samba-winbind-4.17.9+git.367.dae41ffdd1f-150500.3.5.1 >  A dWp9|"X^<c8mgp>cˋi j@i8Kj/Q+F.bVGW[u|A/)jtMˏ:5%yﮧZeTQ4q8F6FPtI v}ֈ۾z$LV-h4Es4](JC:gfT"IƤڱп1RR""]k@TMg4:) J\s1*54ead756e453f720ee38638859c115279716444dd8f87e9ad8be974f33049d661d3f555c8cd9a52dd0ea784c913d302ee3644b50bedWp9|O]ȷZ zh;лɚ4)j>R@:.#e|J10q„Puu&u#( N mA MbCTE1) -ɭChixFҷIЎf R.g+.J7!%wgS.jmJGv8LW;3]X[=U\j^Cj 9\&Bх>u f'ËUin>pL$?d+ 8 P *08   : X   C6(7879<:NR=>?@BFGHIPX`YxZ[\]P^" bcd,e1f4l6uLv wxy$zXhlCsamba-winbind4.17.9+git.367.dae41ffdd1f150500.3.5.1Winbind Daemon and ToolThis is the winbind-daemon and the wbinfo-tool.dTibs-arm-4eSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Productivity/Networking/Sambahttps://www.samba.org/linuxaarch64 if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : for service in winbind.service ; do sysv_service=${service%.*} if [ ! -e /usr/lib/systemd/system/$service ] && [ ! -e /etc/init.d/$sysv_service ]; then mkdir -p /run/systemd/rpm/needs-preset touch /run/systemd/rpm/needs-preset/$service elif [ -e /etc/init.d/$sysv_service ] && [ ! -e /var/lib/systemd/migrated/$sysv_service ]; then /usr/sbin/systemd-sysv-convert --save $sysv_service || : mkdir -p /run/systemd/rpm/needs-sysv-convert touch /run/systemd/rpm/needs-sysv-convert/$service fi done fi /usr/sbin/sysusers2shadow samba-winbind.conf <<"EOF" || [ -f /.buildenv ] g winbind - - EOF /sbin/ldconfig if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$YAST_IS_RUNNING" != "instsys" ]; then /usr/bin/systemctl daemon-reload || : fi for service in winbind.service ; do sysv_service=${service%.*} if [ -e /run/systemd/rpm/needs-preset/$service ]; then /usr/bin/systemctl preset $service || : rm "/run/systemd/rpm/needs-preset/$service" || : elif [ -e /run/systemd/rpm/needs-sysv-convert/$service ]; then /usr/sbin/systemd-sysv-convert --apply $sysv_service || : rm "/run/systemd/rpm/needs-sysv-convert/$service" || : touch /var/lib/systemd/migrated/$sysv_service || : fi done fi [ -z "${TRANSACTIONAL_UPDATE}" -a -x /usr/bin/systemd-tmpfiles ] && /usr/bin/systemd-tmpfiles --create samba.conf || : PNAME=samba SUBPNAME=-winbind SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable winbind.service || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop winbind.service ) || : fi/sbin/ldconfig if [ $1 -eq 0 ]; then /usr/sbin/pam-config --delete --winbind if [ -x /usr/sbin/nscd ]; then /usr/sbin/nscd -i passwd /usr/sbin/nscd -i group fi fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ $1 -eq 0 ]; then # Package removal for service in winbind.service ; do sysv_service="${service%.*}" rm -f "/var/lib/systemd/migrated/$sysv_service" || : done fi if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi if [ "$FIRST_ARG" -ge 1 ]; then # Package upgrade, not uninstall if [ -x /usr/bin/systemctl ]; then ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_RESTART_ON_UPDATE" && . /etc/sysconfig/services test "$DISABLE_RESTART_ON_UPDATE" = yes -o \ "$DISABLE_RESTART_ON_UPDATE" = 1 && exit 0 /usr/bin/systemctl try-restart winbind.service ) || : fi fi<X% E^큤큤AAdSdSdSdSdPddSdSdSdRedRjdRjdSdRdRdbd95eb7e0d1e8c973d39fb53be9be46276b21bcacd8b0ae1adeeb63651f6fbea676af835bac5e037fd6f6d9950ea49ff3f39bc693d479069190927c1c5308395e6048a3dbce3e88999810b512ce75134c7103b37d4a1bc90b79f0222ad73889b0f746c3041f0d2f4722609f37737f6ab8b5166dbb0afa9a1ca3ffe28514484048c787a47c3127f9c5fdde2848eeac71a06e22cbf997c132d74ada549c086e0d7ad837116f8de04fd9522088967fd90d1c40b9c1d8ff9bcb53a11dc27e7e4697a9aa6176b1be3cead28bcd01f4cfca24c2e2c8b6261f889e918c7b10be2d73109a16eb3e6b8e2bf0b1ee56f8a98e8ed307633badc5f3c02d8a82a4293ea47439030a541d01df1d0c4dc780487ab84dfee1c6c724c0bd79001ae5e29f2045005f7b527c1e3e15f1d2bf6a6e64baef330c253787c428d64473838c5717cefca74719b1fe75a376c797bdff3a8dcc4a3aefa3df5b589fa625cb97cfcc14f137d48cc6b4b0325dd3211474ac785379683cc4e7f17e211327fb9d536c1ff9138de03eservicerootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootwinbindsamba-4.17.9+git.367.dae41ffdd1f-150500.3.5.1.src.rpmconfig(samba-winbind)group(winbind)group(winbind)samba-client:/usr/sbin/winbinddsamba-winbindsamba-winbind(aarch-64) @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/bin/sh/bin/sh/bin/sh/sbin/ldconfig/sbin/ldconfigconfig(samba-winbind)coreutilsld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libMESSAGING-samba4.so()(64bit)libMESSAGING-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libRPC-SERVER-LOOP-samba4.so()(64bit)libRPC-SERVER-LOOP-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libads-samba4.so()(64bit)libads-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libauth-samba4.so()(64bit)libauth-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libauthkrb5-samba4.so()(64bit)libauthkrb5-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libcli-ldap-common-samba4.so()(64bit)libcli-ldap-common-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libcli-smb-common-samba4.so()(64bit)libcli-smb-common-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libcliauth-samba4.so()(64bit)libcliauth-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libcmdline-samba4.so()(64bit)libcmdline-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libcom_err.so.2()(64bit)libcommon-auth-samba4.so()(64bit)libcommon-auth-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libdcerpc-binding.so.0()(64bit)libdcerpc-binding.so.0(DCERPC_BINDING_0.0.1)(64bit)libdcerpc-samba-samba4.so()(64bit)libdcerpc-samba-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libdcerpc-samba4.so()(64bit)libdcerpc-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libdcerpc-server-core.so.0()(64bit)libdcerpc-server-core.so.0(DCERPC_SERVER_CORE_0.0.1)(64bit)libflag-mapping-samba4.so()(64bit)libflag-mapping-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libgenrand-samba4.so()(64bit)libgenrand-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libgensec-samba4.so()(64bit)libgensec-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libgnutls.so.30()(64bit)libgnutls.so.30(GNUTLS_3_4)(64bit)libgnutls.so.30(GNUTLS_3_6_13)(64bit)libgse-samba4.so()(64bit)libgse-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libidmap-samba4.so()(64bit)libidmap-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libkrb5samba-samba4.so()(64bit)libkrb5samba-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)liblibcli-lsa3-samba4.so()(64bit)liblibcli-lsa3-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)liblibcli-netlogon3-samba4.so()(64bit)liblibcli-netlogon3-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)liblibsmb-samba4.so()(64bit)liblibsmb-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libmsrpc3-samba4.so()(64bit)libmsrpc3-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libndr-samba-samba4.so()(64bit)libndr-samba-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libndr-samba4.so()(64bit)libndr-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libndr-standard.so.0()(64bit)libndr-standard.so.0(NDR_STANDARD_0.0.1)(64bit)libndr.so.3()(64bit)libndr.so.3(NDR_0.0.1)(64bit)libndr.so.3(NDR_0.0.4)(64bit)libndr.so.3(NDR_0.2.0)(64bit)libnss-info-samba4.so()(64bit)libnss-info-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsamba-credentials.so.1()(64bit)libsamba-credentials.so.1(SAMBA_CREDENTIALS_1.0.0)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