzvNf<> -'klUbs[.mzf_2^N=/v'0.F㑷NoOE k7~ 콩N(%9e"}ܩ=iO_gQ,h9C8X"?ԫV d&5H( Z`I33p\ TϚ߁w7ќޚH:kY93,0 V&^ckdF%0)Y$ uQl;BDӉq)~Xj)T$1@G6FsGK/(myyPG^mNw-4?kR|e=B`ft[0.+8ʴ+I*=Ȥ2/م5 tlEEqI8J#gM81n>XRɘdw|ƪo*rØ|2.Ds5( 6""V̀(N-BqdW=eJ$rqv=P#딊9KFZW-SɌ'M1`_ۚyX3PB*ZfE{;1T Ӡ82sEcaW6z| bE?nlW6*j=z{Dbip񉱉qpoKLn7Em F]r pĖC S35"E=20ٙ'r/-rzH&H3WvֺacS:iSʿPnPM]%3>CO]Ř5ߤLy, pA_tפuku(C6V'TygZeGWhlbp׭r|8fV"$G3Swok@ Bx["WqޮvTdDL*s[-jE+`BybLRAOiZB(9B{~ $ʅm:/E/yKjOr{jtvtʧDb{bC*bMzK9 6P35irB ]܇4Im" Et+v㼞IkHT+B=z=}JQŤ/%} tM-t&x !yXm1wu= oQؤmGXWn:?-s@z%MJ#Ė~XsIa|,$m]]]EuD!,w|~~CZPqԸCqi hoɥdS. oǙsTi\zt4*Ji<քw}ICؤs )7к3W د>F"w)Eyc9E8PacwIXPRPF.9>ϗt9V/5uB0B\v!:wϘÔp'%l<Ά9%SN,`*ߣS"ɦ/ GEԉ)b%E|8@I>}Io*JjU w Q<20+٫J!("/"tݎ|HU'U(;'8#l+;:sX!)a1sk*}֯wP<&B7BNtdtRg"D)8\>+A Do=IOlt܆{XkApSƏmgXrc5e7o?aݺ.Jh?H\#5Ms;60DRMVwwܘ>9MqY$~ޟ9^K|-``ăB+.5 ͽ[zBv(C؟I aQfΔi֋޲Ȩ­ #}]T1*[ڎ4_+GU0{'6;`Cw Ct&msSӧ[s8c| E.OoGG Tqu#Nt*:his]bސ\W]B; zUܼip>TS'u8bd+hE읝_.E?Ir)Ob0@u$ ?wo-(jAv꤁3tq 805(P^ŒBVk:+)YÌeuW^89ׅzFt8%X*T:H9AD:c!ߘ(HY&T /JyTGuKࣄoox"mر5YP"g<Dm"&H Կq~y1+PfD%+Trvc? U\&LҴ\b/{&w6Afa9uȗ#ѳҐv㔪PᅆW5]Häg xV9 vjÉ8*ފ*u@gH57`ch>x)<ⴋ=n?*$Fd~q]" !tLU+ A0@W޾sm{wpRsr}NaD{X(I!(-=2Q0͏LԷO;jA7K_Q_ -pNl[snķJt$JONHr 3QQۨp0'[S.UaV'W,!Tϗ"1-Ahꊝv5po|CV[Fqū<-w1\n,PUX @"{//+_{J?!ښ]UmV5*N.9Vkv'#ԦlF@NC?S7kV cYSġUl?x.ζ6WP̄tGmO$ s6v6TJoD#8xEoSk'W'# -~ў.l8C+I6VݑV,kTh%] ua'C q%uaJFb wA$ꧏ6J<-\{2nL]$v;2PAZ[(Ǎ\jtm,vOnU|G% :_~Cʆ{~8K QDܵw3dP ox KxS f2R"fYFeZ_P 0!-J*N`Eb'#MY y7~'۱Qˮdʀ<ɱu.$c~{ Psda5-b<{Lءg )0R9Fs4R QL.@pL'ZT 4KJa61|Mڪ6S&J"#4IBGh'  >yK1Yn G`+p}\T{bM 8%\<ߏڭHeaiM}ԴadGۆf3خIJŢS┬oӵHw7i8HYoSJvY] n7*[-/AJ Յ~{ 'L2? bn8B=a\픑d4Pil2ؔʋQ+EuVcZJB;'.DT7@sEM`ΐ>i [#!jI.;^:j*}CXzSɋ^*wk|D{[;4%GS8;+e;B[5q*x5ZؒiG%BtP;@í@\j-%J Wāc"dQc$kHD)('|j+եN!2>GB{zoҼĜ|TJh8QtӉYaɅuiɆs_po~}_|C= -eA)/uD7uݬ19ԟzF+6å=4#ѭ+f=Y2-(64mb>"1\V2KՔ}Je.pD./XbQwsMSobҦ, [:N+r\J]7\UA&2- ѩ wm%wsAJq/bo#?ZA#5i>3.#ig9nFF6*qQ$`q3ysW+ƫ9՘yR)khr&g AQ9R˰n"hRrh>,1%LL9_oU輨 r4`Uw liūq#~L 7EMu& 9lnfϱLUP̭}-˗xuQ9ol t|V0숅ݺM& 58l|v,,$zXEBG&d%qgn0^t. Wd["i4Q7wϼ$@ےoȎqoۦ{:wr.$)<3&e[k5@97<,ß8n3Ɠ /+b |>Qj{yNHGs ]kU{*DɊ7`PCo7haglľ~ ׂ% l`AKnIk)} VNHO >.'Cf4퐦upܳu֔%#] <'@G~9oŗh0HL vC eZnHՇW#w5!*4<-zd!7jbJ1k=a䳻wQm<C宵 Tp o8ke-}4XVup9:}&i+-J+Imχ=:5kgCK;܋N9᭭,pM$624U%Qgn)[2SBA4~Z!Ut+?nㄌIlgTH[9l,GqȕňqA@[ l@d<Ʒ'.Ar9xha;$g UwS(= 5>+a,%0_'`. %<kmGGܳ_X ~v[]st3Z)x By<wJQ-B^kP*E)8m&]t0Sl[(Δl?j#&B㢻+cu[Et+Q20bz8J@"$ؼo"8'uF" |@2xn]@:@rCG$q{ejO)ؑT#Ң壛H+<&?FEMyC%m?2>q%A `xqp8|X1,w$A+%6~Snc`ƻL2gJ{b}%#]1i_A/;*J c`#FJ寣Q>G^@et|,/kD`Z4[; ĎU&]2 N,ˆ?\f[O7BU^k=L#DkФ(pY%fu gV<2Wi@|M>JTK))1se)`U|yۛq2UJi-lǺcKI!ioGc~"k z޿]0_Vuu `x^/o&'ka82Wy/k vK t~:xgggɦa elvQ톻 UKf3.9t\9]: :bA}]CՓؚq/ M kgKjbIVC/}] GHpWS$\1KeS6?R@P~ _J0tt?q~v[k*eWIbFzsu P0}Q}64V;G=ՃnkzܖW]9A@NǤ,4dNDX+R}3T?4PDž/pDZ-89-%#b/PPpE"7IFH(y;:w6J{T͋  >!ҕ8w)w:$ /i &"y &ֱlVŰ3]6!-MMu1cxKkޅ:M긂EQ |^%う_g/J]J`: /n ֳ-_ſp&$pju2S%UP鵹8Dk/4Y4 "R۹CWH*`s?wm}}CfѶ؟:Kq-3p9jd_oYB-_59`Lc%̦OA#XzG^;Wҡ0WIwS[3tR˃[Q>]9I;(v(LJ9mn.HTv0f<IEm:ѠcVd34b:J& fB O/Ft:)pSZ AFvoe'ɶFNa[O8@^yTnO${v$ny0;sqd͍ᛀJqSWP |P:.͜_.h[x*v_P`D2Eu9hiG0@!V6*@ObqW?/\hU xki8uEҟS =(܊@KqJy]']gMy-Yvq591ڑ|PEY@fVU7~}Zޤ2aϚXӓRWxHy$OM۳)rĎPxc[s쉳dg24_ ]x`HyI CBlĊ# Zt0P_ GkиEg-i]+&gRĕw<_6<2;Dᥲ Q,X]+>=(cN6nA1i .\Uv=^}ˡΝooz őMUw.9_7iZ8חhSH Պ!TEdi#r~ʃ?2k0>&xl٬!VG`1&5cÅDY;ofZ`!xN0e?ܓ50dGA+K MtǠ Ǽj{5i~uh8m5Np ăKC b"쨌 TN`bbqY?޿H-V[t |A^ISܷ7ڔL+]&ĐFi>mW,RpUuʑA*m`#hbBlW# 2攘.vZ:5l.MUWRVL`v gV8xA6kGDcG*)p̃,&dqN6D/sXb\BI?nAM3UfCbKL%3BʖJ,ٲ}|uZq+_5Θ̶rbґ6gv$B%0Bm(4>*Y%j; OPjZB3Dd\4YBw)|Ikm@z2JM%܍'iKAH|xbW_Z#M2Q?_P@DCٻC!O0f?phmPGڰ\4, 4eyb='w/K(yRϩ!}1Zdۄ;;iR#~%" CڣAgRp6JйI g L7wwϜ*r;A9qB͇m cR89J[^莭cVaK*9(xD$n %];эpS\ǃ !Q ޳Z/aKD{b.M=¤C}8AJq]ؾB26V`զa7m$uB<3Cl鍮Lo{ |l•CaYoј4$DZk"ĥ|{lƞ芁3@qB $%{LRe;?J 8Q1AlN$'A*mZGdDg˰q;IS(uZ4:X2a$[Br\̈dbl%{LZ8SjW]-N~\!) U)]u,ܳ3P#ƶ @>ߘc9e)6]^DqTrQn)EOn<pnfa 0|z#)G M~N.yر*Ϡ*B5Rbe=/גne_yI\p`m)ޑ3i儩$<Oq ( sl=/*36bEi8;eՈQhZ0 P`Xb=7JAu/%'|ЧCE侤e>*@:؟x#9EHaHõpjV/\`*&ȍ؋cM B1pjF|&Փ@bPUW=@*;.XLn;d|?yRwwgvxBZIꣳ+.o2`+@nLYd[9۝¶ ٜUGb'2" -TSBI& &KK j~`˳bvL\ G CD-(rqZWk~/4ZXuu.z !^_Tj5e_7[Tdr:> iw).>^LJ~oDz8)A07@X;0C&C0U 欏hEϽ8Ƹ5T)$+ƚ!Z^ăd3(tTI@̦&]Wr2Y he M? (U GeOa 9N_8uM[̝݋wD'j XTwO9A,gK WA"S? Kk2mXvm;!ȕ79 K2 L"b&O*ӆD ۰-l<VQ:쫊8pH9OIuȢ;sh&i8NRx.i6/f=/5s)Zv aQu 7 'h7ıtNA&;lg epےZο#bQ6[̉f[+ 3k~ E}?)C*E4w]Y k|5A{?nl˫W"$zZ MߓL7,Ofs.l C֜2{~iQC[yB%g桖.Y-f]KCϒqwjF_.̷RZ T{!֙d;hnZrDX^u.&APի6/vw)&-H,Klsv5uXXaqҩHXaNl]Nf?>b@!߶⸢UmMHa| ]tf/ U&/+ AӐo IZ$#O1~ pHRs/'fVsxLE;Bc06q9@:J IuZ~A@woƨ؂;&V03 V+5wRusDgr y 5#qp9bOhrzտYQv_/z+s̬dŖ%vQW/mw5Sc kӘvV]RGxx<YpUK~n̕U j9(H8]@cKsk u5;7ayrn}wr_ۖ*q^(4-Jzg(Ʀf&N>ź#N*x"bs@V3pJ?c{u#؀(3b$/ !. 7(8mL0jZ! PW*H⍎BSP t<"h?p&Nn]+sr$by?h%;xryr .2zBPQv4V6CM#TzPv(j"e#J!!"w1K r<\kn>R~4H}uk⯺m;R7u{)Sa/ׇ>)բA#r\.) +A \9_uu9"H (v2g65̋YuKE&/OY07ahu'qtAaޟ^Å1waD_+h=YskT1 h ^CNJ~E D eǜ%Hv4bwS^gZ8dS<|ayVIϸ^ӋL#4h%}wpͅC<я2wJve'k" .