1.0.0)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-passdb.so.0()(64bit)libsamba-passdb.so.0(SAMBA_PASSDB_0.2.0)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamba3-util-samba4.so()(64bit)libsamba3-util-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsamdb-common-samba4.so()(64bit)libsamdb-common-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsecrets3-samba4.so()(64bit)libsecrets3-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsmbconf.so.0()(64bit)libsmbconf.so.0(SMBCONF_0.0.1)(64bit)libsmbd-shim-samba4.so()(64bit)libsmbd-shim-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsocket-blocking-samba4.so()(64bit)libsocket-blocking-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libsys-rw-samba4.so()(64bit)libsys-rw-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.11.0)(64bit)libtevent.so.0(TEVENT_0.12.0)(64bit)libtevent.so.0(TEVENT_0.9.12)(64bit)libtevent.so.0(TEVENT_0.9.14)(64bit)libtevent.so.0(TEVENT_0.9.16)(64bit)libtevent.so.0(TEVENT_0.9.20)(64bit)libtevent.so.0(TEVENT_0.9.21)(64bit)libtevent.so.0(TEVENT_0.9.31)(64bit)libtevent.so.0(TEVENT_0.9.36)(64bit)libtevent.so.0(TEVENT_0.9.37)(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtrusts-util-samba4.so()(64bit)libtrusts-util-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libutil-tdb-samba4.so()(64bit)libutil-tdb-samba4.so(SAMBA_4.17.9_GIT.367.DAE41FFDD1F150500.3.5.1_SUSE_OS15.0_AARCH64_SAMBA4)(64bit)libwbclient.so.0()(64bit)libwbclient.so.0(WBCLIENT_0.10)(64bit)libwbclient.so.0(WBCLIENT_0.13)(64bit)libwbclient.so.0(WBCLIENT_0.9)(64bit)pam-configrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)samba-clientsamba-winbind-libssysuser-shadow4.17.9+git.367.dae41ffdd1f-150500.3.5.13.0.4-14.6.0-14.0-15.2-14.17.9+git.367.dae41ffdd1f4.17.9+git.367.dae41ffdd1f4.14.3d-@d@dd@d6@d@d @cvcvc@c@c @c@cctc5cM@b@b@b@ba@banopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- secure channel faulty since Windows 10/11 update 07/2023; (bso#15418); (bsc#1213384).- CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174). - CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173). - CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172). - CVE-2023-34968: Spotlight server-side Share Path Disclosure; (bso#15388); (bsc#1213171). - CVE-2023-3347: Samba doesn't require SMB2+ signing if `server signing = mandatory` is set; (bso#15397); (bsc#1213170).- Update to 4.17.9 * Backport --pidl-developer fixes; (bso#15404). * smbd_scavenger crashes when service smbd is stopped; (bso#15275). * vfs_fruit might cause a failing open for delete; (bso#15378). * named crashes on DLZ zone update; (bso#14030). * winbind recurses into itself via rpcd_lsad; (bso#15361). * cli_list loops 100% CPU against pre-lanman2 servers; (bso#15382). * smbclient leaks fds with showacls; (bso#15391). * aes256 smb3 encryption algorithms are not allowed in smb3_sid_parse(); (bso#15374). * winbindd gets stuck on NT_STATUS_RPC_SEC_PKG_ERROR; (bso#15413). * smbget memory leak if failed to download files recursively; (bso#15403).- Update to 4.17.8 * log flood: smbd_calculate_access_mask_fsp: Access denied: message level should be lower; (bso#15302). * Floating point exception (FPE) via cli_pull_send at source3/libsmb/clireadwrite.c; (bso#15306). * test_tstream_more_tcp_user_timeout_spin fails intermittently on Rackspace GitLab runners; (bso#15328). * Reduce flapping of ridalloc test; (bso#15329). * large_ldap test is unreliable; (bso#15351). * New filename parser doesn't check veto files smb.conf parameter; (bso#15143). * mdssvc may crash when initializing; (bso#15354). * Large directory optimization broken for non-lcomp path elements; (bso#15313). * streams_depot fails to create streams; (bso#15357). * shadow_copy2 and streams_depot don't play well together; (bso#15358). * wbinfo -u fails on ad dc with >1000 users; (bso#15366). * winbindd idmap child contacts the domain controller without a need; (bso#15317). * idmap_autorid may fail to map sids of trusted domains for the first time; (bso#15318). * idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings; (bso#15319). * net ads search -P doesn't work against servers in other domains; (bso#15323). * DS ACEs might be inherited to unrelated object classes; (bso#15338). * Temporary smbXsrv_tcon_global.tdb can't be parsed; (bso#15353). * Setting veto files = /.*/ break listing directories; (bso#15360); (bsc#1212375). * CVE-2020-25720 [SECURITY] Create Child permission should not allow full write to all attributes (additional changes); (bso#14810). * dsgetdcname: assumes local system uses IPv4; (bso#15325).- Update to 4.17.7 * CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext; (bso#15315); (bsc#1209481). * CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users; (bso#15276); (bsc#1209483). * CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bso#15270); (bsc#1209485). * large_ldap test is inefficient; (bso#15332). * CVE-2020-25720 [SECURITY] Create Child permission should not allow full write to all attributes (additional changes); (bso#14810). - Update to 4.17.6 * streams_xattr is creating unexpected locks on folders; (bso#15314). * Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment; (bso#10635). * Spotlight doesn't work with latest macOS Ventura; (bso#15299). * New samba-dcerpc architecture does not scale gracefully; (bso#15310). * vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat; (bso#15307). * With clustering enabled samba-bgqd can core dump due to use after free; (bso#15293). * fd_load() function implicitly closes the fd where it should not; (bso#15311). - Update to 4.17.5 * smbc_getxattr() return value is incorrect; (bso#14808). * Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled correctly; (bso#15172). * synthetic_pathref AFP_AfpInfo failed errors; (bso#15210). * samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when there is only an AAAA record for the DC in DNS; (bso#15226). * smbd crashes if an FSCTL request is done on a stream handle; (bso#15236). * DFS links don't work anymore on Mac clients since 4.17; (bso#15277). * vfs_virusfilter segfault on access, directory edgecase (accessing NULL value); (bso#15283). * CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON (additional changes); (bso#15240). * %U for include directive doesn't work for share listing (netshareenum); (bso#15243). * Shares missing from netshareenum response in samba 4.17.4; (bso#15266). * ctdb: use-after-free in run_proc; (bso#15269). * irpc_destructor may crash during shutdown; (bso#15280). * auth3_generate_session_info_pac leaks wbcAuthUserInfo; (bso#15286). * smbclient segfaults with use after free on an optimized build; (bso#15268). * smbstatus leaking files in msg.sock and msg.lock; (bso#15282). * Leak in wbcCtxPingDc2; (bso#15164). * Access based share enum does not work in Samba 4.16+; (bso#15265). * Crash during share enumeration; (bso#15267). * rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer; (bso#15271). * Avoid relying on C89 features in a few places; (bso#15281).- Make (32bit) samba-libs conflict with old samba-ad-dc-libs package to satisfy installcheck.- Make samba-libs conflict with old samba-ad-dc-libs package to satisfy installcheck.- Remove non functioning ifup/ifdown samba-winbindd scripts; (bsc#1207414).- libdsdb-module-samba4 should be packaged as part of samba-libs and not samba-ad-dc-libs. Additionally no need for it to be removed conditionally.- Clean up logic for PAM migration settings in spec file.- Change with_dc default to 0 (for non TW builds), ADDC feature is deprecated and will no longer be included in >= SLE15-SP5; (jsc#PED-1122).- Update to 4.17.4 * CVE-2022-44640 Upstream Heimdal free of user-controlled pointer in FAST; (bsc#14929); * CVE-2021-20251 Bad password count not incremented atomically; (bsc#14611); * CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability; (bsc#15203); * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); * pam_winbind uses time_t and pointers assuming they are of the same size; (bso#15224); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories; (bso#15252); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * libnet: change_password() doesn't work with dcerpc_samr_ChangePasswordUser4(); (bso#15206); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); * Memory leak in snprintf replacement functions; (bso#15230); * RODC doesn't reset badPwdCount reliable via an RWDC (CVE-2021-20251 regression); (bso#15253); * Prevent EBADF errors with vfs_glusterfs; (bso#15198); * %U for include directive doesn't work for share listing (netshareenum); (bso#15243); * Stack smashing in net offlinejoin requestodj; (bso#15257); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); - Remove deprecated if-{down,up} scripts; (bsc#1206444); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exists- Introduce without-smb1-server spec flag; (bsc#1205104); - Update to 4.17.3 * CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit systems; (bsc#1205126); (bso#15203); - Replace obsolete python-gpgme with python-gpg * Upstream replaced it in v4.9.5 -- bso#13728 - Update to 4.17.2 * CVE-2022-3592 [SECURITY] samba: Wide links protection broken; (bso#15207); (bsc#1204499). * CVE-2022-3437 [SECURITY] samba: Buffer overflow in Heimdal unwrap_des3();(bso#15134); (bsc#1204254). - Update to 4.17.1 * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Flush on a named stream never completes; (bso#15182). * Permission denied calling SMBC_getatr when file not exists; (bso#15195). * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC; (bso#15189). * pytest: add file removal helpers for TestCaseInTempDir; (bso#15191). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC; (bso#15189). * Flush on a named stream never completes; (bso#15182). * vfs_gpfs silently garbles timestamps > year 2106; (bso#15151). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * multi-channel socket passing may hit a race if one of the involved processes already existed; (bso#15200). * memory leak on temporary of struct imessaging_post_state and struct tevent_immediate on struct imessaging_context (in rpcd_spoolss and maybe others); (bso#15201). * Since popt1.19 various use after free errors using result of poptGetArg are now exposed; (bso#15205); (boo#1204279). * Remove special case for O_CREAT in SMB_VFS_OPENAT from vfs_glusterfs; (bso#15192). * GETPWSID in memory cache grows indefinetly with each NTLM auth; (bso#15169). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). - Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689); - Fix use after free errors resulting from using return of poptGetArg exposed since popt-1.19; (boo#1204279); (bso#15205). - s3: smbd: Fix memory leak in smbd_server_connection_terminate_done(); (bso#15174). - Disable SMB1 for tumbleweed builds. - Update to 4.17.0 * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Cross-node multi-channel reconnects result in SMB2 Negotiate returning NT_STATUS_NOT_SUPPORTED; (bso#15159). * winbind at info level debug can coredump when processing wb_lookupusergroups; (bso#15160). * Make use of glfs_*at() API calls in vfs_glusterfs; (bso#15157). * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128). * `net usershare add` fails with flag works with --long but fails with -l; (bso#15145). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Performance regression on contended path based operations; (bso#15125). * Missing READ_LEASE break could cause data corruption; (bso#15148). * libsamba-errors uses a wrong version number; (bso#15141). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * New filename parser doesn't check veto files smb.conf parameter; (bso#15143). * 4.17.rc1 still uses symlink-race prone unix_convert(); (bso#15144). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Manpage for smbstatus json is missing; (bso#15147). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Performance regression on contended path based operations; (bso#15125). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Fix issues found by coverity in smbstatus json code; (bso#15140). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). - Migration to /usr/etc: Saving user changed configuration files in /etc and restoring them while an RPM update. - Update to 4.16.4 * CVE-2022-2031: Samba AD users can bypass certain restrictions associated with changing passwords; (bsc#1201495); (bso#15047); * CVE-2022-32744: Samba AD users can forge password change requests for any user; (bsc#1201493); (bso#15074); * CVE-2022-32745: Samba AD users can crash the server process with an LDAP add or modify request; (bsc#1201492); (bso#15008); * CVE-2022-32746: Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request; (bsc#1201490); (bso#15009); * CVE-2022-32742: Server memory information leak via SMB1; (bsc#1201496); (bso#15085); - Update to 4.16.3 * Using vfs_streams_xattr and deleting a file causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * Samba with new lorikeet-heimdal fails to build on gcc 12.1 in developer mode; (bso#15095); * Crash in streams_xattr because fsp->base_fsp->fsp_name is NULL; (bso#15105); * Crash in rpcd_classic - NULL pointer deference in mangle_is_mangled(); (bso#15118); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * Fix check for chown when processing NFSv4 ACL; (bso#15120); * The pcap background queue process should not be stopped; (bso#15082); * testparm: Fix typo in idmap rangesize check; (bso#15097); * net ads info returns LDAP server and LDAP server name as null; (bso#15106); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * CTDB child process logging does not work as expected; (bso#15090); - Update spec file to fix the optional Heimdal DC build - Fix external trusts with MIT Kerberos 1.20 - Add missing samba-client requirement to samba-winbind package; (bsc#1198255); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Add sysuser-shadow requirement for packages using systemd-sysusers - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979); - Moved logrotate files from user specific directory /etc/logrotate.d to vendor specific directory /usr/etc/logrotate.d. - Update to 4.16.2 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * Reintroduce netgroups support; (bso#15087); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Update from 4.15 to 4.16 breaks discovery of [homes] on standalone server from Win and IOS; (bso#15062); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient -E doesn't work as advertised; (bso#15075); * The samba background daemon