`=n)bԤ#WJz- P5>t{O\pRuXB) /q,!=)-"vQa} W)BbtT?Nd.5TIp$wёt~9(ңd:z=-KȖ2W+E?Mg*(Sv*WеAqc[^ O*/W;.1jY{z~]K7!cvQȷA:HC|ۂ,O=WK89C6-97@'?oۘ`w1ay ">|%Tg-m'P^^[ڋp86#뗊>X 5K *7}\w/$ŷԧՙf:J6]ñ{n%{V2P|{"ߙ){bFv^-8%H`W\c>9u'}VFi'((eRKa}k>7k.MJL{Ϩ2CHa=^Hu'7D[ԞSA{Պ9LF5422,VY z/}sOl÷tTF4~w{gJw({{nQaph%wXUJIgv Y?6\8K{/(&'V{ƌ4u&:1+wQhA{z@ m&!cm>`%#} l,;!Iy`ZXvr f{E1\{C.c,K<&ᅹ zZT͓ӛvQsi "oMHyv=1Z SiPI9Z WsğԮ;j d,A^%\N'MUQX楔w=SD%WfԳA>+4p[յbW9A4).fT5#`)j u#SCAw 1H"!0pǒDC30Hb !l4  &nuo;޽ÁK[v4^O`4!>646قJqrX #YKt(ds S4+g^)X*͢ZWJ5~ M$ J'Fz'w'qw?]=2NQ@4$m__FȳNԉ-SE^nUȠY)u~:^-DZZ"@}X ++0-ݽx1RmIܢ:(gy v_HN! s8OMI򆽈C߫dV2+lˤt[As+Lj+I-90z%yX4ã]m:&+Uz?Ք;ؒm|钟J7^?6wSwhINc!_HPf(J oM2e}5rO-ν(b37 o^Co(kXɷV3<(=W5 ǡHbjf gYgz^) wTM2(c>7]Y$ƃ$`Vy4p4mˈL@TW 8o?^0q%9qv% JWt[#fogi6rI'S6w loh: [E[C۠d$5EcxF3r؛`GR@^jd dԥC/U$`]3}E qvYZ.8zJ fb^ӸI3qhYь6ocb{`S)Ϩ KA9D1Q4rطkkFA4 ,M$eZ[5+خUū:?Cxvx =,2nXvǽâEtcg?^M$S%IIgGby*z8B f;)čO@ӍR53]r(@[,d %,ՠ*g@Ζr>FYz-TsM'}xQ *8sY0ġ;"!+¼%2eh =rz/)059J s`X#O>B[Xyl?I|pjСF-Fs?!oc|xc Q~]۹=D@Vkw!j-;˸nԻVK.Ƿrpc) ק[<`û˱ea~PAtI4׿[,D=3KpNuvhҠn"CDiYuͮw+'6;;!%?6D\$h)TcEq ~\V,\'J2;o%uYn)e3<795簃*?ϽN&ŭbm uG옣7s=ʷ8}`,pß R/ᣋdHϮ=e34Yq-^g^0akAO<Ʃw1YeSTWy7hܴ)߲~>* ,In.P" Oȱn1vr/o;fkΙӡzc1PהJ:x܏߽FR;}^LQ ' 4,AKhn"#SXMޖ`xםJ9LWOfdDk S8w}[߳45s0!@5ar[G xO)(lғϦNE+GV1ROB4ϼ;P5~1u1IN{$a%>Zk(^U \%i_`+I>:g?nd7CXZ{f2p=LiJ*cX߷؉+g~d*VGHY80ٚC'sKyB!"huV Ùd}M2!F.cN(=b1_L`Jz4AKV׳Ȱ%bO/D{7řB sJKd-Dlc!Ɓ'14,=oBQS^xQ4+6|r)l@%TsA"%$r~!ηH9=q\r6B||ŖhzH<$V<;nĜA)ͮQ>A&mS*ɂ Q:IyHPT8W^#'F<Ϗuӷ Q X=o_I<緢k40"HD /fpZa3Dk͏[ TʅNZcu;pG:[A;.T7k0NťJ<RO`g:~SŔv&`BsmifK(3ߕ0]k +Em#3eiРqGg(OX7=Rc(l_=,d)5mc߶2I+RgX@G J@DchN =,C(=+V4cx͛=2\tUEޫS/YGB(A%f'"b?>1*}~L$Z[r/u%pC: zJu~X;ȋy@Y_ΜMi>><"]@MhӔTդTt+IK 4qvȚޯ%۹s[ڠ?\9pp{O`[nźJGr[Qu C$Gp=|+cYƶm΍8T)AN!*zfk9ZP3$?1QT Y"~ņ a!nrh Q~c7sʩIIAJd2ҪTmCahHꘌ]ƷcnҊ`߿i-sm)9_Sq:{ +zgp X ®Z]t]R5 }4p4: ˞ķeʚd帙1,?QtZs=#!Mԙ XnUr5!sZ2S$s.8B]6ZV RSٍ3]aN0wu< $ubhfeo31sO߅O @}ALEq BvⰔ&d{!"wR y"4bJ[XcQ-g{4 ovpZǸ= E % tB yEiywQ$SD`xP$vK )g%3z=gE MzmUTA" +O"漟lmH!pp67MYI,Ҫ{U5q!Oj73\'\+'#MbJ"QC'l&pTt؞fyNXVQ1DWN O6v`*# dkxHo<1aJ܂~3O{҃ZxM9B4L\ $13d8.x~`D|򭗩FDސ}W@lJ /g>9-e3LPC 4^; #GP FE+7$&5UQ|xg4 !)aqynÀ"wQjjAbb7,ďl>?k!:!ӛkEڀ1;ssI> NcVr֔%:^PqX[aUבE.&p#ha BG Ȣ1i~>RfxSaT|sPłRy$L,Dnӻ;p VH9]'f%y kQa@U^}MPZ&f;-%~ڏxCeRcs*ZGWq%D]f uĨŎ@eڛJ; >sLd?/ϐ|ꄻSÅ)V6j5m_muB><:I礔17 Rqb ''h8KPnD \!$A' 3\D3gv Y*΋Tz1#B١S:D =wh19J( זʝi]ŅO'ClLS0HJ8V־҆DoR]dEGvAs@ _.˙o(n[.¨fQ d C'Zt j$Eiӻ\WeAv(kP.*vp$ƈzkHb9Q-:%FF:ɨ5/.3*zOG&'A dHb&!`dԪjAAPC":zir \ʇ^;wF\4,jy?җV !`[Ґ) r'F'LkOnՁ :,lfb]tƜ BI%B ܖ H1_@ i܆LoOک4\3V~K9 u*cp䇸g(-ݸ Re[pd$:T`{v54_f $9KI#QYE"u˯1kȐW! lSK qf"-=T0<~ΗKf͵bA ڇ\BUݹ5Pwgm+U7gf!6e+EwF~nK2~kE'.Ujq6%&>ݴ.1L^*@q5=_#V߷_{?=Qp`Lݬߝ;a\( |)>A%Uz֖`b:Ľz6VV{΁C@!7HsڱOR`>DFP d9vls~H<.ܛf2rR\ևxo2|Atk0f&9A2FaWuQ(y2UGIpA?r5{IU) 8 oڰB Ҍw3]t 3r?tF O,cZ c|3*\2q;3f#MjVQ! Uy"VG Z%BJ^Dj8s,])1J: F惙jEX bz1(e5twc~"DԄ3د߳i 0 # m|O)zkR{9FFT,ٔZpwx|x1ꍯN;![e?^7@=sufǛr721 Cf%$zF"WYa*Y]h\v/#iIR=BW4K]s:9w'4q~`d,b{Hkف2Ζ2]gbUZ9UK1OYaVz PN%itJ&ŠbcJ?v/אĝ}6645:h7si'yש KZ_k )kYEȻA%"%uF#d8Ii?0@UIXy,?.ˬK}Z[BX*/8:ŀZ(xWnkVYk}]!HTUcE̮[ݥ~^Wu? rB^q O}ע1]Is!2 -@;bɲ0Mu6&ΚJa*:4Ja`i>Ū ~aIuڡXv®W"_  { u Ԃ7? ) '7mtR ukF}v@=e8M+ŏYez`䁡imzCAz6ӆ 1Bs}# bY-Ύ(cٜd;-SCƓB%fWwH6垔VRB*/M8NqqE) \Zm mo',[,֖PAYBLAz hISջD Y~JL!8@8+ \`E $E71O!>d6\ Z1e]=:ސX .wÑޓ-?e5&| [K2ļuc"LXdd̍׾P >E:INYaJ$bhrL_`x=Vk}+ajgϯ;õ#p-J @,:s -\{n4($G7; =u}>",{|@ Jr:A P_-Q9v}üˢ|G2A xbw ,$蚃W&@3oO9#'插?Om(Mݼ @ =<qBH!hMF-)s= qQ Vv߿\htlqˆ>}ObA5:z@si>¡u_ga1:,mB>eZV"hA^(w#p2-6F C"5vS D)+taDϾ}Uq.~>Db@w˂ųӎc?^<L6v!N!KK4=XQF6S-G$ Hp=1ra̦@DE"#|-ž]Q{BZjK@.Acѡ)Il0,\t[0P,1>x@ 5DbcOChm2INj !`Ь|\c[JdzۖEV%8RU&9|:hEyR?+t Yי|eW%7 Q3<;oOٿpQ7VϹ_VT FGBI(Ac ~L zU7QZW=|^6JL"DflDGdo cS@p7x"{|.'7)kl>=ϰ!䒴gMLۅ biX}XDr"'XjR96\0''%##\,LIsyoU7&i8E}t{)WĈY#FxQ¶ &\0vpK~,pYG(CݼU[j)X A9ng@KyZ */&^u mQVb^2ڮ+&P䔵t50C퇬BQg=?,|Xu\&Fk͍AL6}tz;NC,V2e#pP˩t*Snc;=U[~fI-K#k(0xW!_xQ 3٦j>d;@+IF` O&xY@۞^̵xD!h(꣤Ql2+RAP>VKk>y ώסKLjd[e[pHeg&.wd\כ&=`ti *ú/ UviIn  o8;b䖗fUӞ{1 5~ڨޏ4x+8EsE!b7k̯N8ɷ`kŶ샼90 |f!ŭ፻EJ$eooRsGsma"m]ڐ1=1 oWV^}A޲3#[2CZI&Py{8b+㽔>2NJOx:FډJ8EW@8ك#5yL/V Y|);[]9_ ={.xLJ\]께!\[]`ڹ~zy/'RqQ]:J(>ף idҊ| Uf[Ew0HP2kq7ι {)S/x/Bgaˑ OL=kl֖<\I;W[KH0R6GMX0[_&} U)T(IBv}q,MfDa`.˜+.*hGYlO#W|Fsu0LT~tjsSHyz6B&On ^qPmZ*Y#K%v%*~%RXܚF"=dDZa F -Qba {fd+'@}E#!e(qRh,#&-xR|dswH ܐ9Τ辻TZreߏn=jyt?1b zn Wˁ9Gcqae<)m>ruadCZ  A|*muT8ߟ0DORHnal1j v۠YRL4 [8AVK}FeӀߩtI,0ƂN82!Jsaꕕ"2q[wh[)9[4ncL_FƛC8~Є."MJe`N &#i&1ʌc{?[/@ybu\VG9!Ǹnm/F]d⼀:"}]^Jo3_6DemLVRVC9lI 8]_cHF@{;bKV|?t/}鶧?Lf"}2x٧ 6SG5Udw9)Cu8Ю=\jC? ڏO99 Z8zMVV,(t.OFCA9/n[+N'`'̥,Fw6!], w4N>5ޥoUN֐Џd٠֏$+OTų5pX+*ZֽLqboH?duisCl^/S@wASfJik?0%ISXC%?kr]A  oQ W@9I.f.