doesn't refresh the printcap cache on startup; (bso#15081); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Fix samba4.blackbox.net_ads_dns_async test with bind9 >= 9.17.7 - Support building with MIT Kerberos 1.20 - Bronze bit and S4U support with MIT Kerberos 1.20 for Samba AD DC; (CVE-2020-17049); - Resource Based Constrained Delegation (RBCD) for Samba AD DC - Support building with gcc 12.1 - Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362); - Update to 4.16.1 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * Need to describe --builtin-libraries= better (compare with - -bundled-libraries); (bso#8731); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * Username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * KVNO off by 100000; (bso#14951); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * smbd doesn't handle UPNs for looking up names; (bso#15054); - Update update-apparmor-samba-profile script, replace non-printable delimiter with more human readable separator as sed can accept separators that can appear in the input data. - Fix update-apparmor-samba-profile script, sed doesn't like multibyte separators; (bsc#1198309). - Update to 4.16.0 * New samba-dcerpcd binary to provide DCERPC in the member server setup * Certificate Auto Enrollment * Ability to add ports to dns forwarder addresses in internal DNS backend * No longer using Linux mandatory locks for sharemodes * SMB1 protocol has been deprecated, particularly older dialects * SMB1 protocol SMBCopy command removed * SMB1 server-side wildcard expansion removed - Add python3-dnspython to samba-ad-dc recommens; (bsc#1187101); - Use systemd-sysusers to create system users; (bsc#1182847);- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./bin/sh/bin/sh/bin/sh/bin/shsamba-gplv3-winbindibs-arm-4 1689670680 4.17.9+git.367.dae41ffdd1f-150500.3.5.14.17.9+git.367.dae41ffdd1f-150500.3.5.14.17.9+git.367.dae41ffdd1f-150500.3.5.14.17.9+git.367.dae41ffdd1f samba-winbindpam_winbind.confntlm_authwbinfowinbind.servicesamba-winbind.confrcwinbindwinbinddsysconfig.samba-winbindntlm_auth.1.gzwbinfo.1.gzwinbindd.8.gzwinbind.xmlkrb5rcachewinbindd_privileged/etc/logrotate.d//etc/security//usr/bin//usr/lib/systemd/system//usr/lib/sysusers.d//usr/sbin//usr/share/fillup-templates//usr/share/man/man1//usr/share/man/man8//usr/share/omc/svcinfo.d//var/cache//var/lib/samba/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:29825/SUSE_SLE-15-SP5_Update/a460918791409aa6fef6977df5e3d195-samba.SUSE_SLE-15-SP5_Updatecpioxz5aarch64-suse-linuxASCII textELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=e47c95b87c62e621c6b61a0581f8fb6d0e90057c, for GNU/Linux 3.7.0, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=83fe211c23139db5ce310ababf79f0bd269c35ea, for GNU/Linux 3.7.0, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=d1e2f7c20548eaf81680e92646e461ff69901256, for GNU/Linux 3.7.0, strippedUTF-8 Unicode texttroff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)XML 1.0 document, ASCII textdirectory0JK0R RR5RgR2RkRQRaR[RURRRyRYRmR]RWRRuR.RRR0ReR4RjRRR/RTRfR`RZRlRxRdRRVR\RRXR-RtR1RzRPRRR RQRRSRURReRuRYRRRRR.RRRdRRTR-RXRtRPRRRRPRsR R RER R RQRORcRR,R=R"R[RgR0RiRRqRURkRWR_R3R2R5RIRoR7R;RRYRRwRR]RyR*R&RRuRRCR$R.RRR~RRR}R|RRRRR{R9RRR?RMRLRKRaRAR(RmRGRSReRJR R#R R^RNRTRDRRjRRZR:RpRBR'R)R6RxR%RdRFRbRRRfR+RVRRlRHR`RR\R!RrRR@RRRhRnRvRtRRR8RRzRPR1RR.IHKF<nC/usr/sbin/nscdcronlogrotatesamba-gpupdate4.17.9+git.367.dae41ffdd1futf-8eb8a71dacf07f00895f78360cce1ed76b329a3b615b782532d084b04f9d1bb33?@7zXZ !t/] crv(vX0zhFvSo**m9zl|Z7X(z+43.PM0.$7*S*ڟRMsÒ*XdE}sI/1՝{e2ubm _3(q*oU@5ʱ}Ɏ+[sH~u5 )܎%vKڪab7wda)ֿOwG(b^TpZFs*|]aCh+I܁!@uf8-(nTB,%@!mhb2ZB+<\ye~~O*IxC`u!_t]12FZIIL*bl )d7:۱xp hjj\`y\.,:EFW>0!ɼ9?gxNQ[5ò2Jį-D:z鄳d w25 O^6<|)PH2^%RH|LNOsօb{. &Si<€rǦ-$ /u!GpG>kE4S@:mB' M4ܠgVN#ېX8w)#Ր %ϋZk?0P܁GMm2EK u<-WfF8QeJ ϽE8^ o`$PXk^FA l` ]Ɠ+uf]h L'$`bƞ/ZX(ݔbbES(gfӱ]`r12skNTNP_J)L#p4j=PT/r}t ,{, _qvn>AЋڦ5~qA["}Uyӿ YGȭcՏԡ}!9Kq %12R{aV~5Mu!jO?Vb}{nxHb|Nۉ;k;O='51s">f}'8&GçcnlTRJ{9mI3MGDJ5bXр8KHX_7I^L'V15y-ݮjAZIz8uQ4.zs qz{^er? &$|nxi ɱ^!2%Z@:nn'b͓ܣQU#gGp5Ъ1p`Co,_c`|J6UQ4kCBPrPV%{I޶98J3 Cv3)+qJq"KárV rIiJtyTsnϭڀ(vt@#\|Ԑ֐5\9_.[쐄0N^O˰ @LEnj+#p\ x#;ZhAI$ӕlb.O/Oa Osd:D)5d-uyjPDFmu4qSn/]na`w=?g`#r{Ga/nUG2 h0w| b->A-UZ{1#NN4$x@|+0d*u/7t$5igL+KEmd:3_<,H1t\JoLF2d mi$ 5L{gUËS>pEL9p'ɞ%6W+{Ha(~coY <,FgON@bC) j@wj/ks}W*5B3Maʾf*EPh98))IނyM%HdX&ފWu$qdѿt8RHTeJQu:Y4N0*qTWlgL-xYM0?.#i-%p0ٱ }#ynMXR 5b+X`"N *V\T|2*-UGQ$hQ3(R/~,cŞRqU\GW${4㲞ؒ; M Y^d} Y =APFuQx MKnd g-xN'*m y ? X,/7@CU\!E6~cut^e?mvܒ[XXPEULq\*7VŃU5U},IW_[t㢻T/ʡA%!9c"(|#Ƌr0b@"s CZȓzt(m:oxLq4qGY3^h\|mi '=-Nac!aOǕWtmfQdo^$Ehfԍ&v\8hf=tw$<@tZޅ'To2Fć᧹^TtƤ2^כrO &1|H}=ֻi C 3"aU|0r{t=n2Fnl ~j+|7ra2SΈ[er+]4娿=M<.-:N"T :sᕓa1Ibߙ z F674R͇<=4.p0ĵfi]M\;yVOiIhGqkJNzz?z8h\>?Yj>'Y<ZIyli+!;-q/Z0) ![<0ml\!)/'.|%Th|fF?4:Lł;Q66r.eKec,[.kaTͅ%yPH \C1.F@Н&3@ .q$UcA׽nJ-QS\D>P6 8pF+}%ILk5"<˓ J>2K[Q_fh>n3bRˎPu?">@jvaQ " 2Mλ?L籽1󰏖Clu hgԛ#:r@'XnTB=9ON Ib I+#Fiy}lEjߣ#\,6gz6Ucl.D3QmnF$%MMטޔqԃX=!MD]6(BzwRLTɛZ#^Äc ^LLz4goUyȿKk wKF-rr* Y |~_ߒPo\_ܝgO>0<9SV󶧬eyr7R}m;|[+7rRܒ(/'DD/!#}K9S`ּIyӁ{BcUs9$6WfcA8@ 0Fb_\{fvas{<7fwڄ$S@%|H˴{h's:r<,R.̫zA~5tښ=%IZCZ9jA57' 1ۿ  "El ÐJ{(=mqOg*v%.NT| CdЪ'?Q!c.)vi,4v'zDg3gng't4׀! 3GX1;i BrfG6 1:msHX#Rl-{ qj6?n,6ޏLR%"{^MM-IY Z`䆩o*B1*z4f2S_,=pmVN&[6Av#zLxt%}*:डmk2$ۥ k/aP=ۊ5F~͡P.+rBYWET6XLdv;]0ijo4Ayajh%V#rt!*Z?a!||b~c'/X/S:5j(f[c"/ft$q=,#"n"ӲN7~w?> 2^(<{r2?{%M;i_6XQK#@;**RUVl:wBax' X?,܏KkL]XOa >u(T80*߸j͇V!Σ`nlj4ȔQ! <_,o /TZsߌ B׳QhM=а3l"!N;y8過[:}濄$V%*kNSy—_G Ri`T=߱Di{S,)lm/XKS'q2;% 53MMUnv\ `\M{:Ub"q 慛=y^X`;064;/+[j٭5bƋ{6$Xs\Glق^'ʽk3AS0zʷpf='&h~B!E^U˚՟z3mPMlʆI:9yU#]kQFQ? ytCUd>Xv n_٨[ >jd(~05IRmH1 ʨC܅Qß\.[53eG?MpLN] Jn;舖E J"pEVV-c8i][3_{ŀ3Tɉ쏷keֻZ=2G/+* C"a{=zq@?R>X`*J%W~& Gkb)pWAOJ+: 41*SmFY=,Ozsnm5ovYc\@I|H{-&@CS=JoZURң8~Bd#\1Ŵ8HBJ>+$y)dQCv ,֭R&vec$x4mm sT/XJ eYUR@A k1W昜BsD\90'hNltA@ JKYfxɜ[F?lvx[td?c|dIhM"˗<Ω) dȡw,' GoW<T{!ǽeg3D7kLz;nad?ZژQGަ-5]6aY }w HĜ0DG92?zTlyPj3mb: у`>wu8G=ø+T jtGhZI \X;-Kj?O71 5:~Ӳp.(ݳ”gHwv2PjWt"lJ"lW&HL{{wG(KE 0Tg`SSu&OΤ*h Lp6H$ZAtQ܄b,|?J`RuZڕ@˰ei>rxEm2"GXЉtm(L"z(8JxxiLfRåAߢØɷElQpGV{pI9TH7Dqsf~c~G%;ik9-au8n"âUx[WV1g)x/]QE KGBHGB #2 Ї&KjٷO28e棹PTޏ\H[: X!3-fd"WS`C&ŴK5|c'=0Kb+QCng""hnT?k!kaS?Jt tX mT 'F׮w '4 ܐ~iR8e,R\hnZߨxC[CiRepS8mi\9~!Lj.^5 wz'R$(cd>)||Q:pCV n&lXmu:ִ}gь/A࿴0,aj<$Pr^('Og-Z` I$wg&A m>(HDFSj=oEXݲ9&D7"l<޺ye12pOpq |~0Ko•CaChVU`8 Rs㯏?VTmrᡢWiAc՛'N:ÿ^}R65y h x7kR ޶A=.LrBA7Ksnsk'kX)H%.Zp/Qi.^R[dNDl968,߭Cs:F lh8SR 7ij.\:8!9n4P.@yCLjFS0y>VWLL8v|.戛RJ4]@>6IۭV{u.;1R$M)ێ xVF`GZ xsdz+BIR<]M\8/QES3sM f;JyZ/;]!E: |ôFD("`c(/ 1kp;Wr}s'Os-`CapX5Ih-[w]cΎ#[l{el}Q-x$'Ʀ1Q XObt OTU;B[x:nxxDZïI1i =u/S p)02OφfmSTbjF6 Z,G 'ip0K;""Aѻ`tI 6zsKhW"r D$!˯W0zL&6H=9l@fbMWFt0l(vPU}A}n>% CLeBB@豵7*xXez ̡*3wc(Ru&=R#qX /åI-Q$ ϩT:f098Dn~*x}I,k.McNW ԇ'JE}FÉdI1Αؓ ՐVZE%OBF~ | u@+nV4B,-º"YGsqG3I73-[u8a"R60‚ AL;n\+QZ8*8 1pdC"S+ e~k%pn'xqLcitʿ炴lcCr>4d H$8V%Y<~^ߖc#d?xC[ƂyM]Pxi!Ä]RF?MAe~Vi T"̒{]?TckԺtұkV81cWz^LW2!=+q?~ RgT\nqp#&uk:T ٻ$ K_ҏNG-b&EJ!8y%],Yw8ć.PLzB:]:&9ݺHE楝;7E Lvrc^=M8$$u:msS֔L7oSkۍDzf@Aasj8IګΟC5XCk}jb(EKv:@˟ibئ R~_riCZW׎AغL.vca%nYN7(8kyu.)Ǥ41E`du)QRXw}eXظ="j,WGlO-SBkSzQTS18#Q%#U8~fiY:kb FjBh<2OcBdyk(6MTyxvkt1 li^SqI_=gKlzk<>ٚ7 Rg`A%vNCͿ7ʯFg׼y3}/!O5ZT; _F!W G;8Lsk `FB7uX\9ۭ:ͦ'tX!o[v,dAńԌ\/rT 6E4󆋈ޛǵxO:aafnFH8ylr6эsI[`دJ߾.N?dZ0x,)YV1yթEp&p͖ɓKc@m#wMʼn$ѹs/䋿@2.ŗI{b ЊzF/ n+e'QJ[:l%Yw/?S,mmT#4IY5]W)_hrLzY= ss$H?$m~$&~T9i#tIŭʶsh2Py~Rp{ &[M{8+^R{J>u 34/u.jMW`4lt`-I9x#KQCA"81cSwW.ER:EMdIc=Fn~tƉr) Lslv/[[<̕VBJ:zB0Am#五)oMp' JzKݜcE&p-TgA7dz(+)g2?>qd@G-"2oN9[=#શu&=Z*//uξy}S8x1!U(&3[4~xHro^!Qʷ;?}rzȇӊY'?[n?< ߕIz֚k蟙g[ژ.*gĕר1sϐ@׳ax\/ݱ \4c 1 5hmsLQt:LsN'.yYsD]S+JUt6'.'*[?RP&i>_n#N2:@edh2 ӿ<ʥDiɝN){>"*hkְ)))Vqlݻm[l"+Ȣ# 6X`1uFAx$O)^+~rF, r5aAscaM)r 0Ut }I>j7=SQ@3Hhum lJ#1hra'j>7o2vEDiSb "t`gD઒{H rYЩ-~(4{)WDo=\&+lƈӜXs/%$5`/ @ |Bgl|~e}9ĦKEY&ݜQh6\Xt}VA8JHᲇ€ҽ`kmFu捄+ K%@[Bg|)"FXr[Y~z[Ye0x}~ ϣ--X? 3? tཎs7BRF$a~?Zc%*a_[oX]dBxb튵 mbtyamܘF ~\AN+Ԍ0IJ1=<ɳ"WtQ\Tg5rT,H1͸o̦NYؿӑIfWBE:׿_ qvФ%TY:ި;dq`:S@:j}7C8 kV'(qteK,x&B7([49B~Q[>`:Of`Bݚ/V+KS8+;O#w\E{PvVH8!9V+ a&FU~ۍq_E ׹̔7iRʜJl6 f&A5YI`*iuM;F ͎Oo2<aLT<+5*z&uL 6 8nkF7Kܻڐ/*:\K_% Jgv ȧ+5'O,ˉh5߅k[=:̤X Or>OҗI+ޕ;> BKfvfG!T< A[h1~ dԋQ?0&Y5RERM_aʥٔ1|*fQܿNPl{*Ͻ&6a N|vo+/TdM?I8dFMoZu;wLHGލ۫$>Rzgu<{HʷŴ-2FJeo5kjr׳ry$j|*MG9OUֹ/)\-GZ2 TK/ksW.`TcwF w_&01τtX | U/U988)&O8̆{+x5By7!.kIwq+ doYtTC\J@#uý^v%:m6EJ⟲:׹n6rjx7tnM'Uyicq|/ht!,1.rhb"t!,YyTo^_*SҐt \%&~'~ l(ct#O;iHDBR 6}X)3gΧC%R+c6HC\[/M?ύdebc ? .~oEM_k=YWqV5$mkԨeϮ:ds؂?82a&F2ʆVaJPvf@QhWͱhY^E6c7LȞ"VE~)@[-j49%w.B _b]dIvMϣ 6cT.sV{q9lQHSK1Znj"n'L8B :iV0\(K VV$tPoک#hF|ZP%d5fQ0A4Ԩf7,Q/+HYHy{\sT0u"ص1XJF$rM_|u&5؊ x%8txٲlmS [Ldl$VT*J/)嘾 h ~sU1֟k/2S+Ɉ}!fCS!vQg^HP狯Am)P/_dNMXU(!^/VU)`Tu0%TGi?}OqQt3 MrZA8 :k!zH.?͌b5kQgL;U_&Z W%! !3TXd>!88ux jx C|etڂZ\l4b ]CD:7?#ED5!l3'q2<*1qq԰3tm{MϜ]4 ˡjo0+;i=]uYq7 "0bfb 3f/aJάwo.|xw@/ݐ,bg^EX?pYU0VC$UG oYpgCuѝ!l86ՎT;U?DuqӜ*=wN,y>&APC7)s3׽Kf!+ĶKqcavV@3A'UIh Ʃȁ/f$t(ھCi J+!gY"R;YCMZX>O %Zp+@:{Xb6{Ѻ>Pk(D=g_\oObs:/F۳3cVjS\?O0MCd~ 9`? cr3 !{FrEțEHd"p9IJ:ˊZuaCЫHo !5.ԝcv̠vߛ'|U)8jϲF4&Bi8Fw߄O!YZo?P 4w/pvZ j&3'}dot6SV_Mް&Ƣ益:yUdN$l J]=rAOTzy 1w11N79Ftp7%'ʒݗfR(Sr8i ?-f [tA+b3ﺟuI~Œv\40k4~ 0j*ڣ̊]r`<[N]}ӊ#6CEϩtJ,TRf6VDY(9,u Z,V\̲K ,o؝d G'CuRZNB,T0 NU CO/p~aK6N`$(ŐAgO+ey! ܒaw+f%/ˆwB& W@K5w<>O2MUŝ+8ԙϥՂjHDy.ImoÔEN iIGg%޻>rddJ[3M)dU:QR\IFh_:ůyRm w""M-<&^N30&_+ ؤOڔ <?yZOp<-o Hr@yNc4a@& S4@8&tY^Y|!T(z+Xa~&e=<J*YUAfv L e/nLs V^j1/=In&!^rKY/4J5]uቁqW_Xbbݓ볌ֿW;G&|s.r`6po~~FZNImQ 7බGՔJ94IŪާd'*\VhAh?3:\iDUs H;1\LJE;<0v0 E"jgU:CXvQIyAΠ$q/Mu58P'&(GIMFMf}3*vWtiweS>m%'-$ ܧWS [6y?"ޒd[mh @vFrhGt gWdhsx PCcgI^tloi3k|zsudpdk J4rڑ6 tӌ+4WB~r 0٨A!z:7ч-&9Ƒ[ЦNjbX0!S/7Lf0~--|2ذ`/vS|v0@ #M܌PK NCƙ#\arSXUA};$E$2kOx@*]@nrd^a ,;[%4 "N@ Yp O JֻtEGcHjeŌH@g摗yw y tQj)*zZ\j/r"F[9~$z&r}09 %k3m1ߊg= l*Tl@;: ?N\YT,rnQ#rrXa7_=CrBKG7Dᙆk̤;zK,+O.x U*g*Zk%@0a)Z*HHLϗwϊu ޶tOR-  :r{ڳu氃0lQz}b8˥౗ig :Q#lciZݿ>F/,H΀^e2KǁS8ΔiO&7@=b^[^֙ M>GVm >8/0jôa[ '<qrf{77^o$\>TQQpg3rm[mo5vP  -RSLTr˶*utdϊvLr&b-- }8c)/FUF,i#RxVp#rU E3*%h ٸq/b6 GYm@BVӉ'Rpud<) 7@gSl)n|zh"B^kY<" A!;,GowڕHVRcL0ƣ ^zl;v| =MZm;rwsvdZAR!y;9zh iM3N1n>3$+)zĨSw[ܷ7"s&&k9v\蒼4.ym#[hAoI!New%Rcչ!`PH*؝CuW?AI1$MW';*HĽU%v`9;^sZ X*Om[;m`S6QW{1޻jMo#UUD{' \FrĶQkh?m¾_vL"9D30?OpLlWx8u_mg}O1r1,:pK9ෆ*gw)SkFGrE-b$=5;8P84tM0ؘ 5}#@1ɤ~ih=x~U|L'՟R/'(h!!iO|m-ϓwvد};˄>̈́~"R\z>ƃ+,C1=4?V;\l }<+o ^n)mO&QPd9Lb=$eGhR8Ɛv-IG3)EX]#Heٺ@8]tڶ֤r=JMi,bu9$.CCzR~w}v ,Wx+n6~ӻf=B=09ý+ru@,gΖ#.#ִ^Qڮ@&8#6lWEQq `"Is&IL)8: D <$4f Mb? ./ GGaFƖu{$$+d Ks|`4 ^ YЁe1ɫzIUab5KUdCܚ)zk;R_̦d}fƒ9 k#_7I("8]f= Ԓ(^G;4Z˕¤n>:܄-Ku,"H5cld.Avpqjyœ#)'og!bLyAZTf1K0!qwV`5_5<)< XƜmFw{֮0 yp>9Yu6wnԓT J<ݪ6UmC@x|jh:ю7WHK S&A,a[p˄%q%kD+D @a㿘؂zًuzp2dJ Ggh_l6Gt !W KMVzJ?|SLJz698(a^Ի/d*:/{h54>^xշsQIYG3!7EÙe1mb]"f0$IsI-ib ~R؊ 8/tӰ{'0턮 l ʧt%Dw$܋\jV=&Jq?4"I﷯?nO񒋲:&YC`E e$\{Ej1"`jDM&o9׸c:N=h#Fۜ(< FAEqIC yaEf-`D%MN,,OnbF ہ6Sp,xR@r '#k DQ`&IS[.3 H_R֕`h3jakmG ,mbda$'K.nm` #UdI;1kPu(YUԇdƷ:A*: TQgD쨏B禜9*?@N9J!!)hXyMGOggآv:v6)5,q4baٽ$a(cj1&& Tm } p>$y(lg2ﴣY)Fa^'&0 / qjW8^ڧ(ơV@t(/CL+?,B7=IWsiW؊mgof#z1 D) ѶxyA4?{վ.8eoGb!VL-qé3Kykf9= dtc&h14ྕ[lz6}ܧI-Enhr3ËF ڐNt a VCJіQһ`(WM*]"{ټ)}L]' A *WH.З(@GFK\%\#_ЇTB56iE[o`^X}ldEtUzڡyvy^29]Xp K1Ϗ hP+$Fe $-Bs$yq/qJA"٥u44`wmrB!g6nA6+]Q}G5 AzԹb_!u~ NbKƂ Y5σbVY8,ʿG(O3p م מ"ouh`Pu^@ؤGN9-q~Ng {9Y0?Mo3ua;yF +kdS{Xa#$678"#~lレ7*.dg|D>H C#.'8QYh!0&$`*jF6C6ʎ'z8%ǚ+zbZ"<KG$Vx"#Yvs,k?]5!rEw)IkI~E]2tt&`z$? 3"9720l BjE\ \?I XX==*eR |zrh&lT-U r٦hcuD&cj9dPslȥ}e%㏟u0tVI@x bM;Sq<U5ͫ]wVq:tI=R]'lE8#Z>WB[SNxT)@u@ ?TY-$AL>)o)JG}qN&o`  UR_W& ^t1sqZR<*+!]q#WV ȿtV  %+$LHЖ [IY$DIjY) @S78z%@vB[g:-}"T %+:m,zˢr=uVcf6ۏv6;^x3uˣzgů(6<7Y_ifVI^t_QU"I3 #Zs^S!`wۏKW*,T6bѪCuv/En1+ܫKƖ-~S52fl3krJs@!Dtt͒fL.g7s v(iNjW-<>:e؈&u !kQԿ-Ά̈Ev,srN<9$s%Ie"C HH$5$D} F4Z.qx1Tsc:9/3\&͈C}] !t[NfxK)qA^س6zEo/-H|LeQ'2NpBp4[x]H-8@s=9edi&xxsOZVۭR𓷗Pr5IGzGiE4%P35>/3P(/RxtCqtY.=rB=@>KJ!ؓ ]_-/]%aqzfQ/ r._=|I0L94lSwmΫ'$&5m_ 7"XA@z~H@Ǥi ߏr1|5͋3*H! 6P [ͩ5x,+rՅiNYHɕ`E?[h i;ЁrGal@;zw u`= 7,0B߱%29چKăHj}rD@SN<,ۡI=>j ta#&T}6g<ǁnȖ*WهGp4y˷ |@399=ZQ2:-@Rxq} uuttSrށ Gٱ3k9 8Uv#ao;Ru'H͓gTDnnDvs樊AnGxܵ*X-z@qD>~ј'10Ě5]d@ӑV<%PP[7e>*".'"}AIg]JAq ԋٺBhcFo/x}br[۫$:~u-yNP(dznsm {hknIIa@~z]9~4-o3DLDET(8F7a(Sʾ Z"AM/MBEq᜗A'X \ ~~J|tًyv-oXrʤfJE^ ޕ\F Q(1;J&^1Ľ px}TWUn:mBxs?E"6Q?3%hSؖUƳ n HJN 1kQgNޗ>LS'J3H9h Ʉ~A৵\ŀgDH[ ձ5Ƕy/Ъs;Z #HV=c z#mB)MG5:!yTqK%¨Z2.Ae{gv`ېp'K+]/?\WXELq7Mz놰8#e>=J|Nn&sTapƁ| 7ycyQn}kf({:7 ȣ:҅.YDz?~"Gن`,*s3nXkOB~x) (|tq.,ᑲ\9RUUUwy[ x "|w_Rk#'ϗbP+X y& FjwP=-RCQ{+jH]'%@Hж.b[sq?I ϗUvKR lIJٵ2R\ h\=;_Mz.ݘ~nvik|ٰËgɺ[%C9J%#;/>0<18!˙ByKj`ć~P!o:ho(R7NY+);(DΥ8;*Hgz Z LK }:BD0Z| Ir) 308x6/PMG>-hdJ)GDGe#mj!~B xP_bN &}~iF'$͌*?judhsK%`V(63z;:%ɦq7$ *v`kFz>v.(ϩrMu'}C,tpH(r \|WT/2ߍ z+/2~#]I7X<;(k\=/! 9fEdkiT(% *˹d~[i(w.z)֣CIWn(V[ےtQ^$Gs]Ӱfʵ[௿}.\5tHcDm|piHV5YA}fA3W>-fzھDrU-bд5Q)=#iV{}?&|x&䶍=o;l-5}CQԪg8HŪ)TjmTM@ sӡf_~ʅweW"$`~7q "?g3uM/`G |XHVō *n1.`6y$2jkk/7{ai)K:'^U)6v~OQ5Q?N¹-!zf2z]j1fhU-[mg-Z3SH Le\n ӣ&va)'S3+&ߥ*sc.;c_j~!n}HrXȄ( u`o |},@x"V[f`tsΝ}Dl/izСVsո -q%y5XOQȰq p-L 7z!O%; -w^u0:`{8<2W D`&H ; #ߞ~ C;ŲvXOO&Ұ̠`RLt;ȑ kb2 8UZI d`Rzۊ)U[Fs<5(\X[Lz}bz?` ӒVS/mQpw ʤEHZ\q߻s$ g"Ɵ%;8r?~l&q:էV( 5 *~72C֥%#չDd' L4ÂBjc ~3Ό 0BDxkP_p 3dWs6h]˻%[f+%O~H#i 1\.|j.cQjVGݶ|CxuOpR};̊M@6ȕRfF)YY:XQj3pG|.$]+<,Є|#1L%~8gP,cp}5 iDUHX/8Cl >AI2$P`ELx7ɓe6_|AB;?2ÕKvf4?,Wm(]X;VGax?`KuvWSiyw(ϐɣۛ}ߊG/=!Q8&mMzsidd&5#֌TyUIaB]% -g_wk?|)Ĭa,'`pmBA!$f#Wh*r Kߙb]HQVt%X#^3\(o/717Nd=qzK]v*(ӆv)x7r?m "/ S"BM`FDƛv]~Kc qB?Y(ioE'Ltǹ 9lpcer5#.vrq:MQE(͕$v؛o7@ȫ]2Jۗ/Z*VcȭxJCt7m@k5YHvQ=P<ͿsQd u55Vo c2G:euMq<.iuv3Up&17ȷͫL ]b? nEKT\k YD.'W8>|qb[Cհθn2), ={8p-½@˜Y*U8Ne'MLtUg8mP4;oeac6'oVw*`b$)53A&S<}ͻY>MvP R${#xFre*XJH)1%dUBG1~4kH+toܨ`S8SsCa g΅^!)JdP(< _UR/x {󔳗eFWTTaYٍ|19h^gK:C[q\IY4-Ԑ%$'ݝ1.>v覷xXGL͡N+^an "&s4n59K^22%_VLD=)[OflrE5R%q=?il0xȜd,kxh zsR֡N FHۈGJ`@Tf(2\[!ڥ7~aF]}w AGGLMHYmXEXԫGȻhMRڰ# 3=<͔lH(O:-ڜQsSI؎UzUFk>-1TKmJ§91x Up-xn[% j$g Nv [J{3?JҪ=U2X_JnM{/8HZ䡍ѱ}$Ɠ@־ FR?T"!i&gI uh[DU9] 5$j$jIhܾ)ϥ% p0flm݃qG6`,t$?&4Oۺ1N=LyKo,Yw1\|  U7̾ Pi%,4|J aS?8tJ}L.݀0pUc ` @B*|62E_;.+{K F ϖ#B̷/)}{ysbj{q(F#4zS}~>=/LcX'Q !>ί-Q8s z`=EraLXǡsܱ00$?,r ] :UYXZée8RX#a?|lKSTn@cȜk3YJߧC# ǃ -<cWq5f -ڈ)esFv$u )7LG=(w.[fƲp0nme4~̨e1Zڪoalv7쬢^6P %Vv?ĂTk8󛐗gȞR Z/pLi#79!f?.:k?l1b Tմ)aQ&hʢ=%2sU$?똨RZģ _MU5o-ׄY_N5d18pr[݉[G!;=ArЁyޒd'e'ę&,=4[ĸqoD.f҉ A[2~Im`=cD/?eP2TaFwM&IHޞ+ K{ dr;+&Jij#%NJaj[(]2x\.vbFyf?Pny^aƩ*5o"D]d\8\M7$f$ʽٵ%x .r*BjtqCi!GE^FТCUl#0O Cܸbhw o7$ipLaM@r'r+~D㞹6E\F*}$SY[G,6^K1+adK#p& B]-ipG3ALG ` :8*'-+dRI- 8IkH+0;oxճc!0\rr|\ӥ=1rq4R;CHVp[}a=)յpBӚ$$ $4nz ͛ZR8(=MoVϑs`gd,E&ܭMa&eK7Lvo)k%{%Rv<-T+HFQ_dybCU$- zR]ugL)0fUw:۝~O܌86gNV/$_}OO.a1_Qq2L^[$ƥ` &ػUi*$Xx@A C(<DDGTMEoYXrM㝛>"v6M6Vn1bf*eW=2ai"["o(҆$1/Q;IbQl@MotJ_%O=Dޢv!K'ǘj+RjDOenR<2)K4XޔGX%ZaZk&!{9J?~㶱HÍXoRd6ɥ,> S?OJmS P2L(i*)CxpLy $ISQoZbI.z]ÿ"[<}-1S*zQ<Y%oH@?ȸlQHQW|S6##DeWS#]6j3H+G$`-{wtF9DӽSKOg=Aˈ #` dΖ2?dƹ)_LAR0'߀a[Ju#PLDܲ[* XNhCPdQ^ͭd9 !Ghi{-U.6h)AeGLwV"󏀣qbh/ 8-Q5LP0hSK jI|?6acd!.Y S*˅tur ˮ/ƒ'=$2(X f)D#f 9p 5Hf͘hZU_I;+H[2x,%}OA&: gtyGrꮿ]0k|usz0?g{ 4o)'V\/hY S q$7~y~ %V~5 \i]b+w/6.dL*4v g;Ifk==`R '9X|@+iv_pE(eQ{(Ez٣٘'l@^ E(_[rl-ڱ$PHnh3ZCP>@`%mbhڧ2w;f ̉l6ocdOSҾ|4' 7gR\KfFbPod ?#zF*}+r=hq)E+Ld,eU`nZn)鬡 q@L@\PC7 WHN<1]J;UW0ICk ~0'zm,1NTKŏ~?