}~ݒ6.O$ma%ЅhD):WI I[Ѹ_݉de6nw v|9ٜwgǨZ`Ҽ-J im;Kzoa\A,K*a|Ϙ"Ê'gP#MZ2OP{ܢo ʉpsA&U/>2n"EG8X#1]e㥝EvN  $q'o>< !ö_yb'u*Xɉ|7v!leFygN?nɭäJ±q5%Kꂉaw/8* _#`2*g f.?6F"{4fS 4 |DJtn#E.R>q)XLdV_h&L8 F[SR^W+\r&d'ef TeEEᯪ@wpZ=-( oFNW]I69GރGPbIkAHTx@ P剼0wΦ#fʋm f86!ewa{[`$JpLE4_8Ô2<`S5B0 JNAyKm\}|Bv`cB7 P:#-edJ{y[R 1`~ Gub&miߨ_2ґ"KXQTVSE|N{2a8n|eOĝNULp:|kRW&3ƻ}%]ԗ0c]|@ϓX y+ٙi]%)A(Q(T(ws/ 1[0o tϫIs$De<I07CW`fo7هv7P:8x@_jc;beX R =ٕ[1B,O"6.EImKCQ&΢p屯9v$t* 1kzW$J{E|3矰$*Zk?׌,؊~g3Ζ>Z~4d=h lJ+C5ʤ I,c{s~ % ]U\`SP^0bi߅z7Gjy(ޢ$6QFarra+?L"RMij>&$  wx}(1MVC #8ຢ$Ԇ|(^ ƨMSx ej1mOY3MIџVer9搶Nh荓&.C|'vucfWrY9V?{SwL 1'b > ;,{?Jɲ;\c0-3ǀ}b.0a!ƨ~I6: +ubӖ*ATu fK.5ypk?OZ D;be m$ǷA]ba,{R`Gu Bwυ8d>WKD8Y :5bL!pk/d^%!>㝄X_-u34,9i9;R = O-bP=ŒwN\1#7 'R]vL?R8wS$fn~\0f$7#yN4c) ?iq\%KXiqz79%q1 /ʹ:>dޏNjQU'GO"= IʴHL [Y}R3@\S"{~=nfuiMK^(6e f)/8uQI#r/RlзU΀%KK݌24Yy].ˍx 09YeܠS7I5=i=w@ͦ6'PXRiĸ4u@%xq d\B_C}:h0%-!c^C@R S@Ϧ)\adFMfP `tvBh0me6=$0yhtڕ 7԰dC`v\XbD!27Tfw "`@`vnfmIelQ[s ;0~g1zx&ZF]uKԵ Ν~~󗶺|rSgJ8%cy~$$n!3qUԔ^}:(/|Iz˧: x9])ѷY!:P.r~җ_/TG DuYʇR:b뵒\ܖ5B4Aj;;[Z@a}e,%k!4d 2*2-卷:c06vִxz~Ȳ<6 j¨'ERMޓ*BK̶rz**bRywP t6L_ {x#} ~3Awhj:5}3NXG^,7bF !SK. 6 : );1C tgyX'ֵNE\LyKq[EU.Ԯ6"/IccfQ7hB ?\^.J[Ohx#ƣΪ#!vY 5SGFv1Ѧ:ҟL "Ffc䣞vlV(ؙN.â""!02(pl-YIS{ =_'/ {<_F yKkygZ[ Ͼ* D׹ԫ݆K4^Qdʾpu, Db,"їiM yxu;cF\F@F8Wv  U'[k{a|SX( .-CD& <9NK:R~]Ҕٿ^TkQyqCOm=LPO[<g;65EخIܮ,\HYDvGx#,X]j7RL%O,=-삻IBLW;tm-{cĺ ]e덮D9$b(qtdĠӵɇC;zx.5Rέ_a".2Nŧ@WC%jVv(Փok*gUQ̅$*&N**v%`ǽ2_lOsaZOjk!>y6*wBP60@蚢Ҙ6Bze1|}8qXR]ֶ",cFtMEg[dѵ,, v}:c&&gZʥS.5X}iCq\1Q8KN~..Pk0+Pkq!kc6H@}xd Փ?6 k 6PrMJ=ݫpm>CQfg[Q4nia_|RyYhLu\Uc7 %`#kvpc{mC߷;U d \ Qgܼ'*,FpΘ_#Nޓ;Cx>HS4} zsg y(bU" vWlܲo#Q"A9&a@HXB<,hђ%DŜ0"}mY}6G C +>mɑTɌ;K|ǔcYC$o#|1 Cw9(.V1(Fx)0* +Jk{4ѕC۞~삀zea-봺9o'`w4E6U,.*'2Ŷ&.YJ+W$B.?DFdnATfk X_y3)7]CKT]?t9|E)-y&|/A{S@a:׿6ňI]sʾ?kzM2pA5Jv (>=wpft!pD%Dk+\=@ۛЉWP8zg"Zh3 ×{N:TK5=6ߍIŵf,()mH-gǜ-fLk(HU+p?-Oq;-g2e}l {95~j ZY BLJ'{OusOGbpj )I{-%Z&Y|\@i _1 C4kEcTC Ndv V +ɨHnW y?(49ZKĀ@_W*5WΧS9"=!K6z;0\?gf~c0}X*'Ȕ{¦LxܡBuK娔[uS(z::7$HV/9d1D#G\u!(&cJpD 9-m{6w+vu̥U- "(UV&-`dhҜNVZʑ.DU>28ѧ92!ᰟL(IfClSQ.IW tseU8t.<_i+ug!ݍhJt7xZp5mM/֣Bd] N*:`J.VZe΀7;b5.O1&Y!+LC7\-RRFH~ġ3~WG e9{"_xY;Đb3oBGSQ PkTɈhךÊ3{wup ZbCP d5ș V2/@P]d~.vm@gHڿxլ>/-cӂ,]R5)j^ĉln$!x,Kq~ %nْƜTӛaH}_<%t!Ƥ{Q 7mXˈzD0',+-tVNj^!:τEO+ދKvuSޔbÖ٭iIbPW4[ h:ǠW2[m}%RpncTHQLDfNb:iG6DnV(brS }EseZy8ı` !74⸋_j>jM"6vl O}z?%[I*p75x\*,>6D  f1/6a$Gj?DpGV\˽F6b\]1v#(`c4X2Q1OfmNh~7)7.r0qIdgjqjo(@D:JC92ۯI ^$oj} |Y[> -@rW {PGFJ G' IZh.C![Ӏٻю_$p9yB1dzX1?s3]_7F.3XiG2z10{uܗja2BYt}ݏNDIPsc>l6 |J/"֤As9>ꚬ*knU~¥cW*P?Zh;V(ˆXZ4.CO'>c-Tt[F)]_I-k ĄDsphWEc8`>V,{@Vgt }+H%y,ߨxS9,l p(v˴84";OcٟFWt>4 j*6SM Oѿ#d,OHWE/2j q=l +7Fђsl1#=u@i_HI*UYm8qيyA&G GHGkfzs |Sx2A J4E!:0F-ہ4Gw#D7 iq)UӫCU s+ :)8̐eFC %[ 9# Ӟp۳}ksԵ%?iĸ3լ82ȘCgư&yK(4dy wxx)2Qo%Nﭤ7ӞA'lY0kAUÖ2=5%&%.}{c{ $2;tL}w2J6RD\rlk/ t8"Hr ~c<l2*{;}*bR %̚fp+]w]EHy Pu)E֯R5K,ɏ9lBLuI.Ř%qg.Șym`V]&God ^nF.,x25V;!G Tٕ{N- JuM_ ]7DH,QыiّL^@GISuA fyn$) QfaeŖQpSWtkQk8oSΓ6JW ζjޞZQX;|ψ;ʡuDYTz3*pґ'֑ӋzLoi|>@GQwDDc'؄Α8t^UƄP$) q"p`s%\dxT?:6/ 2k_c}5_ Hk\dFX_ơևiʓBݠIPm5D"W ;{r\3hIS"t/Y㪁='|W/0P+ [ >r^bvA;!&: tthQc]!xBqes뢢H'bIU$jUg9.eY4:}=d?=%] b1]l]j}Sk׎9ì9G;jgz~0;xY:1U_]}o$eQ?gq\wL4|ZoH}b1YP>⡄ ?܏m)U5uۅz/[ Br_ ߵm/R,;, wrSo$P kԿ Pk'J"lY))mI לц9h OpSRgYՀWbl /Ȍ&f!3ǺS-u3F|: YLYpO{0 6/ۭ+ {&WuEW_I⟆aP/gcepOJV߼* )cSθpk pD&ц9#>mO90Y:~jEߓ>CW0[mENp4RiqDk7bDDo-L v4< ]悰D>j_l<8G̴"NcA&}@EtPXƸ3K/ʦH<v_:i ZzOlL~ U+yS_xƽrFh ׻(TȨ~'涶Y2Zg۞$n08(.|1_ӽF60#d /oCDof`i` 0xxqA.>%\Xq4k@ԛ,NnvZ 0mf>;"I@H+X /~EPA%V4#~, Fx%]1sP}+31 JrJ=,IGqʰUqXIly;qL xFo^B0'!]eRb\+Iyv2en;h$:d(gݷ*_"d>~ :~s|Q @A9l!–%&ѡٙ-_j_{:Z~$o+JVHhZZ3X*l9`+g5nݭa1|e{.?Vqp =֢SY7?謹CP y<`E+x 3p޵ 읇otg+o'08B~naip js q`vW/ҊlDUXv}v%)8C8mBQZ:Xɶ"MՉٲ }H^- %*cNt6h݌y-PъN-~Ry1cmkbX[8"*ʜ y)j_2U?hpJVm wt[F_`Z&lY#6qHND}RLᢿZ8 >koqk,bȤosg8u/#y049 <ͺ-9ɸQf׭Ǡ>Xl2lg>GܷM p."m$Γ;۱Mޖ E}2U,F7žC;ԪK2=fs" Sձ>n<[)ǩ6c)'"1{K[< ZXd7Js$pn|@sw^ );|i'v|͠ƍĝp:<7o%}I"~8s:/fQFTGmgм$(r1 B##qw~:$" *t<(M ՈXt quC6gѸGb2\ߋ7vW+Vb'+hf1ޣdؕ@VEhH.cݰǒ6 N4u(kެ-55 [ls YL\E!3x[$<޳s⢆C;n}hyNΣ`1y?QA&T2yLw/b{Ј;6v/\{x9Goո Cw=QQO_@d >*0@WԴ5َ'bꋿ'kb-Tyiw͋$qӌaz o.Pﹿ!I{Ja T}e)u CLVh~ft;t68tdr*`/~a Dk\Zo=?ݐ`ۜ/l`8O0" EU?SFיS ё>αǑ94 2x%(䠂o[C M5_qZ.ⰾtoL%O4:2j/qP h?Al=7#7ku+%YHzhR%6d/һ^ϓ*N`o]JO;* 3Vӈc\Nè[(-VAe cDm/d@gIEṈ ȉ5 Dg?Ř͙ m j:FCH"ʻ֏,4uW匛n mxg{s_g )EnrR]CXdžsqDZf!K7]vV12Ge݀znpUB<;ȳR\x/I9) `\e]@x^Un";hFؕVoϷ%xL JHq9' ؀ E`Cxh2 'kgϤ [lnD/Sd-_ jsA9ՇT-,Ri]F˜iW$')'{w9?_ճ˂;eu[lZbZ;qw-gZuFo ?)FГT׮uo/7W'"C'ugN58ݾ{1ݗ+{1XLkLPKZET}h×]1 ED L vyp\ׂDCsp͵Ƒo/IUNRv j>2\O};vœF_3׺^X @ŚFL=S:{ lՎ%iC70R`"̄Ì|^!n q}ڈNl|χ;1/\|_fV~궚f$Qdm匦wdCkvj騃X`⣝3W^{/B'7d)uw@|n}MEеLPms<0~o e/BJvK\'(yKn(p*9|QH>CԲw7% e7yZpc*U >}鶂)! XYcMbhQi:q6>YjW.