{[n_WCʂ4*V5Zu)6;=\YcWdon҂2Q'!I$xVɃҋS\ FRZ:0/d y0IXcz |k')4^ ҁ泮zOGo7Za ڜa^v6e0 #1RRҵ݃Uߗy\ج/{Kq׷y_nLx*ξxa7Rئ}Sٸf=;N~Dޒ+L:AC\FO erL8awAHDtuaxYߕB' -ݲvW3S&^_Ǽ 1*A e o3SWT0łEܯP:ٗ}Z5%6$ E!XΪ>$TZ:%R[yh;$%2tw ާ&5 VChT~JMK+|J#\pm+u+.g5_e}=X7ד3rO1UWT"Y!iꢺ1BCivrӒ'~=~h[*|,ʲTc蔗dWR?mba tu@G2+ckQ6vFhGm#ÎB6-%S$IrL p_BJxI ʆo>fc/mhMNo <<Q[\iۼn;E,DP-%DV =a 땼<-d9zXm)6vb 0uvkFӫ4ҝp֠5 V*9ftXn6iaVR* K Βpd/-~'z.geF H{DQ7cԵIvt<c 6܌C)lS6r:SlU'H9WTMbj&85!D1fUo\Ɓ湚O> &j,+|Ƹ? O'OP?r#DlFtN o^JC]c u|ψkurJ"RޕuȈZt\[ ^VVE 1܈ 0A3ȉ0 BT'qfyg/5&uѯVN6,ExLac>tv3F_1He%Im5QZkh [a+ 3îц+:ngA,ӴBX p 1ѻ.(}$ωa1Aڶ{L=$">.ӺyT!s~3͠L_DCZ Y&{cҚx<^yk`Dw"P%Y/X5>6]x$?&=bWu=]he`!_Y8i0}.!(sP Zuq23;BK}@7-od.G.6;t%wLx.^t57~|s];}zX2IAqʮë}C:FxRLvu9ܝ޾&6(,fʺO兺9(ijA\Nay1p!;T%%{ޘoŢ:r?r|2Se>w;ɺNi[f49S:\(y xzJ`[`v 0Vo֣{^pzՃn-V3WFYb@dݱ:#)غR^N<|(y=_].UH߁pC)89-;VV$˦z$m$44@"_qKkh-zf+4\ &0Jtm" } Ԙ&}!9 eAZF\ՍKYme ]`f2dX{ b:Ur %wnbZ%ZO%Ef? 0/-&~40W( /y]>6#Wҧ@?U60.ߙHg&=c=5a^p>ib-'nG%sYû9u5d#?g.F <}x[I\/m23w 1(!@6**szYMJf ,Dy2 ^GGB+hb 9j0=MHOw` C׺N$B&ЕE}ۖ=_W՝FaPZ&[v@{yԻctn[,P2+@.ϯIj%vbj<6Nz8?u%.l&+Bh^ca) s[l\:"V ,B.4%"(AăIC,T^9z֬ݖ@h?Nd@1_Uŗ3!E~"t&άWnsUȍ $ǩ}N Uķԏ]BK#q^vW>՚\mԍ9Bly4?N:3)GG$A # #Ƥטi/k3yUԶ.1UgZO8l_j:b^%+1|SK}Vi?b?c\91B Qid,`(cvE@GT0=ӰtX {k5K 7Nt:8黊͚%08nZ6&GJ9op^@WDY`eM@w!Ɔk (c撈hDH "y0ԙ%IF yoSh&'gN^4aZvɱ5cu*=&}Cx 送էBQlNi"1D?%A!݂372}g aфJG$m@0 Cr7YOJ$1^yqDGUD?i&߻ӤEd1$L!lx#ǻV&J'~*V o3I|1qh - @ۯZj%<qIQD䉦aj,}6Esb (Pq (kjoS8WrwC @υ4<@d6l덼'8hMCzqu~ q,Y*4QI50s=ɇDܟґ_Ǣh;4 gq'w#dvLdHy95Փ^=kdf[;oKPA8PS4o]flOV.6_JQ]V("v &`TYu0Ɯ1=f#5e o",ŭx0|*:XkD ?,%}ZSԞК Df?bցp&>tWp${x[˅K NI-+'܆IIӱ>.F\iB/tp8qhV8-+BtH($e!!W8Ovj Pnfq@6K힉|ؓFAT؊}8ag`O'( 6Ё(|@tGl_r [.&~qQwѻ[&}Jp>?Mzt5e- ǥ(!e0>Y6mTyB8gNmۊ–* hʫZZGNQH˜7!SOsslzρuet1rG'A\D?9D %JlNΐe)8y #lMGI9 %MeV=Szd%ДʦW3L 6U ä) v>#YzQjf5s-֟;&aT0pd>B\t֔͘%`MG55ߑxvuS"'tzٶr"+ N:--)l)>EF_o}"#P|_i49VlOIDQ&!;Up0bg37U0y,δ0ǣrLvC-h(Y -L.K2_Q vzK2QבAwr|0R'{]LWK)‚2H6SNsӹƠek*uEu*/g7B_SƬʠ@>whY p!fݡGH^ >Ʀ A!uaL^ӻQz6Xm96.c rά[&]a܉lؘM+j\gPJ=i5ı\cȸ,`Ȯi]nsֺMzz<1KGK[/)а.I@u ;EBNw"|-SrrUsã&kؾ)CiOUqD/C^/aPU$dHkkKI d4cFy]ቝ]Uor@] 4̈́_RkWg2$tG5uϼ=!U/ZAZBNd*W% U>l^U6͔CCWh{ٗEۿ1 /N& _@C)Gz I, KwI_ENwa3V^82>5rfF#pfH^XTZٮ^`n |hA5 Y窇ݿ )9f ssEqH 6@6rlV=ni@3IFB$ zװ&SaA&tϗؕ joM s"jk1ޒ\'_Sd_~zc!w@n%22(cVnFj:|]<:VO˹s &krP)}eN$h)Gpi%`9Q$q/3@@D Swȯ)Q9m5fv WG7YN4<}ptۤ E< =ޏRôI梳j7iJD|)kK.Fo'y~j~  $jP"6!{_yILJ_Oax6͋9Ou'#@RWEiI >Fuܴ {k]M+L|#d<^U >/FӒ.ԫ$@7TBAUMUQ=ϐ&-P!A@Lx l://+-gaw[* vW2G6"C|\>#"/RDj"O(XXG4.f`[C#Pqv7&qwG g'^;x !i4"ziDrt#WSNZS Ӭ\xdۥᖕ`*ɛNEo#<-gF^j< |Oj*\]QQַ<]]%k|"xZ3FҝaF1M} /6$\C­z>.A#Nh!{k&@bUioR5Cӵ6j#WbVe!.whgaC|9Cm|I k9=kFUnYSa,Ur8\*.J?0\= |U\:P7ruew|)V٧ϘzblǐDB f6Sn( @)/tآRR*vlh۝T-H#p* ^"*ZUWyhDVX vJX%\ R#UbEsx\ @V뺼t,:ojvqX2{#bQ}7m)֢ 8W%sg("(=:% &9Y)r)$+X|{A<V}lZ)_h VZ7ϪV ڑ oET x:}T×7O{΢DA4}tӈ$,Uʺ?XMEQ9f$MFPA<,/ ~2fD$|3BB rn4@6`YS`/32>M3H-ڔNNKIhsc0 +FL1p}a>N  UuTNךU&>WڀU\=.HFWCfB"h[Lr"E 8a7΄bdk$6[MR=Z"[r/u8lӌNJEh62Ŵ$3l4&B>g f> #]<% wZޔxjRbld &Զh(N6b㘏!4eM=97B-_jD~晙7IX0r6lfZ5+ʜс]%0={%џ@x߼L+C¶i89;bNF5sN7$_9[B˜ GdѪ+y"b[aCgBS(':ħzK.`ePE]֬ g|ӂ%i22ʘwՐ*H|\h]X.Ę1Ϩd֯y.sx2]Oz#3v⥥Fc|ta}/M{΢9Z/-u7@pchQV)πEL!W^SjTi5`f0 puJço~IJ\HP9sdbX+|/+a[|z wxHDѪi 4`v flXo,Mc~MaDsͪzC(‡P|"<oG1 g "ҍj~t;򵣅#ۃ*5 Q',/,wz_C4;4$bj!mNay2#(m/fKƭѡE=Vgj=zѝuH」JmzEUneJԨm&vh֒ikҜEJI~mn;gEXTTU~!|M3&+\/e?r6/Zqq`ﱰh]6W6Wb4!{D0nȼ9O<KKLB3'm`VHL>!K`؈1$ #IRG5{EQQ"j//+y[ è"(/"!墣1(9b˱×]]5 "C4-q6 g|$OIDf,0 ˠZ++rbqH f|biGALʚې&DIYTj'u12bA#UITB%r֙<d$= dR+2=@zM(%0o"DA6#J$i/&NXH=RT%VDPOM;afl8k(8*^dN[$ZZ,ЌQ?o?<gYɊFT "yd23n?GlkHpF3֏'3z@p xKr! a-{4"䃀PtAq 䒔ׁ;Pb򳛅S&a]$b1IjgImv8ohSƛF;D^X^\^@"S2HP >X'erdu,! \!s&zF}gF29ቿ.,t&Y|=s 珅_Ϝkȑzͥu&[R$> gmP)1$Rna/%ro`ޢS69~`GÝUm<[} ]3ϮKmG̽^'qH/-'!0tD!dљTsq b9 (H,WcAKccg~98>ON|Hmu0Q]z;d$>wƄg%3`r&8, ,A#"=biUz$ڟJևplg~AzVfõ#!"Ku&mݤz!j~ARp'ܢcȬ7sVW@t |ZDv L[vi'6?9^;2mPMy5NI8};]S77U3#D}z!j3zmL M4iJTĨ-[E'~Xd GUM%MMGx"8(sׯp8DLi?MM2z`F쁌В34ۨ@~ 9-|Mj ʒ%SW<<ŶMȰ'M,Ցh%N[?4qay0CXŨj8jyD5}Yjp]_,ģۀaL鶷`֋M.H!lڽx)stI̜њ.,tW5]_Kx5pY*xuRn؜4#H4y.i% ; w @J\%{)dfLQ.#π5%PD~orgp%GzWK'7ҟ P f(h9״=Ph alz'0O-^'mRhn¥A0DFAUcAwV冿<rF5{DƝ2tT=z0*| r2*uRE E=nOLuYvK%  l2(Vtħ0#YIhlPnz-i8y.%ETX햧tkuc'A%愁#A]" |@yDR%s4cPfr$_,:n4'C3oD\9icXI)u-arTrŗ`!bJ${GJwV4<&L}P_C;$)u\?#'dAN+FtK(v[gf+W*Z@& 2nJ6rzJ-wez1fuhǐQ_L78\؍֦:{MOV191ox=J9pY宫r($n9+=OM;<-S&/x_I-,}L}Z_ørk$>mcsh5'Yo? M$ZE 턉K:ZP$l0wnSz)|bn x#e Yʃ{6@nx4)ke{"`l%Ì-! w0c*~އtonz|btЗDFҨx4+yrB h=D$FNWD}oA)>¹9 >Hj|a3yjb#F6&6u3 U--CbxV{_$ÏZBNQ6|8z\ 0a"/8"HJ^I ./@!W T" qdU0XL4?#<)`]!%Z/#+hK;?D:CgMhN U9D> >F5N12Lc.lX<r7Y/Թ U"@_w,t~[IQΗ b#aBx=ۙl~ cҎ)1ߨml깰65 jKNg ncY=/}1doJoQ;.0o(¢ƿ4-BHtju>W|hF@.*R $IR%`ɬ3Npkʩ5mcϪL빁H;>T-Z@0PfA90t7DBX,aw.nCdFfo>CI_0ş9ta >xg hFPJOH๾څLD_71!)~ٮFOm+@[x`cu~ 4OqmWfzɢA1a fYF@SIEvGm>@ w0ƼASI6΅K ZתdWW[JrX y1;]fIY 9N}zѴ">:#g%H|^yRW&Ӻ7,C t- [|769fv:M bv TM'fA< `>$)~0}iA[_}@5%XI 2/l'P"݌yQwm p3hj4q]i-G:B-?8[71T2҆,xm N-wс=b86<}S&Bţ'`2/Sky(Q ^G8'yAaDćͿKn)E'`i7+5 X2QDqoAwH kXtA]*00M Fiʸ6FITUDɚu!ܟœ H*'X\y@Cׂ!&v}zed09_-j!(hr^+rE:&wdϻ9˽l,[H8loVo+Dztki!_NaSzf ϧdAh 201cX| a]64iU%wSJŦONv0ₘ`,aEZ-rH 'cf\XJQ'ȅY1Ց`Y笟 .Sint,܊}"+"/r-mv&t XgTBR <]xd DžuG6Gf;sF7i/F6[NtWHtE*Dr@La=ŘkMnAݺ/2  nQX*b|Ύy5!FiC0S͢w~~K?1x?4ozHdY\@cծڝ $eWG=4BW2`#)HUMa#d NUHV `5+*7o)li$i_@Y?qnXjɖ0|,}LyyUX EEKPFu5W^qQ^؝ůCQ~Cj)uq׫iaN洭xgՅ_ &i]'Ĥ 1p!A *7V{pFQXyci!q]CMZ^,m+ xÌ?667an-Şz Qp>[ .Q`u gg|/K>Ϡ]QP`M-c4-%ԄWg>?u$r wɿm˔Q :ˀ8@B*= C[YphgWaJ$nh0_Dƽƌ54uT+{-/"byN6jqʦ9-{V&Lqk3 y,[n!yhFmV>"ldn PaiW vFnFn'xf,?r 2{7.I,n"~6)P Îu6å#U @zj{̢}ӽ(X#R, G>(4O{>!Hւ7k~]ucd3]&.;bg"RP+r/|nID F}P I h41h, 6c{b2CUԦϷU|6:e k)Omp'P,JMC=XgH1(hj%\*u̓S{9 AV3&6o(h?(L̄gmTLK~~`7{O̅ˆ:KI/2SrRxDKːsźF=sw_2@8Jvχaezъ9ցYi \nвrt%4\%RkZ9SSLa^@` qctjz%|mM)Aϓ(2X!;"bp~Cr.I#-¡EWLt6x)'5!ߵHE܃X5Myѕy J4fMƲpjn=z'y7fk<@ { W]2 7BAWK!/&*ϳ$08yL\G0a^*u;cfrqJ2\`cYo$ 2ueR6&ةgڱ%L7G|uwMJW}c@|O]t*rlֵl&Ux 2D3e\ː6#]]SV::mrctt49ړh+&&<9<+ Lꦒ7iV4Q8+ʢR6"ʳa?9Tm4#kEf=[H7<(% '߸0]f[V1 gQE?$cqz< SNɍjymõ N<*.C(.\JdqўT&ljWWA,o"9Bg9G5&R'tbTPvqd>׃|h-$y"4R0/[{DlMUfi9?@ywTǂQ/rq;)B):sK~_7Kښhd{1(cz*Aי,cUS5֖ٲ+5CNgԢPB~zcX<[atH/oX7!x{QF`^>ZQb"hq3*ѺB.IW[h,>.t*Ty((OUyu5,Ua# tqlx-8pG18OЙodn&9=B*i/ $kIJQ[\mJZLj 9XvzpFE0ͷ{쵉_I{-zk?Qf)| bxXcM+Ђ s{t#"Lȵt\dXvkW=>aK RO,:.׃ZG@Q‡jV-J.@99p=Q3m|jzL) FQjB+$`0wp676gPvB[6ĵ]s"^zTr\Q]7}YE-ZvaQMc7,c&[2VGFTN} 44U\YG|$ܯ(BUϭHZvǵV!Ye):G֠ .uEe+S=Ϸve H6V׻1Y_05c`oz{KPɫW6F+5zz;O@~5O v Hg^XDΙWkMص#C1\ 4v?B1 j\JQb+pWb3®V 7䡌I[3I"rw>wJ|lд.iԨXhb64y?. )`N \D8C-ڸ3쳁ƪlcIFJѷ$`O-]1>u3qG\jaēUȏ9[6l#M+- -MV^ez&a5 q5_>nfNxz)&dt3-w%r}?]b-^p]\%pn& n:"Ԋcab=Z$4yROCinYBYjA(&]O0p JԜi^N~bgΐ$DĽppӪ<&cc{-+{A#[HˇXY>Hr-B1`q 0f] [M0ե\7/B-Sxx-vN93ʽ9ae0*DgُS0KW’e[7pJA8|eu j8JCVωkN߽O{ƐJUr;x!^INmu<“KE9]N y >< ' ۠qxus  n&iXi qNH?rT~/tW@6s`rpPIyOQ:NL$]υ8mf@k[! l`xN#oFCk e?hϣDH3]!M@Ea B}hgGs_\nxv!@YO7Y6U6L!`4ZAR)cVGA)BbqFKDuVwoIFLb#}[x(۳qٸh$M Bܾ&lwHAtphRЙ<ъuې 4hW^2'ҫLl^L#qD΀4:lfZȓǀc/D4d0\3ql:^?M$ﰮF/?TݽMeP2ߠf'mQ5;5 s ua<[' ֨@ӥlm}B" 'dMh}o“dh+ȩ>?+fw{mKU,}B$ A  ~J yCtշ}/",irk :ŹRa(ɞo\a{1mv?:Uh)/W"㹌de4<E/eK ?Y* &X8 ?ױLSd*#suSp_v5Ի aQ1 ͥwTz&?R O$<_t耠nխڈ eQ fO ax]pYw ΐ?){yЈiDn ̽"Dc]Bh]Pv㳦AYrnUuTK_*ť=:(F\;wFds7x\kPeyf'myui.@wq2ybQwWMxdV8UlNI`^meIwR ?:*pF@vE6c%JS8]1&)C왜И?}gU ߤz-qgf<am%L臣Z_ ݻ[ \|!Є*{i[Џ=Ksy@B~ůV^Zn8/0\ޯۃ;!F'ߓ3Ί#Ap㺧qO8xCƴT@~:vߔ#2Cc5^/zd "H̶<^ۖj;FsEM%Оa qu\gmʹ_0fw !Lrփ:Wc6(q,fZubyJONtHYFw'iOQV6g~v1gB;Xk F  _i GYԴu ܗJZͨ,a(_,C١"jsxbb/\I[L_ƉÀHas8vOGb^|as $eVh-*lE Hsý[=8;h9¨aV.Uڤ+׉1- 8;`_"m\zto$W z"LPEgppd2b3enћ6o SVpn!g3nC1|SpTӠQE5^2BaLwWY]\+t yvn=0I $Sb x텖]fV +=k9zdeEr9ٳ\z] C9wg/JpUbeKXBU=pa$Y iqcL_m}*Ud욨c #m&+S9Mꇎ%Y' CWo,yM6s}0ΪaxRV |SDl2 Cxi79Eǣ!=p*9p1~ ,= 2}ɼ &Ib&TǨL q, _U}Q;$$ lKi 5S"qp_gnx A+Rs& wL+Ҹo`]hwwL2?萏)3MW &UNiMD6C쁟:m dA: 1dQx]? C%P!)