ǔ%B U1w] Fo^2&Ne: 3vًDR@~(]DN[W6&K7 5 >Mv.C8C{˖ogۜp:u,,r=i'FrWp|(b+7J;>G(Cׅ*u-hp|m]n]95@Mj,Uv`fDۋ:Sy%g[^$׭eouXӍ@ZF+`ovTB$yY3~ɤdSP@Nhj*՗zQ `R`nGVB,ƖFǀ+ji$|m/fټ2Ӿ[Τ,.*"]"*=]S kpwp(DߜQ#A-6I.=v_mxdq8d6)]t)8oWܩAeuFxk2-bJv,BLփq.ZU~ _Hf,$}n5#x-4mX9N)Νa1̚|:FwFƵXİ̩DMCwoe=㧃Aq_0m0 l8'{X4??oX69>ǝ .W agI5\G6,svwf716y_3wdQ;--1C% ed0Hϐ+d={IC 4YK R|D2TSm~st6@o,~$ÏN^'6>r{` 4r^Tb%ע0="33T6 #x{?DAǣps C~`=Q\T¦1ezꆒ5?SG̱bwL4 %/hzy.Y~\\v}1AfxY3䆵m"nVzp UUjKUi`ߴ"+j@8h#F Zac%qPp}^`ܮ>R UMF%5<S705LSZP4y!fFLR]GR5KDʴ^Y'ƛ55;%AԬ g ).lKSm~Fʷ۔C :(rQZ39&#H2?vK|n.Po r* Dߊvx[ COw%ņ o(<L03Մ?@)hߎA}˽}FϖQ~|ձ2DήNs.fJz<`=ImfɜHΙ?XǸ:Kzq\Ȁf2$h4ےf^(?!0ڤu**@x>kJt_Yy08;KE?N!V~{ #oțȻZ=69CSLGcRHOKk>EG][.D芘O2?R׏#nxjsJh*;=8%{pN~.#B2IG;"ZYfx jhdTBP~J ) VibV7l@ ā.ݐ/w!q}"1'[EN6`ih` ]S B^cثyk)5"YD'Q>0Iy*z_ݡNGEةR4j3/s8QӞz1%_'Dƚzq-HFgԕpat?i2 (r= @:nI;B0X}b3jU 7h]8o]XG(U:" >ݻ^hXEh2&mTJu$Miu!a- %BȂ@,xѬ~rR]_fexr:6,ẋ@sb;K&eBecDá*d^<\qR&AHcv|dtqƶ8)+RiwNIԮM׺gי{>)_!3՞(D{)qFW$ـK,یHV4|#8^smoeh-0oFas4]r}E?*/PePe57;YТ<(;eJd-tA .oieuiiKAbo%2匨f}FM I?@1l3L TI AǺ-'gF&-" (X.0k( S&t\T:Q}?.j.pWGiJb?ٴ# 3qξ q]fG f(4~F >êH R]{0BPRE2wrHغ 0)\8#~"bUWT~MI8F8Й):`۰=ڞ2tX ^6*gYWi읲p9m>*>xm`~*I/ =}Qq~^^{E* 碶=>RaLb5ޝGsOg[Do:xme4D+I_>_,px|mc\a-9QgӵT#L#\䰯p~.H&p=X7.ֹVVqHn;>lJ$f&#i|Y۴.UNG "UuRR|!uXQem 10c7@9,Ȭ dyטB\%,\߫X?[8sѻmW#"-u2 Mu}} =,X%ۣt>+B0生zz}JpJI9١:W];rc;WF~5 Ie"̀=s7ѿc.kDn˧]ݒ+\ M( "V?˄VZ#@"+P My~?˓Mi83 <8:'WZ\|R2|Aȕ}rtܡZ@.`Q1AC>fߛA14E!dᗍ,*5ۂD\>>Eq  Ǔܧd=ꗏUph6ݓ~irN9FlEW=ݍ`fGXC$ƅA|¾|"VNzDt7 du$$`4~o\kzɔ܌W_R2 3ړncybY͏zEb~Hu/zF}h[n#x[b*,-eXw(Ph[\WeMY%  l1Iԥ -nFa<YAo~H(=5Fg&Gt 6#@XUZuJit H7{"/:ޚ?K=|DEꨱ3 '!ӷ(gan,;UmU۩;o6*>8CF ?]Ъ-ǜ#B}_,j`[`vhQ7+O#d0^ɏ֫2P2{ܩ8/҄>Ch-iH@`9#Rq-C-۰W^J)mi4DLa/%pzOR=)EV\R*H)`>dvG y:A`DDssnL6@hGfΞ=DoX+T)\f>La pQfKLZwe%]sy>NW;N8-[**V@UFpx/9 ޠf8)aSKq1w2IyЕ%ztBmFRfZB/Nl 0..! /7K 7J Oc??$ۚpCr)hBgcIf.i⢎v#7Ů3dGxc=|c ;i`XM|)V@rN9󒖒~r``(.e:>`\vr$: P'FKc9H P8-EU9+_*V;[jv8gA0~lo?l0OUilUx˧jN1G2j g˵*o`'cn/ -{}SrMd!4S])O=󟠀Kz6k.uoE3szfw;>t8uX2:$(\LdiUyn\S'IWBx˲vBڻ ZkyzOY/׿ ؼ1H}țyhژWνrstUP>P7Em"{ŵ C i_ZݪRR=6=UͻW5<)464C.>IV㴹_6j34DKfGs](did65FwrKY2-i,Z^F3*>DD2bikEΚ؅GSOKПhJ4x-D &TMa.LS ̈́||}` (/_:68Q/"B!/ꗑ>ƤOfk3mv,"dx-jD"K&̿)Eaą %]̝e]d|fyrF G%YIpa˷yYgh,4E|[aKye y- ߔI".[Θ☖N:js:x~C((juT+Z5_j[Qەs u[Xv=mY¶(M(檉is&wLp?fX#Fotn\hYʹG@it4ȁfk@edqC7%ܓmy]~s 2;2頊~݁p:gn?ݝҿyĬlrF joL "=okR[mâY;_Σ";xJӕg޶5 nK]<^)`.i䀫$G&?1L=~Xv"f@zrjxxmsZ M u".XUКb@XO0Pi{zG /n*ղFt@ܰ(գ `w fX`W{786CIgR&2^xfunVZ V)X2N¹ϏvU9us{n3l$F>Mo%ƹPh_ܲ#uCr0-QՊ P} (|?Vtf܁g{$ǔ .(g&hD;lpvSW%hJ`JdK0==%}O!ws (Ƚi1sd&CMn9Lxo~JչGߥ->O֬LcW 7'ABij["UsYOӞ)zygͅ{W;\]NKB (2Ӂ~JaTdPtٍ bDh&ҝJYYLuA,$${XAi!zJGr#Gկ8]bHҿp^%Fˎ6[/3Ui˶̵"|G1/,>EdG'z)Y,q`?ɂޔhQCW"Ah]{J1S`|@7. E?8&pbsFJ5U6B۾/ֱ ]F1 't;)xtIv :C:HS;%tPuhj4s0aSVs0f:J}וrFֿ̝`p şH.Q0oAd 2~si4;ʔ2(Lҗ{&D6!lo!/{G{݌X,CDGGъ@nA9q:~]8'6`NXRfpa9bsE8g{)6O3<Օ+n] r㯧b<;u"賘?Fs2f\;NR{?:> } ULz5IHܪ1K5DEJhJPDp(AP)ݚ ,x.M`ap8g:>wWJg΢YY/v]DB60?T+mzdÒT #AÊ?+ DENǍ27bud a~]n\U?"#Da\Ԟ >Oje$*:31i dfnh˳4rqkQt܎T^ ݡRW.|Yf)n>xr]?eU1Ñ\`~30fţ;&%lKğrbxNW!k>Gh% ֭nmQ i=jφrHus p S,5)(YVMjQ OsaXo?lXg$A)0bWLC/W¥]E`Qb& S1Z1{0B 4(0uI4F &&ω\=q^qUY]eE!|]#Ѫq<ĝ"w95[d*]qIDs2B4Zƭ/l:>~[! #bބ#=ޙS $C){8FRNˠ=yKfciH=B?i +5_< Vg/{梓ȣ>7-l `2\ڭ#љ|[µ .nL~doHhiirN ͩzaT.6+c}MP'P]Gِ *31pNL:Mgxy% tko>:S.MOrUL 巖mF⮶MnF 3jCd+YlV\S`/~F$jA/+AN].xf9a`Dqid3F:o ?s0o ~=9~xw/B e'nPæ<->4̜!jau*H KRg9ǿ(P6zt5V=C,l$y@v}Il, ڶJ`R' Mlܝ j?F+ݸS%(&˵0ȑf%==<<jUz;% <]ͽk{Gm{4oDڙN6G"/nӸAc&J>ϺdvJz%k4LU +c"vY lt8"l$H^c;˴DdjIC%{"~ =ݒ6PBE`0?x_F*o:H7Ÿ}NMO EMH;K{6fR.& ٷ _r(z2_$|\,o!8+sgzY?yxPsb[J Vʮf2¡ndURi+0盆^(jTEIFygKp:4f;hkD+ p ^ݐ&$c^.B4eBykOI|(U`HG~w^\Co uIQ HGIsf &p(~{o$dly6Z+!8 g.e6C-g1=v0oh@ paX\0r$Cc nEʉQhRzCxC=6~ݡ\=:2Rxղ.Ij$#L~]|;g .Kˢ kؚhޜlLאN"@v>!siRG*#۹o(ٻAcقaAjD]@1ժ_ػzNU* (21;Q2h8)##a}0 E@N]QZܦl4x:L*S=vFB)8O&q85("A}!˺_fEm{TٺwKySW ?F~5<˃jK0fM4MUϟȊoN Zrb6w@P͂Z<_G;h T|U̴T>I |&hC$>14AQ@\~AL&oker~D2'7I|K+T>F@`iPj{1&dEBV94] bw:ϕl0ٹ -_KG4sJڪ/ {Fnek.G3T<ץ>zr?t9Ĕ"3QKW◞,G2 QKb51u\͜sdp!Ϩ't]}s/p3sbL+&jXд *+ nw_CQ?Hϱ)G)dX 8XS.eق;gO `2eeX9!wCʈTĐ餃50 yعJ$a G+܃$<1p趽yhMPNcf/N,Zn(5cib,h9Dmj6)VTCH{I3 no~y_HrHKp4'b\pj_%+Ai0&V$ uk_='Z"?7$SmaxZ7='_;WLrЭ&oL s-9TKB3R{&fFa`'<K'eڽPK7Q 駁 _wvןK< (/l [Lv4`g$t3 fz_VˣbQڇ`&qB1AOR G AdRC4{0Hп+ I~+@A" Ir]o.ak*u`Nвߣ"yʍݭIW6^+^`kBcL+BUii1ie P[\zfٳgl R3#o->;gIrɑټ1N5C7wζKQ`l ys E 5r*C{LC vr= ڠ{Ks5)s]ܓ6,鄼/j]nG&0,8S (jq!a5E⺆j%5+8 *.㈑/KVNB~e!(F,fgƧVďJ`X]ZLGpA! lHmzu5N/u9B^fgí7x}zNs2&m9.`LҔ-ΨGD_5J6T&ZE64EJ/F65͵V(ˣ5)Ilz2eպVvnh0WA]ΞjG*t *^h( WF0VfA":նJ"sYzsBK?"CeE!)6#ݎHPuk]5_dj 4^VBYz#& DHaG~*L3 +rސyf?!r$&b@e=k^Ym &͂\.u9--sXMT%U%B=SjTG|fƘ&F15䀭(1ԃ(7E䯨LHww /a_]cptaonL5'~&,xRqR yKEDkIȃoPN3B߲Oa:;%x2E(WR`\L=0x@cYd˗VV"ԜNMYPhI}cDZ= $w3U3}7 XZ n] uF"Q;F5?/ٱ+]2Q"p q*#]wS |U$zuÖ1'mD6 S;+& sg㋅Txg [΄ H呬Ve GG@[d_oe;ӒYƄ+kJ[pTzVF7Yw~G#aPpf BnU7^W* ]!> eQ܇?K,.' ӥey%)2(7+}K;P)*`p?