-2iQq<]VC]v UʳW;Z A׹qV^ǾWl?j Zفwyk /cs>L ȓ`2glBʶڄ: Q;T{|]/owS*3Sz;ʄ_S&%rPb%n4BeJk90[Aǘw͘u:;B %Q?8j"14 h!MȏO޹+)dN6z=3D*ey2=,@h `ʼn+"Ɏ~)3l6o>[غ1qJR >QG.)KNph 99ր!\"Mr֦FD ;-ycқoXWv `p*Zs*IƸ;‹DQ""s}a5܈Ww[FYT#:i|EYNx;89wм!RUZ]!^" /R )]ʄecPYhگ]1Ӣ`wj1і ύ/aD&=_5qqIAqo7UCO<oSlOOAAI#x̌ !bT~ ܾljv-=r>4YQ'O8!lwlQ6@Ύ[sl#QCjǸpVRyiSL,F$x{o>,~c=e*^2³w[79p^~w~UP9g H c%\?%X>I8Hy>a/%hjЃKDU'; `gX>2nFtP~=nxcLJ2g'_F˙sŢm&4B-fXIc? ڭAfDzŰ AOZ;ESzu NLk7ZChځ}%U$vSxx&qPV~N5 3n*j[ 9klS0\ӝGn@P~ї ^  jp*dX)Mֆ6Y0lO࿾\ѯu҃ q_0_?P&h'1eKR?}u5CI lLJn9ށ򢌳wϨ( lTyrII9gdRlH銃j_ ;. kѴuR)7?O|Ѐw`+<ȵ\bأ]c6 %0~M噫)B;5a|ga7FD(/'S-y<2d1K'IV͌d55_kQXP`G]`;vyfu+TNCTfD$ 7nsG:p2݃T0y-Eׁ3* SoBap8މA4ߨeX4 y Jؔ@YmWkvx3DF,)!hV( .0#42:$:&G6^4=*IeV#xN RWje[+イɘy4לqֳd慘Xj0݄"->q;w񕽬TjmXn'˴Bncwv-31cJnXN#'wG #)oW'M9: 'eiae!q~G TߴN}|n>#p&Ӝ?$*~׍ L_ 6X,o1ylKuZSE)^C)o 1B( *NjX pl/*kox޿ۆS`+>07ku)%2#'|}9)V5~)5ӯ$^JJGqn-'8FompʗW4𹨗L:TZX6}TX5#볃7i)Gdb?ie!:lnXŠHp. 3JB:їQMWUm<ˠB2Oy {rU.[*=x\X .ȷN3q`uT@9d)qb+- n^g죲Y~`LjQlSJLy 6ZCy zZI(,6UL#Pbg./|/o+j;zcx_1 9Ow= ɇK Mێ EI6D< 0WHK;j@ŋQiM37G"{W\[4k,{IN:V#@[ͳ:3lB|"LRl7>YjﴹĶmtxZ:wvmu.%]& s!e%iVk~ R:D|Kj61g*3vSka\^][.C^;G2Z$NBͥռ&BDͱrø QXSmR SIfW- K .R6h+x7Xj l xCZo3x}_{5jW,Qon9Bަ z1_ Mot8 ]jxWHg^թyىn.qYK+\ Ql FQ[ ,*lht"ltQi?UQ$]#ضS",·A՟jIe !K\[m } ϧE>v17|!.&ċج'.lD_S]4{(dՃ jh@؇M}vAK0ƙA")չq|̟Q:nvikv3GW/s~k 6.n|5e[Y1[]+Rj] y3{fo]qaS+\yαQ I=9PaY[]t_c%hTTWInơ@pXX NH f/Uu8L1~z.3Z [Yn܄–9,C݄hzEKF=ኈj|؃>n+0\~cbQtJzSa2gM 5k"rkо@3p$u=I V[C%tN w U(Eqʋ_7sar+?[d<1 MZ:Ghl'kZճְގ79D3E [7j0,z-PL|N_ ٴZ)ap$9OKOQ5j~26^F_~Lfr'ϡiBoXEK5 )b[cQ'F$ 5U͋6wfdߎX93Oz0Ǒj/StȶȽ.6TL Rwf[wWr~X/"ly {`:ӑL,5ccN˃ 8s1wh,@Fn Xt"3~Y$03U"n[t 1*f(>mk97z-BS p/:esW]'6dDlde\i+.)c*(4vev%^4H % r 5ߞ%#r+_13V- I +Ӿd\ZI%JJMFN%K$NYPXWc9X(HvJ[~:m p-Z'ەcR6Ώ._~,e#:.wM= U&%/);4hrrD uP|]M lX?-_ *?ZB>SY]V4a De-\b؝w˂Hk)+Uz8jC$Lj W|uB4~,~(wAEM2R^a?7'7n[6UhF_8HD4jsxsƒP%]iRrDrfsd|PS)7#>!PVMQ짥"Y6oJ8'}I# '$ {^ct:m\&~o`,|F1V> ,YXnP':a_kHP=\ Dd"Fy`xc|/ޮKo>իԠA&(g^ k}Yd 385W6EwH<]Z; YnL EBjAw-ː%}Q$ 3˧i7- MX.[WA(ƄaX[ui*M6_/<6uwj^hr5wWLGP7`me )2==rΛ)XL<Ƥ΅@J_FSSpuk5$(e%msqzdx}( ;8SjT']?u3[;,`o}4~w"Ӏk{.5+KKjM: -.j $u(]v1F«y1'?}MlmՀIx@ R xdx 깎j@zc$f,ߏm}QV֧Q{ª,p߅n`]GdyR+Gk9fxL`0 O)@7ףwG=qcO8 &1\0j(^QlR0,ח+ -9j9Gȓ1cjL@*vHO{Fi$Z5{JX1VЌGA|7H› :V ,OəSl ުn??gBHkZ+0 a9|e(Sʽ_9Y#tmk[udT jSj~@<  |@T)8d2ߑѲŹ~ZzT6;CD{Ǟo2ƳuqOqF'yMaX_ dَɾT\ %lt'Gʮ/cokp I,S/+|߾5h:Y.oqPf%Zf1,J,b) ѨDK)pC0H8g\Gq7=Mp20u.UL]:h4W'Gǫ+q7}@D* =v_|Ia^'mfFs @Q)w)n ߭@BK0UD %w6ii61 `\|`JVvNd+Bì4lMx'fB @%hb|cm7ݪo1ĀtAaU?Lpta-bq/ט&\}Ɵa\T l?!d 7'% n`8eM寧 cy=}/.Nk~j']]'U9 p3%zLlñ#3YL]8U}{3ӷHFK{iX5 4?@cV D瀑5N9doIzncĻJe [~_0;9dAUq{'[Qz>c m:anid 4܁K:4 F/^4h4yȯRk]L6 8>YNŜ8$쐑͟Vb+fVl>&,hr}B@5@^]iaa3 2t`;r<7 ؜̋pBF)<_ q՗2ֺ 6ylLY? 1׮*!jݽ=)3g?~@A4{&b1oK) o/+M"/`>){tn7C6A)L7<8!N5g$:CXFhP.6.X8}a~HX|Ȩr,(Q۟Hg,r -H'IjX*k(Z?֚szuJ#Kc6%>jJhtƂdn'2osm,'S~f?yY5;t,^isDMjz؅XA'K4cSr9-L5UwL8ukOK`aeG5u6Z. <ED>vJ8IIXǀ[vF*ػ7Si#[1|x3c7V( {YRH7@ʩAXiz9 w}z^,>GF_q4_&=r d\%=>MÑb`dnf?OH:ȭ 2IRL@q7ӭ˾pQ[\I5j~*,p '>v;)]"Ϩ=,Ow8EjW~29q!׃ֽht1k^$Va%[\N!XNc0grk31 jLuJ{v>(xA=SCmV.&cQc#È`4Q[ɥeu%/u[Ij61~K8W(ð6 A{{S1&Hf}&HfMYBqeccc fo<&V\Yp[ҹF{l4)]hWT5cd̞ [fVVP*o(D Rl57Fe߷LL8UCM},h.|9g)f΀oxrq,ڬ8fTb\|{yb&םq*?jYVe0 R*^͈Ҫ;G6^1$bgAx>PH38pȤ;9+F_/;M|.ʼn ٞ.2&-H_ХLdD"Ak?IwpMQ(VfLwCTZ5bVԭ1mD Fƕo lHn\oz*QC9_ :zb+ĨΛ:囐 Z@ bd]=;)dX1aO,Zsb&Ίe;Ha4u $AYI+PW~nx3`B+ZMQ(NHXG؟谇Y|,Y^|O`{.@E!o/ +/Vx/RZ$+W|=k|{#{mþ,Q% g#0 կ֋0JeXq B$,&E7Y?U q8,6~ĺ-:.#|oY$гpUer !UWncfa8`[-.݂ĠӠ+S/_Cg31NVKzKdV\sO&;\|wN /G3=M_2xZ5ȗ[r,3 U47PMzۀK`4~xt%1BmŴGLߖ^Bz BLV}/C 4:qs\:a ݨwr<%)Nrw3\ 1W`rZ=@K"~g4.bS%rK27SNkMG=p eJ`<>R`X2ShpP"MsVm`Pe2§+Y+N%ʭ*T(=1'_a$\<,J_T"=^fbCYĖʬK! ._!l!!4JsjMY|lsv"|fKikx!xe6TKE+@&`ky-xM ų K9yz36\rp%(o:ι'J15[Dh&& zFbPj%JlJg!-xs^v}cmֹkBjo)Dz͓LZW?pV4k1ֆbUpDswzӎ#v %!hU!S;`Kl7r<lz`AQp~wu_G?l3VGZx YS/OEŽ$cXKxdwO3SͭAώd9eWnd(Gm hC/u-v(WY0,%ēTF"8a ;4X"e Pɶ͔,۳ eE8Xuj12"LpKm6Gu1 qcwev 1q3J]#8;fpԌQ\fKf`` EKtFRp3 xLD|y 9RK{BC>W +lW%zq9C!ZE;]bz_Of^OONr+r;pߙ7bmUkHv55* FqBusd2a)o5H'eI;.0}BwF8qLFŸtK\*M+\mğr&ZU☾tc l ͝iE#cdjHsF7W?!2AG-Y*OV]C92G`FQpPU Vtʉ_~ғVtkb!41EC1([zD;zM̒sNhƂ|*Xxky@rqI9TI/l|"b*`Vdy2V 5Onz* Կщ=p61DۣI U6KC>5 ~,`t%-I온h,]Ou^XFZuV Yo8E1Y!Z3I%wsoNޝBH]n!$>?32VDcNqd|G&1eeY?Jh&5.}|MVh7GgYsHj6(B*+^n}3%LksvΧ4G^t gy?<1PX ; ou2 =Cl( noJbUn=[i76{]}ycnSk^*YSHO:*I!z)&El814o5+q)T}naTۣ'd'OzE{ P7uBs]?/cl9d=0eS{y3mV$5{ks\jv" \Q?v',ؓ'qv "Hbpps;mmF,WϞlN pZ,yQ9"~EÆO XthChh"?vA1/uW[ Z͸nXdS~KrW&9FiYz/Ͻ6IH0׉i|fğȇl (`|"aY@/pkS .y jt]IRU^/ N^}; ՝HkгK\ fvɚ!^Ui&wJ X9]ky|^gTS Ϩ t'q0A6@Za#WL13jܰO\|< -*wLdjR#2N\M:cD[n7Wep#RnFI>#ot9 9뭖$sRǬIwTїUW#oKnW,o u]^Cfn)㲌CaP8UJ1&*TxNsFwJu-yB([||ŨOjl7{aD8xY2CuiitΏM/R>F=bFmAWn!&<t'yNAMetۋGu2f^ͲbKmkV bC= Q@٭%F_~HUG7: !8[R~w784N3x/q hGZGA޻ځQ[XlMY-AE.J kUjJ<]g!8 e 0 $XQtœpik㕚[}=0Jȴ>uji0e~oU&<%}փ@-Tjx)멮6!!+)\k$ -sx8VsHKMgv ~=-dgqO ְX^N: CB Lؾ,pc5+K3lmRߕS eb=f*)0ST7Fɴ=NO:!:F u>qUɕLX{x*PvoSsp*LَnW!'Ũo<[[`Ld,^k s+@痟^YyWP2s+E)uk"f5Jzάq'[ dSxQ -_7pkSWIh~,$}9: p7j :.e-ߔK K2ѷO[%W]QZkSĤvab%MY^͙ʪ&t\K6RaVހFΥtc{%Gwx=DV+ 9! Jl~|S[I[CtB§b 8Cѽ'g(ODy֗Z'"~XgseQԫt_[.{in)aDm:( !iX𒦿}U$^2tiWh`2yZ^+M ?/ZŻZ6>%-jIxը+>ކf.B8Ε)z%jrX{bDm<aQqֿU ?Xm;쐠"~ CB@jKklAvHmOd!.=p쟦t|`:|<UG |;lL({#QJ*ETX,.88bLR?3;9oUC^zVёPM ] 4 j? X-2e/jɑ!!k/U4ؘw\!>~8}'ޢ׵*|2z?Yh,€@+veL;~Ṭ'O}CԂI+յaowQBƂżlxrˍ!-bl'"07OȔ=G#f@*GfICEsޮy5 WP>)o޾EvBAHV>ȔUj^ >1fpO@M魽Vҙ;ȎbL5ay<Z~|]R};b ӄ"B/\f/n UA]?^i :1Cj1N\]5x=^\HQ`ڑZ"lB6J7eBôkMPOCYif2=<| `7Qm&p"#UGtj &TPt`uqks$Hvgꬓۚ8KCqM=$w_܃a{ΦzâbcE5WEي8~"9/ P(81S5zx[ЂOi;6\,ʑgPUT):$9#ߝ|P pnyWJmH6>1pzbAЬ6T˕QV߄(wd ޜzS[̂ۜWuGl͂J,aG0S:@T]ꐏ&Y%J>d"֔Lr"uZd$oouHHvA,-E.TiI(O2zƃ!hPVUQ_Par3 >ɔ!C}]zi$. QN?4 01 $;[b %1 lN TI ZMp!@ǃܐHKF5/'1xv;AETj hm@P~FQNOmȈmMxx$?y"ivz?J%c@&(IQ1muMR:DA_Ƶo3 zs 5ª¸ְS xN9 /@CS\n6Q&\cAeP\\$f7oCE0VEl'^uW魺|iKq$!ogt19mWr|'?ƁO8:?1lʂȄ=RChU8zRP9f!'<.S.XŇ(XلVOjybݼqA2=[.Z3I1ʒL-i "HJn^Rg>{VIa VUO@RV?OwEvp!);y7ɚ=`+ʪbNxț[*?n_t18Zܞ-BN#y;/j u%k.u[[4'8E*%5$y 2{pN*|2z#rpu~ew+bWsvҗ$֦A9}/Ag+aсdb?R~J>w:d!Q$GX 惞xݒ al(??bVcά nm#hHT}VDi'zdB#(vf @TJPy3qq&1h3eT`̅}L)sr>w&͋Y'UL ]Zfp0J7!F0 b]VG]<>91٨eԄTUp4*FFS7aCcWx$_;'QwҖ=&G5j Zaޥ?hv~guMs"m@8p鬢 =aֵe喔D&{_Yp"U5syˆTQ8܃5mX2@j4 fOILjsPC\7pR-kƬ&AI>&GDT76K h p>&/ ]bY@ެ_}F y BPU,6THH]F~˒2ƇVYYo;1R5=7߃YXWĚp)Jvr(2O_Fl~V:o X4m'~h;T99 bMjѡd"iujUG]׶."mǯ5|8szG,p9÷q,,^3+))4o|[ƴ0[7FM mUvF!#b@nc*>AC@:ϫ=PϺ`m%Qb sbE>[ùPQYnoC?P ٱ G9f!P` +WU$!/aga@]B!:WXYuy\(V5+;Z_=0"8fZk97X[%VG\8¹CwiTFaupŲ5p::Q}\*tCZ75yW&$)ΚZruu]pq[0阚'e9cFՎV͠呟$k~M.N fN(AMqx{cCZA@ٰ(hsC* k}TM.{e(΄|[m-Q(6>:!Bނy9h%:qzys(e?!꧱s{?SԂSf:%G[-o7)QHǖ8Yz= R[a'` g,x@;~o $Ѓ=,wh+@/ps4CszT_u67R۲`q;M]-&d).Dd-(-)&&/maB 3d#$J~}i"q>h˨ͺ]4Wգɒqz?mYfpnQE @>9-Z-72|Hc>A )U>ꪅ^yzajS~nYݘɄU3{&zKv!~#wTliGg8T0/t>w&99ϋ}l{V{A%NC~dH](ե}KA.eu`@<,ͥvvD owV #QlJN.Ax'\Kt d81 y $6$ n졩:Z5[?n{o^h);bbEK)ԪmĜ߮VW#Јzk P9H Qsj. L;aI0˛EM!K@ YG'枬.K}Ar-܌nt4u,Y T*i ojwq#5!)̝ s~ylX+kĀto90SYdcÕ u~ZlHILcU2 28 'K:D~i36݁l]bLka6Y;MгgQ?('4nJwiSLU&]I,Dn$YS -ORh?r&ZXoǒ*]32]Eq`SraBe6u1w'R>ZsI߮glz믲~ݾԥ5=5VM546/P N6SMlf=h@t`q2%*ee$!,萣pz h =W*g&^N\QI_o],I|a-.z~!-eEv&,CB?ΗsQ0m^.pҋKm~u$N$">6g{A?+om0q2rXqgک^o79cBct$i"{)hEP*mZiQ ]#P+p p3;Y,7Xz;AbV/$㾳Zcz괦L%U͟)NЭW%)ZM8gGo1;c1~ר_%?Ez]JVws?Xha-pMp¡QwJW(V?X<20TxS>jvwzKf8!¤.Ұ8^= FTD2S49èjY lҶ%r޻WtGlHv*kg~#YX*`m?;\@PIHj%O9\dxkD5Hf.KKf09~WV'pz ffrhyX5S/;GހzK?bcHYn4v05F!AJeg7uopQ29翑^p]k:"j|aeTٜiRYnX"`K`,[tqȭr =&F|b,Oc1g9 ¯WŻ+E"'uߵqpڏR+; *dHh+qPeR3/L8w$o#Է\Ŀ`s}ߺf7Ngt(p`k䳔MI2_\0B#g  TZF-JᎏٸE@;yjV vvXXylx;(g><XNQJI&FF.glgw[~ bh5l B|_@->- IѸCivGϕ7"jOĜvYOrV x!\#Wղ\h^_BR3vV"\}bKO%BEC,@*~>Kt +KCѰ-c@.|69>n,nrNN)*c~F +$PT,<6鼨V1m*.Ply:.Vdwhw=c/,̴#n ͞Yаe"ڳEEPm Kb|?ڣ-cI3=$Mjcq5 `.P-8ET67^0\VꜵF3X [~Hn3uJ=M`h2ɯtƲcM:ݪb@GįKWKW` `5 & 7JY`Q$o.7{dTǶ |=seF )11jV 采6%حU8>N{LO-D'8Z])<;e;assrԤR씴ؗcw?y~2LWHv[oOװi*@R/U~X)vuM9mݘ"tiGd8opHZL3&$a`O 0 nw_5n&fVc}@7JC.g$|3FSԦqS7IGT5)mdjG{v!J&RDjyFnXn;؞fU/eC5qaD`fQ2nwu5Y10 !