`tԒV~^ ZX,XN}cnS"?{b@mH`^ٱ.o?mpEf.v\ eP|OѾK.+ Y b瘫‰;x0k-GU#ǥcYKU%Wv껱 { Q%z^K) jʒ(Ķ3\299'Ȓ\ "J@pb-u_Qp,d.gK!r&On{wcf(f )hZEV47n1\g ^CJC1BO̜ZfMDbD;tbkC);P3qN7?3#iyyʺpݙ lF5HtOž\kX]zhNs_N* iy=L5S=Yq^#I5z<amByggǺU2djYQrQYe Ef l*YAupgkt=!ͲS >PёW2N,[ $޻R_ Vh* ]TN~QEIb[yxTyşȵ6N.m_U|8'#,5r ^`6R y5me¦Y*[hB#Y6#ю- GomU-WEou*fE. -/גGz*eAc򕭅ErJ)W[<AEj@4?>~~Lkpw$t|+ˊʷ >EBץ!i:sg9rw #ԈM#Xka&Yڗ?Lbҏ6Hݒݛsox(b_ԓs`64ZT{ [D_y=) ճ/jؗ"K͏oi=X`'??;z*^RM\#ݕ ĪCaR#Ns)LJ2ڿ{+`6$UV$*7m??,T>3ۘO}|šg)1]_i V  s%}ELlՖE9(d exf_z\ o?ձF![U&|GC];1)(bO;-آcZYpRӍݔ7ɏr~JkwYLA}T( R61HtY>eƻ`:ң8a\ EQ*@', f:t?ݦkit-uM::]&鷇VIϩ"UoE5XߍHDV?!X;82d|:m1HOQI5B^٭@Km͹S2[`kG2 }{ EO]J 9/ ̒(eD،O < ŵӢ0I78BnYʀƧ= b*6M";*_q +n@lBŗTIXqqt@Wvp`{rsP`@lȴåT8 a7h6Pqw+ t:S-PCuF킺c&|wn<aC)!^k1 n D Il.Y? Xك]%|Ȱa K,]S'19dsSsN?QKԯ!}J ߍlܖALMͶ{~"3I q7-K":Kcop62N^y}}tz^3P.)H~Hzw't% ._۠[m8tC^iӍ,Օނ/VKny?~F7vYw8@nrU|`]zT>k.M̪*tYqZB0D:Y/6K卺+yr<uQ5iƳ-NC7C5mW]{VM 72"ClW տxPP;vsD] +q\a-0[LpUWUKR$f͆O^lr*N.?@ĚQ<\kO {-7Ya'`V@Lli4 E>@c4O)q.Y!|r#<Z%9Hm `r[@(" h^h0d6sz}72۾MVY <%D3ˏv~)=_ʖrQ$.LBa,#CJK[j+fĵHˍjk _M2qwٗkf`&Fr:{A20 GxpXg$"")uiI&o-Z*ROX`uBgKҥ+ky BX8M4%xel#TF()Dž6bjDBMӕu"v:r 9ή!i$f3+VB=Զ!/1|'oQGŸ{gG䪕>H,2 -" Ƀ_p*t^p*,Vx x! Zqӛ.nVاМ^'ɺpȊ\&v~om )PlY;^U}^\/>_CDfqMgޜTE%FZ f۱I!}9H""Z `"9eT} go RUAa&iٖ~(l#%b=X;iX^s>e. s,~ 6M_jaqz^QR.qs$so7b ^yv^Lnnϝ /5:^I6fǴR?˟)w#\]4%TL<1R9o8d`H[ZLBU*p*Ɍ[S4&z:&׬]6CjkEˣx6+Q39(!o׬b`SdϣX ЁvD"--QΑSrd@[5T ѡSWt`K=LRD0#iP%vJ$ASZ` Z))2W0ҒG Ym>"J7VE% 4QHXV[a*5 wrB!RI̍?¤Q0Mw}/yӜ=(x=cQB!X4W2R}1{rfu/skZ59Zpk^W[ (Rk6\kV\^0;_wc./WkH!D%hw]w8z0l4z9C(`K.KS|'2S-ر䏣40jI| ~{lyxwtgM̨*2 = L#!% QPzch (to^foJZcMZ y;c]֛yUP*.UUv <kLH;$(핲-t0Y,~Q8/*z.BdS#3*SH7wsǺyÒ;k kgZeVq#$L f 5p208aW u ϻ-nZ 4:V,qO1[!>5Լc; JM7ٵWZ%Kt`we XYV=]=X y|4auc)l5q5fAeh-%v<ڰz,pkM{hւ_zKqg*%{2zJ)u-zĈ[! 4P1yӪ ߞΑXp5kT{_$L Fd~{X9w+wk q#($[~G2''ŏσ7;CyXVc.KrR"˻L.T5w61&Lk^40$F̫rV1R fwRN}͜dMц,xarQOZ5KȭmO?=;6&#ו -рLӐSYY<#!t%Y945nE(`?16{Ԇ.--b1V7 6ݐh@0|ˆ^/JBpĢ\-X} WM\i%oy%H^Jpt\ZK_SSe k M #dѯ˿eKp^ ' LyW@EDjWy@C\/P %ʧ҄nhm#'][ۗyI˻H0_qr .O൏8wG [>@T\\ҔFp0A6"R5ߟd s֝m9YOO.?0PoX /W~s~%XQ1lsIHoSz9vHQUtY$R Kzq;umKhS`#o] 3E# >%- bė$'Рiy0l]Ϥ΅݉Mdy>B=TJ/ QmMe<(kmQ}PU?GLmuZ![17bvp(kB/(|#[[ٟMF"X"/b\$ʁus0%#B)ǜ8|v$im ?s "ט F6[0^3Hv}ѝ;d5&r(%A-¶U8P}N;]O+ wFT;JWBz =#֯|@_Fk> ;"bˬ0Bn)>Te 6sa(~B?i;pJ]xiV(%Q+=cG3kc1;6q{aA ! ZE^\͓f?LXsʄ v"1FE*`9+ј+_:bImhze/1W4EPHA[z˽gd/C"+ քRI~@"|ɸy{jR_%}XQZ~2f,x;s~-"u˙5T,NgO-U:7ݡbis"w}6aF=Ĵ۪zT|$^o~A!\LibEky KX*8j,l٢@59Wp@Y|L2mlDĤ#,<#+׺tCBy:aG2R[n_v9uĔ[gKDehefD5mI?Y6 N)I&?&©Z/Wx}l^g7y^$4ۧAt,]iH/r;f'!l56?UK1,L| YF+=ܴY BU֦.LQ}@b%SwLr*A4wao?]khsBdE$fO2 )HI^{ :* zS}}ٗ;Dum@eD#ذBV;P:B=ڤA>su ȟi Ƶzdy^|rt<3iuh*<#׫M:>.@W# 5fwr%O1 DLFh6o8 Ԝ!@,s ᡑْ)\{>G>m&4).i|%LIQ"rm"ljc%f)ME# m =j߇=?J[: %2+6b 9+ Oa_;a %S{LN|0<KWZzx]te%Hi8Spo9 BLݺL i +Kh*:hdzO3RLM0:%3eI8eZk oQPDE BQP*?1^ e$ݸ3WߦMS,W-K:"Y-.J9E9* |}$&^'TZ2(Gvnu6xnJע=$X& IJA`l)Vo Wxgdgc Z o@w7!1aOx;(efT߁TGRaBEҮpDw)܌%bC4.kŀ~}M"{ b%t\y.s?/[9b.Ĥ+5IkךaR1ZF{P>i Y=2ԠKEW{6ВzqOubeݓF'B0U,M'énM:h~vb?ـ,Q 9o8nr EjAXhfki_(k:f6nɵOtHVpStԼf~6 ɴȘrj caنͤMQN)(PMA=#]>s5ϥGf#,/:6i@\t \čAFP'}r^l=;H>Cex~nZ ,%o]}6hRo﹥;s&$L6RrG ߊ+rj'؉OEݞAR,h&gbAt BUԓS,w%n3- 31;W=|A*"s\{J:4.2T#RJ_F(ArƫGtC p3158J?bZ9n}Ω_5菙Jc%)B}PGhlkgB۽4ʗve(3Lq(Kv*ڑQkh(^9A6GQg "Ld4[_X2lT֐?x'n\7x*ئ?䟋7zFHݖd6މd1$SoUJ'۵^sn>FW 4]EwhBUi]Vy/PaSE2@j(N NUh(@'NtzFk-5BM< Q4v$ύbZLczD@Շi9K+zs'U*ZhCܳh1hàĨpUL5A8Iv>9lPsMZ28/0D.nFcVzf7O_UnX?ۚ@6ӧYTS'(M|oڝ]j&76\厸ZPY0(c2zcHʄwMvŘQ&tUj`~PtVj<hdi0' o.gAUb*^DFq<1b0զԣ(̺}20qg xaRyE "!m~c,\Я𻌸([ǃRSaav+2_BXdAtƒs+w @Kɤ }Ε/d4 ~lYKV>p^ WEjUΎz50!ky6s7'%*mحb~Qi.|]-_Vx0iv|1;Պ6$o Sa%sS# Nmg鴃0̋'ȺH{T~ia-79W=ߦML@!Ӛ+K@j6w /lϷLpb(An#m^ /_; ^.<E}iq]0Dm#⮃!/uOغ}ŭ6 A߭v}!͞rGLvWrW%`V5.UWӌ>}y{REݼwXK}:yz,kp[-<NzSw!]~1&04{\@IĨpa(($_^*30WAbmz'L%F4s6߀Rχ/͇ǎUxA-d*1y+,-#k5iI[_l-|0|p"CMw/H>@ypvUH['W !3pi]g} ^e>V yjB)\tƹyND -J[R #mFYV-DT*8jolø{KR\,iְ> Hxke|K(0J6e(sGu'#طՠ2!A7-ȼEF(O=ߟC)C74,l#B1|mH8ǺL x|E.$'Anwb g'0vx\ 6:rlJ_JB\wt`ޗȓẤ^+QYT[H VH0qʅ. jX=k% ?k~&A{Bbk&6X JxVbmC ZJ>n:X`5"9Ho9N| G@O=F Wkо`>`+2ޏn;rT^۪_L/KG, ro&h}m pR\=+Jw ` SB,5XJzBFuI gC_YXHTQҼ4Od! R8 /t6^! @[N8-ZF 05 5l\1MR< D^W/[X셱 ^"X]hG]rBՂ$]M,X!lUxD>P)odoMI'om5ܓ$;Ki6/V`YD{dg~$b1ecrQ;uFwM>\Ho⋀}WHrijo( ^e9(GGD5Ƒ1+|8z?ѐ41iяi7"L0z"O5drbzF_]852>[| NL@],]i2Ϙ'd74^+dW /ĥ`Cp!E&dSM+|XZ/`o.![ⱌl^Dw+O!ĉ?,S9m>q4kDRfl¸W0 <}츱;ېUfzA sƃk${s@?RJW0AkjN;)Ԃ Zy)T̅B&:ƌ{;-VGؾߦ84ɞ3ߏ)N9nr-w7~N~}f09^1e|F)h/֓[/$!ɉ$]onv]ߺ FjؕR3qK4J)JWȅOad< Lf0eY͠1:NUB. 7CJ<&.}8Xܼ5K,z>%hlwyTF@eΖl7͞r0_X>#UV . 8+⌤ɸB: (7ԄN_fՎuR? qahy:6|dħ!77<h67Z"MEW) =>{U#W$~QcEjBE7AT ɄY-!T72k>NE. *ZscoX\Ss jݜ_:/P^#]LE5lD#.vh&)^\F Kn 7Z27 {0r4oSߘ!e)RfՄ`lIAXA!ztfk1 m@"-a-͍,md܆.aDU옚lQcpX_U(~IhKuqU@sM,)HU?ƢZ$퀑ԭ 1D`|q2'Rt/_%@QDN,Fߍh$6(2է $J0ZZ3!wuchz:E 0 .9& ̖eT)wA5VU"\xyJ(JAe!voetEfm,\ (_)&uO]JwqEY.`Q4R!+~; !H.̦ "؏ y0+-S0C'iYk4]y( b4(>7xuoBi L'Sqk]V`t#p#P騼{P}eyc <šsRYW?)yX-JFoBp `ABٜ۠9l} /^IT[Ȫ8Hu/ո iNs.x<p0)Q#5`.Z0^¾1c|DNh8Oæq2N+櫈8ʅ S  nmBMA9'd! l 5*YPc% {r .8Vziv+Qkլ M5~17e4_q)%z] ?a8odwEd& ݄o򸢏XT0cܒ̣[8e /kw‹ !N]4N_-5:!nY{-V+M]V 5#X; z*'UA o/әm`f)1Uֹ, _sK" ~qB\t`:qp98wNOɫGw͠b4irSGh[b7WykzBBGeḡ7Z<.&J\0BSAj qg4D ?P#YD䥷Uل5'f*'r-Qv@BhEGR2:fҶ)dLPEG,C\S؄6UpY]epF  x РI>BoPvԊj|'-Kfn6dqġHG]?Wȶ=ޙN@LA!Ө!-o>GW!sa{`aIR# hj6$kB~i@^)Zir% S+#5[6DB g!} 7)>lT()'>|u􃶮)j \l*{:>0Z7`B$Ru`y(FfHtZR.8]$8 UYpVT" y_!cI)yxߣ-1p3li@h4ǽ.gb _U *$؞wBD#ŕ6P?Q8To,N ]T.C"$8:lfWJ;N%N bFwū欄G5c-}B >F!׺χvn>$..m׈ ]=nXi0iW 7Sr9ي;L3;۴ٲ7׶;[M*"|@vzzCqC44Znm4Vy3yz s|f/uİZЦXFǒdLozF  }9i^r{P["~Ʌ̰*&C%g?6Lڿ?bэ N_SjV4W% 񆈺s魂Iiovl=fzP\KfzjX&શpXtM0jsʺ_Ҏj葱wW 72|M:jBFZ7(z-NDqWqs'L6l 3$ŞA:uJUxcGf1k.Y#i1M$ S;9RvLAЪ2X(Jlln`pB'3v ]%@g;}]Z+)L1O^Uq)`K Ȑ?$bPi "=FmuG񅎬T⩯9 R W7Xb_Kd|BOfP11o@Pq-R܇ܫi#5(K}}Yl#ҞMQ>fn(oGkNKl\T ܽ­lªꪯB>/C禾7اzJ06{KJ}/N7֫FA?X~e&V^%`0oy#ч3ҌQn; , l.#"zGnLaN3l ,$$ ZI!Px@ xK&&%_ 7 a֙0[{cX9d_kFI @iz,udͭn w.kVXA>4H| ld #_9M{g'+}U QC3 fIzϣޑMȗޣ 5`@M:[6.#-2Sw>֧fcx%o}ӡ4=Fr՜_=J5ɥ=t`z3ebybYtfCߣ_ROfH ]rB-gvBŎ@T/Yn^Zt?9a^W3k_lt-aiK_N"p>-&Ȇ\ vn}H [g* ϷTce{[7mW'=+ D3OV`uxCֶZ7\ZKM3ȘnyHDo#..˫@h#40wur 2Kc0ip\ooHedO|8< j?b{` 9*퍨:?i Z m{FTq,m7BB88-j"abU8\JHR,'<`Y;7ZԂ8u£`t)Ćs9ӽaz Z^`9SVlr&T`X"PٓES4xƄA iLܡ# םVQ _kPhfwH'r23n){p2tP?Z ➲QC3pC Uو'pLC6j1Ξɻ>-ɴ:GJa2ѫz*8P5+G>{gE סq8? t H\r#+@D'5:sOCe,mXZoE_`_CCP[Ɗ/Z5J?-Q9 A!7X @%7)OPQ+X:J|N`ٛ_bU*Ϗ ## ;ubDh< _Y5!(L;yalQ=tAғ?GdmiˁH6{~ [ҡeƟ@{g;=8>RtUXKGF2 V V _u7dqneiK1u1Me6V;Q fuI}h]UwU +VUYJf-l c(#uj|vlsI <[_ژaHƲCJy;ѝX1%-PN©gl&rPN)geb<`̽"xQ4E.Վiz3(b_LA ](ike``"7g9\p? ֟{F`9>}~"xc Fŭ-yo%7@zmN Q~C}ZaGJNj%e7/7bR8'@WVfmm>~jF !XEu]|dc ݣY![qQ4\eYu%BdUΓa5&y೏JJ4]*ǟVg7%ʤMy8VAQeR8>NrGG[eT_xlc}h%iػ-Ut:Sa;yųԶ_CA-Ihk2/Z17UP_C8gB\Ny×(>e˂~HP;rz9VϽU8䤦 "ZˊpTԆ<-:Y9Rz}fn) ɯ񦅎P{'am4iYpenPvӤua;ԋʝk9\eo}\Δ(잏;/oS1O"3MT -s:"ӁB(s?6²#dU@( Sa܊A~ⵈ-g42UY` KOԐ2^e,+٥#.zVDɺOo*/@ xEts WC58Lx;1\p{[PZ PֳlJ )d~wT_ NMpSP UkSvF]C+-[Ia({lTLӽ,S*'Lz5ko6zmPu(-wȬR>~%];OSEQR1b(r9^c]v_;$x>taiqE G_Z_ h,a]+N״^+j|JyPabRg$3B|KҘ0<al%aݟPfI Qo wN? UL#HNdKFP2v!][f)XeB{gZקh?+}D6dX6PhLJf 2<$ zKPb$dw{jTY- -߈w=gdbu;0Џ7^؁pn [i%kӂyf}Y$GjԊd[;*U-8سu&ϽGmQ~sjʗs|CBr]i҈#.rC6Ѽ0pWuMz΍/sV;Gx%ۻ}X̟IoAmϠʻf%iHix587Yx{ڃ3h΂|HQ:M8ahҊXSdg >@CV QmGE ;z6ۻ=ϖyIb\ [.) 6[ֵAUmД=,Hxp7jJ H I p$+~( H;_L28{. ,NOmaw'4H6c}oa0 U.q8& 3B0S lGkhqQӖF]ڷVI.z?tQ0|v)LÓvw 3r Q-`hO-X>+]H(k$;N|ґ#|y©7u/2)=VnU:+/:.uZr+kĂ`;|TT(X`u *=- ]~U} N h@,*= #^Z:)G 'b>%kITw2}Wqn,]1 o+LR㷯[ΤϤ.UΥ O^R}?K9GYLѲ_c1TQ~ȹu{ahQ4+J"1"QqV;5hZ}*xd7\MuMbMH}aWYX!_cɍEzB)mJ'sCҲ:H>y0KƮ !l,,cG3så2 t5`eWH+d=긵ܠQ0 s6 cZӻwS*Db}pyA+/LqȄ@Ğ*HmX 07oί]@zF)`$&\a+)Y)C7]s5bse-dz2Xxq9w #QE$:n!bY k.g;7,! qK YA $'e%O<]j)2U hpqbH;Hd{gU21(u |EEͥ VJJr`CxQUKbMWtڠ8}%~Ve1}k vkkFtA 9\PM7~6@0?m:13R\g`Ӧ Aӛĥ;l$uSrӟa8r#rTFDhb\;^[QHxjT9/kk"RvYP+W59/mĝ\YO"TF#;y\MƇ` KcwC|yraHj$+;Җ%J(z*n!AkXʕ i,0TI"*\CZCk~~Ke~VkR.NؔXT _/Xֻj2ɬS:;GP@ox vOo&`,{ΒJ7B3eqivE{ Kb-ձG'&}nL,LV!nlKlp =o'3TD/o$O37Q^9#H~O2;,\"kr'_Љ/Q/&wUSHgkK*#MC] d4ア3Mr=)Eկ WgI9yۨrʿlkc~g Pi8hkƎGӂ$8 d_9^" ٳAm:=7aH~eu>T?\ Vi7D.X4;d_=i%xCU%yބH'\uҤ4%*_h ͉ ,\˗ъ>sOnm?`@*Hچ Z҈^۱eeqeNkc07a9-8GY ɯ 99PQ\mAX{#6TDIdfG7=:0io/YȄs5Bqp^E=ɇpjiMI]D?ޞ6·W-u>{}agtVq ߨz)}YUګԧiXm@s'ue#xr KT߯a8{ 2X.de;3-M<.^fXCy ,h{vk!B+Jv-h?{vH-^RJR y׫ HȺMTA\z.e 4'k&3FFDeQ8P|4<6Q[vort`u]Ư(6l0 Ebf8PYbV\ĵ4E3gk h]"zҩ^#8(f&eHEdv_EH՜m؉j)7u~7e6) 6PЅW)QnRM9^A5y/o0;Ֆx0W𯂽(m5wV8᫻QkV>qkrҩ/ݫlZ.k2kszvh}6(zpA' ^]p>e uv&9h8*N;V_8!MgYp3Oϣ[S>}:HW40hܯ'W }Ƀ<곔"κŇ07<- /ն7{ \#UAy Jr0cYԯoc|3Nɿ4fN+rժPnК)FHgCK"$FA$55Ɨ zZOzc<I6] 3%sDsH@ _LY:NcA,AnQ (_fHk!0BF(;ix;^y6'Rh+zmz0M!_r^P*Z dQ4_fV#ʿK*HX?)_KE%kR'Eы'z9꾥E{-\E`a5I"oC8×Gz7]Bc61 F#2+l-}Yl9#=g& 6rz2U߷&Y26lsDIy,Y6eV8)6}F, |PZ.Ajt$OoC.RTkكunvgB wP6[S Q-#~F,ikL((KȸN>aV6^ 0DQ&ߕ@?H Uѳ>o>y>f1e27'ϣF:<Y%TėY+X8?_&6Pfws!&,F,!mhe4:S!!e-eӖH2'S>s"JJU%g]:%U=wbBCxUWjY0k&\{wdlT-T&fH6C/N鹔Ӯi+MD'pI[}hBvr)xњ*gCFM؋k#z @6?ɷҵ tԯ:m_mQJ_ԢC enE:{`c- p-OP ơ$hur˻`{t!;,J!̅ [FA"j"~ 0 Ouf@uQ3i&@+.k #*jxB7ngagdKvĥaHv5T~K/J~10~~m Vm!4F z{. -`C qLsuac@[zSiCq60LYzN=6E*1dfYcuĀta]xij#n#p9rɁz2Emar*Q\oONLE8$OYY ?w0 v? BaEQ|>22ZQo^;[ހ!4Yd/t9."48 q߰"(jH8 j^16 jhg /ZDuj<цl(\9O I诏 #Pg B*1b∐$x:.DQS !uM<=}nW ~~'O2Cv-=jISn|)ulq|Vo|3+o1<>TUԍYU%Sj~A,UB@;hKؿ1iB)q^'UbB)v2g֜Sn&$dt1sJwJrzy4]hk0:bx⥾|EC, IWQ(I^*m0* ٭,ٺ$&p}Y!R2Ta Ruw0jfB*Boo bSXÔ8prpT̳lmzFSd/~oX&n{qcP+>yD#4錑~@lt֖Q*z̺מ˕aQqH"h 5[ek>L}YI~wx|lCa!ݖ?'q -NQu8焨(&g*UEvp!:", !!kOY 'f׿7n?g8gOVƍ^љϭ 0/^iF 20 t܀F';jܡDAN,w=\GGF}+A LwFF3Z(K\]C8Eқ9ZU_Mv4 v]eħ-AԱ_*?=Mu2CMv|QLnBDMJfS߅t5Uz@yJ,cMCN[79}+^ylsw%F!>$Ǭ:#=_ ^Y p)+zJJ2Hxm-.𝨠_+9NI~|;83`I))£|3%oA۩kc oR(ȸL V8ԏwWb[e!A~0wmm jGA & =&TÒ zrl@p'BL=/SX%`(M"Zޝ䦗67ZH%飌7}>"`Ą 44o%+ kﰝT4/@b9yhKJ^~}S8r[GKˋQ0ѣ_C* !=9>$aOxv1sP d:W0 e&dF7ۅA D@gr[R܁7atI~N ̼:]ZFEm3 wDt{8j0RF"ָǖ LsF"{].O.2]c֪^LhysX.H`[ڮ RBYm!Rr[Y&OVpsx_ rTv5+c>ؼsJia4*ܩ4~Y )Ѵ"4`L&0K`uq-$ $١g4S&".d pșˌ^Cuk"#eF 6DUoXh8}0QYHLe8Soé Ƅ- KǖC< ͷ1ɰm;p\16ME__yјy9"N1zL'S]S} 'uO kb  WY4_yRL} 1g|S5Ϩ ҞAF $J3>l3ZT[G( 2&f X #G9P>݅g!;v2"M N(@m0?#2ԍ *$L̗cGf#D N0!ͮbqV]8>2deB*Y ;Z:8MMفׂ)hg񑝁-}S]qM_Ҿ@虳AGbI&][Ӓ%(@.ҾuOkrcjQi^CW+Ϸ)SV|/˩|ƌhQGIoۄQO6?%vHOI?ȩpy Ri1J\([̤uX:`X`'bH*+yCNH }+kF-'7W9ܱ.>8F v@SI?Ps!0OBw'\/[TQ=f2G. g30q"ˉ[ qv.q6YElnk8\>9l;ou$wHzN̾3X~EIe [)bC_럼&/Ľio)E(h6\ĀQ5"x{0 ?(MA"AX(KXMH 1|tdN9,U~΍~7"xmQX CHc![Δ;Yn%`_"%R{yP.DrIR .h yه$4!p*r8#0aج)d`J` L.;G[W,IJgĢB?_{kyO}tIp'l$WyvhiwDz#DN(`Po)5_,;>Ί+zھKVX6wq"2wn[g FD̊2K2 WZb(&Po~ pUsG?6ٲ 88ʓ㾆=Z{f3hWF࿎4+FP'EȮBCJ-WL-[.Q/f-Pm٭,v0+?aAҮ4d q-ˀ|p-󻎡RbddEߧ( DmOŅ845ZWqؽYYT]C]/_" DCN]jX@5_LiU\d3" if-Y_$uXx̠`|,/;ww6' ?yQ5d6eT {:l hT Yٵg.uY/,Lb@6VaҖ!Lqջ =л1SW$4[ׇĔTW~7渭w5Tx6f%WB$Dڝ %?1Os"pL?'!Cu:g]MxPO`WzhT;~XFc?c :#o*lg lGB8HǗ*y?ΦiK%-ol_<숑A2`JBҖ&p}ȨҬ* ߣev}'-̴61*kWxNʁUXP5A/WT_y;N<ՖQ?M7T=`ftyMk|^/&*$IOaW},PcJ6x.b]0aAOeq奂|vab/%b"e|dI-\bܵ ϿS S n=F6{eџ' 0}ǰ6[ϓ@ZjfH%J"+Y~%HG\0b5ܦt>6ݰbt;i)EOa&&zZ1KRڪhf͵JKxzTZҧ^ ɵs]NHb+,Qry~.!%JI3 S971(FkxM/4@M\j¾熥|HA~5XTkt{Go"ƬpmnT{bhib՝{jR\Fx/-7^p}|. C7;0wwxU6jkBƇ^Hof5S`3UtO3FWT~OXս*w..1yA`Hr2jAo9 ֡$*VJJ; \.CKRϚdx9z Zn ~l=lKȷng_C:.G~"h|-?L޲!H#۰`jHu1M$3>R9XJjL^wcZMEA\v܊CR =ײPz3px=U:c ^JBD$_ʓ Pc{,usGB,[!c#P@q1U Ҫswgs}@^/W\ (坪 s)"YQToԅŝz ӓJhdzxBʑI|;}&s <jlr€<FIMv6O XːjAB&(@!~B lEE(.w+-ª^A;"ϯ/M'a1˻!2;/>!=kcHE=?zG|R FR>K--0?\|^,[ZLh4-Xxz%݇(UYn9pIYu|{(l/,p`DUƠ4m#FUKVDTރ|kmY;0goiIJ"!p 9Ǯa}y"cpTGyJupOd;_lOT[Pb/Ӧv8_/_קZK0PRjϮV \qJ |5>ۇnF|Iz.'ԧ3mslC-xva<[G@؋mA\D<,\kxz3%]A4nwWM城07W#2Blz)[}P`N&Wr9^sP;<!,>u]H<6+ ~pe񦰃$xG}YުߧM'*䫈p'7:t(缽 iCAFWrh'`DƆr̽ujTGo_Mv7SO"tFLMVcsjUMm#墥+:*XC?nQ@oV&BIG \L2n:&Di;R#t7e_Z[Y ö́=c+'3qРU4!~? F@mu`8ny`+@9ȸ!ygW62PԥuLH2^'=Dh /فf([ypjB̢]m+{ C9+! Tm<ZiLS{nA:{@u5/l<9 ?~5[xko,IȜμmU@Z1g' FX]T|^SM,AҾDiKY|8S@]Y:lDޖ{FsG|@BECR\ i!$ /ߏ>G^x\3S@T6 IٹPԼQfɤWGV$|_tE:ۇVΜ46aKX3mfWܞvf/Z[VOz"5q o]8lOje|/Ι$˦}=mJۼs} }@) S GP`; 2hOG$y1FמqBrUpXKv+Zow03d]6={dרi^-[|VɾjOg6Phھ}B4K]+YykɟMr-:~dZVJA/8f#RmNL+T^@eZz$r0) q#`_֚,'zgbsg@,ʎzq<|8R3P<_\ fo\s,N&v"f$5RUďx/Evd)yZVIIA/z<v__obyψtYxlB9z]WdVQ)5\{0f1LϿ^twR<ٮI$ ޣ'rTz,Eۓ knUM=+-N+ H2BG0:mXKs- CN?%@c-).Ĝd$/Wb [ɋjҗ7Qj#Zt&HdȋРO#2sօAZb~ztHKEqZ PC h*S ^ȕI{{l;ŕ2 ҺYNk!?Pt;L.ˁ9yVl o9 X⏣vJFp&$ʑaAʿz GxaI(M ׉ѽu'#y7G{ow{BLǍ@>ܞo%IqAZm9!GqRLk} mHAO{<ۉ"O Mfla\e5TeDRL{$QZkSuTY#Y٢ll!A҈FX"98ѯ'm@|Dc)Ё D(冐>U 鉕(rSb]QcgcJXլ01zn DXS#&+W;g#/p-ޔONOݶ<ٳ"aS^|Ҙ¸ѿU&zb?A w)_*Ϊ*bvP$e@͉6ǔj׾eQʉL'>g8C*I8P7@Xn9C^*Ȟib>y5OȰ<%jci}Qx]A{`ܟ= rk[X D~f"Osxb#b[wR͍km0  y6Fym6wQD?n&\EF'jߏl9*z_}0V+Zx@ 2TK[!jWrQӰ*`36xg6\Eknhtْh-Z#0һ )n!E^Gz#zG'/9zo̓G/g h2"~@̌:+3Z\W#jMR">8w>ޒe_@i).tOT+]8<%fřRh71oM0}@%'m \>^Ѩ&s|yMeי;jjW7GKl^ۜМ=&@M !Z|K;/P]8UIts4h(qQ>ĆklQ7=k(@)[lS7ʹŔ|N-! ֩n=];'1ƎlSrR9̸mY=+`T8K?h!hlOخGiQg]ŢZuܙ&i&̙,BN>g' 21#>) uڒO>z>KX~}6߄p7ZO0箆q7#Q72y1#Y dߝXwLT{~AMmL9sRAE ֖>i{ӎJDM4 ͆cn_>cv| %&s/"oGl "{}OKC3fE0cj]:i^n>MG'I:;Xb="^x&l T l Uo:6A}ܔ49#3yIS!=e=dwB'I,ǁ9uSQL7Ӫ,*:5U'N%~0ð̘T^/{y;+|扉0MH!cw^n>HXS?:]TAz"ێʞ!v6i!A8_rG<(l {6pk#@ 'x䬄+`q@q\pS >C}2.Hn)p L<;vz Z>H^B3M/@ke—*GEPXOn(RRtE-䓝jnyzݣo(TqTd&8J2]H3)W\8<+e7 ?C~Y@{)N:4 S\TrN6=Eo<뱣7mb3s IT,AA<:c"- 4KTun2#rd'46[㪛F1i.>tuK)a|8^/ SuNB#,+mζ*^o-5#~h,I6=i,6˭+j)9=-VEB|.ppeA0Jj#{]"B@V# K ؚ̎Z2:bu6˟(hwLӂ(_KsNLa3_yZ֢N߲zܷ?"5f*5: 9ҳGMhmvJa$fH.TΊzuޥWvi',1W~?^j2Cu2BU9^I\{R05~!87BO>X$={"_*1aRk7?=G! U&5c\4m O˃I{1eP㟯fU+U[Jp<([ⰟKʼWDˆHEl-5}n_V-sOL+2og]YK+1ki;ϟ4GUa2pUkiͦ>(hX%i#0˻Mҕ7jkW_]AFg%}_BM ?ڏ"R=` #1>m# p=0hߒqkIY1 /{gL+~\S%Lm5_L18 =ۜ_pp ۙ.вS~eTHI@ww) `__!Cz'G"D3(y-C:gѩUFB p,ԈM rDȬԩуC#̅0y ?ƚCΚ;F ĺW*@' pQ_@W9pvPc:F<6pPM ϊS%o-HW7$Yzѽqyn4~+bsFCzKL81;#uB܍Wun (PbqٗhB=IJ 0,56"\r)hTE!Gτc aNJO XW_ l,)(c.UPʛ)p^OϝU:Hn @m%=XXUapěJëUMRiFfiVG e>B^hށzqDa [pf$AΆ38cX.2+\ynt;+dsxKbbO莜|hc=2̋)D= ,%쳉'4)m`$$o#hȫH,PYBl(V`5u5Ae&Lٶ(P+^j_bM.<>]j _5lE0*V*+[Ttv#/#'e\M'\- Fڽd8NO .:9T7[atK^`Z(Gg$cMgDeX~ ?4)<?{)Ö i%sDfU䱖E[qJtD0{&#aFQz Z:"1ZvbO?r=G;g?ZtLF Upaeze@V0`r$ ^Cb-o-m<)pO!{qP}6;ٻ :c0Tz}ETX@_h 5M զ+.΁3LL[hO \Isg'6 D'U iDVtrU+1ttsTOK'3燽SrW)bf=Fh:)KRȏdWI dWg|?DD~KD@0˂B%Rw*ń ıCvV|K30-tRWS+RY>uTT`+u~˺%f5cd٧L(O&it7ә^ G'd<ùK-Ǚ#!fg6y3Y,I4(Fh)up#) ԧB t׮ scEUwJNʔNEUYTS|,u1=(RqHq0+ grHX4 @Mڔ XȄٳPg?z @: WSx|K*š5J=]w"-yrB{*~Lx2ZF&!o`æ6HALHHOosSC*4C. 5zkM_=2ԇw]ƼUtށI/Ig@Kro(mz'rfE|{dz17 /UƂ| JH UPRsWacC||ݓnedgV/{<@@5SU&a\Nj3*WBb8_<"9CN ꃶrsDUa45d :Ъ:QHV^V#># 3M\NV򸢔dTw>.R'k>{aӅԮ;  L {ݞ?u-ҙ_qRB=cuDWr9tQlG85WLg7cg"y<, Q|rݽ}-6:s >_=y N)2e˿;l:?\XڸhtgOB*]x!Dh>YԢÈ?)o'EGߚ:tn pӂş. [>B dp@w.f'u!}}Kc;~pi=mmJ+|lF燯 *f܉i`0x 28ԋ᝟'Np7|]f/n+nP_=3Zg'tW#,;!6׎bj."|";ΆSyo?·:7ƓG:w(~mKf-?@!&&H6:;U;FJDoz{< a$ ኲL+jyCDJ4Ҟ|"K :N ޙG9[pDª&v{Ƅa}50Ed2w?-RL,^Erfإ,{a%38q+& FN)de5zQ?<=1*7:ڽj}.%<lTJ8G$[)ߤbv|NkԟIYOXәw5wjRp`اS"ZYO'CdqTvts7^U N6,\7~+BCeĽ H9tkk(?j+% S2=;ww4mNφY,"sKë4e˰_3D`G8q$_-|x ԯϤ=Ӗhv9bTU@zTI?0A c<c\\|K4EWu* bfmG|ݥ F,vnsуS^NwGjjtإ~G޸U?Z1hx><`z=N%^&,p3ϪR~{T)OVxpQ3 |~'!CҪ̀[˄҃OMwys7 "{  -[r{~.ܢ` zEԹ|R7_Z ApN#Ж~[x VƎ qa5U <_XrhqӑQf->è"֮߮e,Slua tO_z 6Kt#جƨLGg7eȃ1,W蓝3IyG/QWz[?h(Og]6,SqhK:K$RYwWJ~5986RSr^ټ+f֬BXSt3j:G;z[.囀LMmaCZ]T .r*,W=^"ʑ[l*@)p\<$:{̨*Gs+X&>o?:lhGFeAoQe-]ڭE4"?9 b]"6/U.LcӉxpƸO! ٕTL.owUKkHNc1>Wj}l,. F<XBL4zH9Ř#X7/=ator1=צC"[py{N[KsQVFVs]TtyZoLZyQٵD6D"A?kU'@Ǵp5u-ZWh}H M1Og.}ia<$DZeE$4g_ad#>EG ¥|T.ca)O mwze0ɢ'{vNϼ.Aq~ZL NG-#'OC$+ 솙?ORW\]M{]jЌףbQE!5:! 0])"ςAuxm4Zuxz<6:!B!ϛTFzY]YJ-R9c8C|D D{!4YpD w#ZvCԯ)L$+ u.!pJ$})pFhfN8HgтPWxنȯ"E=p_&w>cmX㼱[eLAqqp5:!W?)\Lʸ$\u_g [H4ߒ%'1t][ڋ]ĉ M[9xݳh3eӎhT؍#Iee}*#7}9ua !<V`:K9vYJlIjYcbz Cj=ۄ|cC@K )Gnĥ 0bė@\b>|e,7{1-sI`mU-y4Bସ̊;2jEAh$&O H[*LN@yUDZP7s-CHBrLE ҧ_ s4ӂOR.@gA` !@M;{ C8Pԯ tdkdau&ncS2"\>b\ e~G;-p ZRy5#r!N4VA1{p[&Z>@/hu ! siB,~TuPQ훤 Ȭ+E3m'z} vO6/8{ԩ&)`8/9|L> Te>iD޺E~!r'z۬r.-; $fy'AG6\^uyʏc`G /. 5n5ةp{Bm \$6}] zKYƫua!P@&V$<b-!}Uoq#Hu#TUQ~z*(JUK69n4BO-`[lk/(L+*Cdi\;l}KeV N {ӮǤ&2*A3(\~䶩a y"'1W+ &/AyMT0(h}{_XCg@+CCughp ҃Q$xZ7^Jed#UZR:Xk{^T-}ѷV8{Q}%q=\ i.OPr/#t@0]1/THfX!glh%ve`P'VSat 9R/J] nUVɀHQ !~2H_ĹF Oahy_qUMy"B @I_ 3L@xҟ37 4Ii&oY5FSLAGVĬΩxiM/= ekRd.cU S1ɲ BuPr,]r9$Eew$2pLf4Û"W1?}n!c6a Kc=!_OfEZK10h0fۍ鄩0b>Gi8Ì: q2/.qbP IMf.9ϧ):g8kfd&lځ!hIyam8)8na,j:I`qpUc16{ϙnz(rɪ29 u{vRDTp( u 46,<WZ?#Co+G9 A`FOrk5up,cWѻ3PLUU^aTan[X퀈X⭓#u.D꩘x`TUe Bϻ |L{\JM&UMmY1Áu"FLnQߕK?KRO􉣗6 BPO>T3 AƕWC?ל9ɋdŭ'S"N TaY=358a[65B,zB+Zf+Rh0ç4['XhZS!>_ 0ٺ u7cjܔ Z!zg#%nW8څ OQ*7lOI| QSݹk:f #+K(yxF $~Y!n! |RaB2C~7;jy1M%Yի$ :-Jt7 뇥_ʺ #}QV4W_%]JTeL\ȁ:;uAد.ےTK rMh9P;ONpoYJ'5ToњX(BhIO ]լԥ/8 j0p Q0ntY-5 6s:׃wL΂t}띇d"SYg4x r+ 55:WӸ"nlA>:_%#ru;rp l8<dKaL .\&1"u8Oߔ Hr% gGͽfս#~MZԦ]# .gM™xkߌz0ad͒ÌQ=FJ(1 "8W!QZ c77MV:V7[0L̈|&5&c+#B5}I˗w8> ,Uxh5nT7NZ&pl )<\.fLW].\Sh n<}fnPwSdiq i|\- AXy|(g0ƪ hi?d&d0B®&gW4%J8J3cK16I*,V"D4:\< #)1oneVǠ<-OےRcV8*ަA}ĺi #wU%_Pry0(;lٸBwS'҉ mOm2vc{a+j ם Bgw\ ̣&ouUQ}uσT(Pj >&좘j~2\;'8? ᘲ^&$NXAqVMaehʺE6%`{X.?2cyC !($[bpm볙#?_ MV̈́Y=V r!Xlt~1Fcsl[*:93XM&|/9YfޑYȈeF9q2n)-$ƃS1-%;b sdjW Zs FِtI?Y_F= >Y}8.1oaθIV!W*>|1\&uI͢jKA CV2l6Z~|D$[{t)Lyh3ݭiǠ6 e %3ʒTfG;>xYb}rȁ *N4>`OW ~(ERnr@gƫ ~}C؂_yWg躍~wb "xKth*&? bG7Bï6w^3F՚w2;y"c!Vi(]1FFz+\/<$%#6&хDF ̵Vd=^)HD˪)HȥF_n!ȸ̺}L-^ :(wΡG^,jLk_pc>?{^M<|n Hw%S?vl $6D /1nQl@"qƜbSѷ:k! #I3\|vՇ[-`ع7X"6E$PxmҢAӢ~lIdst[]Bߨ͹%[CZr(?f`h X6:yS-uqLj`F}w[VGX?^)P̨"f ^GdeA^y8uŌ!ua .[Sf)RGq$U%݄ܰrj1?-uO)8́߰R PpS(a^RmD,vTg<~VuĄAu[[*̏WCSXt想@Ǝ38 [;O;(gFCFzo {栞twNIM G*engxݟ X]Q $tJJƸZ:P1*ih9?xN9N ƺܥ C_C*5GzLރh-oQdE÷), W}>tT$s7͛zis[<&|{Iey*\.Ynz-)q;tş$}{fP\d) ; 1\XJ"݇йܝGen/@nhD\h2rQ%#U'ə+jL۩yb\WOm{j>f;$턄iLFrE#xl#j< 59V|5]C_yq8{RwW9d/Ou&H olT~VltL w iax k݂} 8A򢟤Jw4-Psү>l:pAr!qi;㷡i5ɴbb΁ Zap1GKט,oe^s|W+U"8~בq: /P=~l|7oOJH  |GC0eN_nޞPė zzq@E_P(H, wqTL":TH٫<,=>E]%  =@v Oco-Cqvq]>)Dk#+6:h)ay/Gպn!( Ä3O CK{d>JWpcq ԅHޥ!iIpm:]O_A: (" `R@6kS23٦|vI4Dz\4 d^%ljK;γz֌OYvWZiYC0@7&w~$Q0kGK>;F+N ̢ bg@R7'%g1yHL9Ջ5hgB>N~`u_ӎ0ȯ30B 3ЕC ?Q}k byaNLS DxMK;Gs 1jYب4 I.%ō/QkE3TkΡPW~;>pDoO&czb́g9` vRwـvjA0BA}v VWGV*)hV6 v^Z2cxOq0KR"yxn|+3Xco 4-k 686ܔ̉9o ŸC6g*$ZŽhs+ӥ)\$sPKgsBTۧvI|g1,yypOP ^DŽA3ɕXxrN* EG*#9$$ R{Զ>Xu5&d+G/F5ɴIaE;S~ַĩ(@:B}1]^M;1`A_qec& E@GxZz.mœ%@i쒕sQ6Ebt/!#=w{_/ȯ”p9u qW=m f?)Ec  Ĥ.Qp#8R:!ӎ<<ϘܖްՈnb]p(,Ŵ;exUtޒd2^OVMV;fwg]_r#/b6AYl6ܸhȩِ͑jq=hɵ=B֔W.B+ػ:˶.JvR/FA!ɐ^΅Kg[Kt8_ &ZO4B]eSex}/G<{P*?!9r\Fe(Lۢ7iy5g'A㵶`<.UwS0JFXMZzaRDl' n&gެxU GP7|@bmavƿr sI!uI80$rMuF٤%o`pOF1Y@w$y&َP1q;/(_|sܒŢ F;wQGLaj2`o_$d/?Dӻ[?fnpr62 5f , {}&Qoդ$UI0 :Tduݚ tG&toW "Nڱ@Q'!bH8"fbp0_mRn'+l^e.>0s_$۩<{WW_GIĸ&JJ?+ؤ;z\pFF 0Ԭ1mW BIp| ,ũͽ:L%cVx]`O3q0`#D0Y9r\^1^ApyyQ<δq͝NNǛ+S!8;Єab'KW]^d(Yo'n~](_N)ژ f8[g9ո Vz!KdM`:)-+ʙ)U;i$C~xT!~Zґ̏Sof}x #%ex%a(][ aygklҾ7'k)Ruq-K e+V%,O'QeЋp08kbo|ՐW7#cҪ m2mwg,]B&y6f2SO*_+7qֈkBR*`-,ne/BaDTȞ,1K9+u#G=8=+\ ( @7cYR#ɽ\R,òj 8zZ\Z1Ua4T؁$TXT X4 w;}ÂW^@͒:loB{{oܼ/, vo!_2&@=0;B`!1a&UJlckq?YUW.?o+GU9F<ИTͱ/-dvϓRm/[hF@mUOL=44Y g@1|(v_,2i0F@v6Zc]e[Y@^E-6%YrmXG"&̣4L0r˞tf8r\>ed> 5zQ)VG~.`W$_. 4/PVk18\jU-^SyW$^ۮҁC+WU,$uw O+r`/?RnXLFnS(G9΁)M"Ds^YE~7S/ F @gO˻65nϧ pA Ѓdij`6_[%'!(-#s=3#bEykS%rQ>!jG:1;_s)$9F},~k$Kb{}<5qLW2p:,Jl*GC*۬ӍlOd4-UEe6.,sF+^IC]ii6A6tU~Qgo8-15#ѓSΑv?*YpP! troa22Dl-eq/W'eGeĚty D0ȖgTǎ<^N݅aA>L$zl최 q5`qU"U/O4 ;Z0-q85Z[%֬(j(+h{(8c ¥5i=/ jsy:{v~Cٷ:Ȃjwa$Xj^gW z*zz_(j["ko@1wO,5R%- ^n?)xBza{l  YG͠VN(lݒF0-J|?v h!r-K&Ӽ,ƀG$<#Oq ϔ56btJkM0L]ALȲG+YTn]?ˏO6UwV(|n_6]YMl@hЧ*}#ގg`Yn$ (*N,2ꄋf$ShG%%?1C͗wf GSNy#ɭ7( EP @~ ,WDŖZMK@04{OOG2pBNSBi&J֧̜hO%u܃fȦפqov`m#ц+W5q9x$ L0uPo4Mg߈;t ul|αV^?]  v"l1mc*gR> ~cJ4VB| ]V)A{HQ|gn[ڢ!xIdACwH8mr/=P*8d1Zt*_ oq(&!Wl!"3KdES{ot}^#磽Wawk6pMZqVfS<zfh ({.s\-Z IOկP3ߡxϼO*Yܸzc j 8y'Ro7}aPAAn mĶ YZ