֔7u&PH{-PbLxO$WVoޔ[hP5JS+P u5zb!v^ C m>9R<PR/ٻ-ss݊jtG>$Pdoio#-qb*R*BA`t t*"`(lAXAɤ ڒch 8|Il4ĿaUjv\.{?@{Ȼ;ztW7猫%CV rÀ`Fxv-"QycWxIDdlq%QTsfY3a+qB/ C_bHme5E<3 i Z/L7V% ksH.uQ+ e L SmF}UE v[ ^8)8P0xl5Rj]!]oi`-L߯Y#pӃ1JG^pZ36p\>iqM5Zcl{/GSZĻ[CV i9usΪ P%RshךFoх:7"C~m FvX\~5u(<]c´H%+O,<3= 2_I^x(v}H<ou_wTr!#QqFɿ#z7)1UDm&fA(i ¿UܰyROWA7(]uhڗBӊv!àPDWRU7WM`%tGF&XyX3Bq(74ZV %Mٛf-Pv9IuV~W`4`\W5GxB+Rq86]6ևMaI}^ف"Fv2kԝhYnKh, "m‡d~1b,fjdsgƷ\!PT\F- թ0h`ISUf@u\uyt _|V dQr8Fq!{#<(u`{Vz&oe>eȑK0m3P%[ >nlC0AYsziVXʉY&8M*/n+xUaN`$Bнv/j2I?DR=N~ʹ$H0 W_΍y>:;oD+DB 0zx"yQ>mTY^ $eyg%Z݊¿S8RƩyBŗMZCD=UOEO #H Ź(c`pFf.OݳMXkhY40'_hGN$~ %私x*@BHi:z±,htl3OR?Sx,nyUc:>9GpS?ᰆ!*VI [8 oFXS5("nV1FYi!}Ғ4 ˆLm q*/T驉`o;G) 0Nl;{cPc&ż^Q jh [O@"oxj}!w&Ĝ1?~N==ir7bȧjMlF= kؘə[ W}`Yҍ(lܲ@V]K9ۏ)v5,h=?4>38A&ʌXpD|XdAPSpUY6pG&[:a?JZ5IeqM_.²Hk8 83qzrI򤑹M>ȮVAcn^ʁmЮOkSNq4>F/8hMf>L|Rs"Ms91=4HFJ^Hk&17/SR+| W.Tj!ӽ]+z!w2`>GV57י$L^ZrqnyZ1N:Kq {`Q]պiOY>>98u~>{Z%}SY&.ߑL7A"2HNRw!ƛ猘Q;! y s-z{P,Iɜp:ɨ% <:D^_};|D>q͠Wyv)gVimUn/ĺYpV%NIsٮ?-09!q0ָ`;I_zʕS_LeM6k鏇.vtZ)靔=ȿgM9i`?{3 ),< -sSG}~:=QTqx._iѣpbQ%8=}ķhX ]ΪR'+rH9nW wLL>!@m-ЏbdՒ%qsKutb3>빇7IYoqS3>ay7I⤳V2]j/1gG9) hm,` Y`8 M'd/ ӧCƿ#…Q99cR@HzݦA4LҲKdr?4JK<Lu y>thT·*l}^Q&i()7 )ލP$/`%,V @L"<&"W+FГn٭Sk-$to\DFlD|${A6-ol,fGqQJ6.͎c^!֩ j/؅Ez}N9bL !ac} {R3Y؏An\FXV/p՘"%,y Y Gj17 ˾ky)aCxܔUdUJx} F(n'2H]¡G\׆:JSsRqDβ 4㳬VH႔dI tJ֪9g-g\7J*ͩyt®Y2 Q W |}iضrl,w{p0*(ze57H <.Fpb--d:]ÂձsTQ1p "iGCӂ1%F`J uT‰4e\Vt>vbU+3zh\4K'\̖?`/>llu$ Ukd˴(=z>hFW+*A~J2$6#4dκq= biSxGAb ThyN9}}~#Gױ׷L_ $*@H&cJ4<ǟBO88vи%S\'ݗ3<ԳHK d0JDIndm7\3>_NC1hF5+'WX4Yߓ&2[`L !tTDf9"kj~ +M piXO)J> җHh ¸}Dv'У5Ħ|&Ǝ>?iNPNP_#қPb$~Q>sL)D+8^ɰɱ ^KK a{0_N|Ej&Zq* >EFFѩw|w̳$T=n@LH癫 X&=en(V g1ǎAPc̹gVz2փ&DH-\=g**ʍN` •?t/涀P[ڣ!ZPTE)^yySQ{%Z͆ }[Nm1~0[dV'nLy ְpx`>3290 y A%4ʾ\YFX㐲ݵF`&u\0 'E 1Xm߽=NoIu5JLɽu5[PpU:Cdw L>NJlXK;:Px>xqM "E+ {~מxLЮ> .7aq[pCNP}Ag+G[# U0 a#Rrsx TOKP K"|ԗ/QuE(-_@-Հc'-YcK܈BˍL <$ߎ-H-k]8~ DlU :"&G*柺俚s_Egve4b"k-`RAlXBt3OE0[Y[^gc@nsq>t2Bnf[feu3¹fΨn΂ss6Tݳz!'r?d-|@2(|# X\/\R0 ` T&>#f]cL~0ZK =J Knv""^>tqïGv%$rﺡxU͓&.c6.̇{ Dùo<Ք- HH>DxhQ'nzl'ƚH'< =~KfsaG.0]:Z < w4CK.ep0d?$XAvP)ڑ☌Zf^1;F}JnaϷ_Z+vv';z@ #pq%fnm.d2}cVlS"2MH N,%1:Ĝ_o!fsY5`3!$^/Y|G -I1$^[jJBy:z%w`kwN6C)j|ϪF 1ɴ.GRxTk%_@ ed1JW*~ܒoIOzI{ҕg\guur y!pV*wٱ߽e8Z_.U6> .u~"h`zO[ĨŤm<:5;Dt1q lZgʚƸ${(N}8WP<5Lm}ɥ%`2bt70^̂P(i:fEw90ʼnTGnlj`Vfc.PzH@ `"Ҡ=/qG2~.20S<]djت6K(> ``;(٪Uq%tGgJܥX!K-w)a,A-^.}D 5ΩE)DYsv+bMϭ#FWwE6E"GD|c[rV/AW`JDBsۀVX!\XޫI<٘WΒÆf0)y.yqCj-n& xXO?;5O^.irx/JNݪLALa vbqBxM.jYXBCHЈF9(԰&)<8/<_OZeƇIAⱺmuƞ q f |^jv3gVP-d-,;MӪYnd#tYV7lq/L"f*Hjg!Y6MjJRf򜌑oU|?J2*9um2g>򉖞>08 ;[>jtצg})RFM.ru,r_nh$7D߳H%Wհ'A_5^VoQƒ(<D eEyݥ{8`jPƐBI]^ =k{16fL.G6sJg~1<(USc#W /^az$nfQ,tMb,~봆B| gpSBi3rTfpcڂbN^ȟOײ qn҇7{lKU gT;pgUXTu"}@So+Czn@ Q: '}@O+,` p[)gxnd`(R80 B}Fdo; %i눙|}a7KX042ԼW;S7SMFѠkdGnr្PGW?ϪrX<+8,kUD(Z$V$2O*# Ng=HTC!~8sh' vI bc6&GUv)W" 7 몡k}bU]%Ҍyuk 짱ʕ%tA ˋvʱ ֗>V:K*rd%SSsn F{7ZMkt'ZIW } Ӌf/{wZ %oIlrWr|VAlm_¯qP̸Z޺ }h֠(ʔ-(]g.fAzFs/ XˢD%% }1 "DXkrO1jVbkj7VJy$FWO '~6|z**7@8P#n7.>gD/kd鼓"<Wkh|\j&I)iNۆވ~*CS\> `>uӎIݠI F(Be(RsOQR# ]mJú@ٔ]җ<fܯ9;LSyXE&J@a"ӓO_7{Iz<%Iv~҈KX0vhCL-?S$IdlY9ݸJ .gwGGRH5@W6S.?cш6X5#ʐrD2D"`)f.i/PXbZkI>\QkXq:bqKaWG` L<3I'A•z|0Ռ>.1aL@N dQ9_$;f 1mBhI‡ a LGV\Tqmvjj!`ڠJWH\҉:+W=^RXGmV$F)3;jO!5Iܴۗ(MɽfclSun d@$#CufB| 5VU b,{ jof"HUg}ɳYEF_جy":ǘD*&dg]n &&cl/M#}FW_[U ,:;S1h<=xd.hQ!!k%"C+a' [Q`~ 9!w`iꇕbPU8aZRPn|UuDV9$*.ņyه٤@<Ɩ*sAΝSv$,ЀhmxL[`+VT< HlÁIUř9H޵gwaD-_ /hrhʦ*!zBed!%kģ*/&ޣ?V9P ( Ʌ'e`Oʼnc'IdDMR 0Id>OeLr}A>?u*`p푿΍A39VUyU:Y3Tg@Va7Hv4AƼힱh)hz\OƢX<46hS**|#`JvcFʔ:IC&!mW XF:Z4OxqshὠݙGR8/_րZĮ+HfAhw~ƒƫb!- 0y}Pw ]o L#8n~J.&V']⧦'!qś,݈>qq6J'K'\Dv?(ٶnBuo旪[zlx: C j6.B _a+\Q#jvOQQȏ`jS\٤ar%"75^>eBE5G&8f);Z$$W?"{dEs}QE0*eaE0<@(1aB޳@9lT+lQF)319D4$߭#ZEKU- rR8~<vTmUݸuJlWQ$WDs47OM泛[5(uIL Qr@=A-{x#W%)++*{%=Oᕠ?qξ]ň-Di0A84pFDNRǽҘ,z̄$Gs'<-Ӫ/䤛zӳ&9y]x+ưdtXk5 \#w7U*{kӜ&L\Q&v.*_r%n*BFŨu ЀX2-t#ljqPM$H Ղf)*:%~ _EaɒV2,5Ý~tmJD͚xJK塊Ow4#+U{FG;" .Fc<:]l|@g$`Am(PI: R*OJFlX@iN&FسZQ˷xfA ]$+K5 X;ue4* NͶشt㫷P&;wfQlb;(hC++G@\K=-e^[`A>U4#'$1Y[r YQYcvJ&q,&{4#8 D9)H%R]Cv^ Tz 2 NYX&՚EF]шbT:c٬Vo]69S:fhĿ8v3p(V Rf.N˾խ+KSwVt {l8!jKhJ {W8ۀE w-Uk" X i. lfM \y  C`nw#QJQp` zfTiiN>5y#_4Ą%߮ ~H frЦ6f3GRE5_5lƨ@;|"]8S˸`i*u6#K1q>ClPZ*pQ(Y4kBDa:^e霳o] 6Ⱦj獏DZdtQC]m59|m" Im.઎7ٿU99&FyO2lvO|ޖ=t9]hzWb B/*RO35o֌+'TvK5BEIBsr/#: Z86ݦR#'Eˆ'6roUw*TK md`ù<̣| `jҠ*fT$lSQ}lܽDYê4Oy/ml|M̊1 ~iMfo1٢ނhWy*6Ϡ+|sMˢ'-Yڕh5",}c׿ R*jf{XhO7Ћ=օ'ߓ"ߝl_JԈqmXn,}l+DȶGJBzx)fl"tm'TY!o7Q~W2K BBvF~8lsA!WxuWJJG qkChn)8FwѣUBbfhyrTO`k'+䤖<,iFtV:[m.5?P _`ZYs8iTVӚ Bcv吂aK8e }Ic f;?T. F@&=S@bXƙEQ߲7]J*OeoQzT=8ٵ!^QR]t!fhRAψ2*9WnX?LtZgs ~t:L ѳzv,N>Al klGO~"+%3iL=}6BLyd  ~KFrPM& \.bfJ׏~RDpKSO0,/05Zqrx輚%%gfN&y+)c=A Oo&gIUCTlZ#c BE}|%f(8,l]:lRMiwgP.,eU [Ծ ^ Cir'XNGKB4sq1}֨Q;UFE 7,URl\W_ DWiHy&|CNL?X|"CY6gmBOC;СBPO1'77X`aM[CyؑVϐ_m™NL]zIFmlWoJ"f@fdINkMjZUU;o{JG00\i B,yǣkK}/,9ƀ-_GX@R[VY'PgۇĊ{;Rl#fԥH35c>$%a5&qQ&@AȰ`Nus4̇)Y4 W^17XxVTfٶ1~юШ܏JaCYU̖,$BC %E4p8NX/B0@%ZX;RG]\@mFzlʊvMQ-ٿTRD* 4mR x4v:({- ߙs-1Cqkv2g;Y %͸ &i˵E7^59*n>> oG=*~ ]W dyuC~I%&EqǡTcH& 4+6ܕVػB6PAIAϕ.%aEoN&v}&]{z-ER~|j$~IȪpUo/g8NxI\|3"!pĂ8Q#Ή0ܦYɩ%[`liIOUe :{JCX' |]BCA6"-5e}ucLfDq$s.5+U b$(ēAĐ4wչ([P2o;y!/jkiǁrMN>lH4X2Nlt|&ˬ|4W;q@[NC=Z~+5yGc Օ+Hvun2/)H:q䮒Oa0Qx 8ꠎ^AFN#HPL1 /!IDܾ5p`?%Ê&,Gb 6:PӸԁR5} cɽl"ǵďs#𱩖ReMJG U~tI\ z r⥆'1N|髞0FĨ$ 'yooʅ ]c+p@a:qg"_dj_6-UmMꘟZdkg y W'Z4W!+Dw ia~:#]eUO@Ȓ-uv2CE{TӀ7@b -# 䒗q0OO1J7l<)h&B]w7fp]Q ٱ}^$cãxOBZ39ԌL-(bA8iy}k}CR}dV2?/n356Loy`d p%7f|PUd rДS4I2K8f3YENyC $2f:Y!/TN C-UYaZ.m6|.y?Y*p+^c _$;@YV#pw4Tű2fĵN- {[nZZz+B/ֹ'3de,Y9%+S.ӝ<2kR|\8!*b|#VA`=4ۂg@%ENmke3.x\Zq,Mxsws}ITِ8BuT 3.&NއS6h|`QN{v)OK][YG֛ޡ9W A 3⼆щ_==IR Ć(uzܙcŷZWƫ (Z0$ZA킐k i؎ϡi<%Bت;PoQƋ 0[bRu/TMm`9 5aYt8I7<%^n'4ǿ_oǃ0!wW}bl溪kή>@&r`uW2Q4F=F +3bs.QPkJW7) 3h+nBmCmjL Z-*D\%w38ݪSp_pHOx;vgӮ>O2 &G#\kRs`HQm|nS׃h|>mls}S !;ꎪVoyȂzwWx.j", Z98 TjckAG$zǮI^:<Ɏ&1_"ڙٍ4x~C&x`T*h枰+:%[$3($}"%Q P'>r)2(cs=?4߃lͦM:LM㫎)DxBBKCu)[X9NfpZQna1ȕEfFO1]/䶁y]ܯQ94WKRra6=StVEZ@%A2l->!iH6rkoJ"E-c<9S,VC_eIQOKPc]K-t0⒗S:nA&oABgB[W&#ip `}&Vs =B]YX*~| Z(Bk]̩<Idl@㭐ߺkƾWV~V6c0q!\_j L;Qg2 zI"' S=B8Ze!@"1GRPw4T0/]'W)"Uk(x\Ym5C~"ӖY>xI¿&jwIReX/ vMzNss؂UJ?vCX$N̙KKNHg3w\hCXIC]Âs&GtJn>w zt?i' |L2koTp%/ e(-S2rGv9;!*ꤸ4UrXwHb=w7C`.ӈVʹbql(!6ōzH8r':HMe&{ =N -^ J,/O9!У~7G+uC<"",iBH/0!e!h>]Z$^ˢM r?9ByMA>)˩>{RC&Jh]2K}oOJu(ys lRsUh ,g.mu7zl)ۢn\mPk촼4o^}o Db0Q_s!)2TR<‹s,K^``={Dv Xlz_ Ԭؒ.̼ulAϯFMwb1}Y?]%XB·/G"8ыmN/TÚYT]{ ۈʹ.onPu뚔Y*W%hiV6@(sKp+߰.N3j-RٜmN{}?alD{ -&1R"&x}+e(3/v;qۭ7AGoޓtWy ֩cF>R96{g:^BX2xjs`q!%#L1e>MOb$m-p1_ejbS3f]K7bfc1Z1Uide"MF(>o{ld"YMWIഫsJxvT_Ѯ±`ՔTA`sRΑ)p{X@*N ~HeG3 [k y3 S),Aʩ{5 2@k$S8!Wws\n(^*f3>1%2ƫ#" x8cwQU^8)) N9l)kRB E~y߂pu{팒rI^ <]o{ЯO]FhLHr]䐥ۼ5_S"6ؗsJ6H^Mؕr׺| 8`=4w ֗Ny k;N9[Zm ߰7.KrfãyRTI;Ȓ ep>si mB˰S)!O:fCA8>0DaO=@)-u*]"mb8QۓZ7YP0K#ЅIW%΋t:rԱ7Q7.Qsȟw:NF 0$DGg ۦZ2=7[0#@_c\Q{bF˼ah(M`$P)*]DSa+gNiFXT CPeܵKH1kGLVOЃXy^jW8Xa8٪%>4cR(8"dk NAc-Kcn}o*߾';YoN}g`U[pOr%G+¸q#'nGwi_O=/3e(|ZwN&5倉Cy(eU"@*52 ;˓$3Ivt m>9-t~q CMp NHLa͆a 44W oTnT^.z3v,6˲(*@U#bEye(r6u,*fxud`3.xỤYQJ:Ց 3/ !ȃ);sW54xqZ?lkן};Iu2׌ޒϑh=]iڪAN|݁i75$&juM_p’&dqF=o`c{I"=j (ň!aN#>jҵ,c/n+(3E/ k jMBJAl\lq6~Npl+R鵢 LUp$oC'"|Tc^Ocnak|j Lx|27aFV[UYC4hE kryC+*jS|c{kܖhCQ\ ;yLOjlVSvLjP+nЃk\XT`cBA_Ғ ^{ȟ>`1ꂈcyKѵ s}_XjskmZO6Re@i#O5Ƀ [Simߝq&ۼ`(K7pD,7F!3g!fܧ>1^b5p$|hq=PTj%{2. Yр;vWF6HO7i`H4I¬ua%a2Ϋ\I&S:kN:udt!.ȴQRn70?kL= 9.FB|;] ʫ";Q_FNYRU8_k,1,&֑"ԑb ?%s!ƝEe GBJx: #T:^ۚw 􍡀7p“99E.M#gdo>HhL}*tkpP$ _匬l\]@I a4Ft8ռ:gWzbZRT"-.qKΓI(o1B<3S]m>EzJ 8^JC-` C)DcO/*'t!gα; #{mӍiX3_57n:[)lb :>VFC($vˢ (!>Bv_&h7|T#VV_v%*а~!Ի9륮p*26ҩ]50l 1ZnZ*7=[cꫤJVze 򾸯 D 81{k9eopOԪ_w^{jP;lKu|_N)GLW;YOwbqVnDbVYf>I~>P/_[loj}ȝ=?4ohEHl7?'tY$Ra1<DZ٘}t} ٞY:?Uw#jS 39DSQLnon)o@Gkh@|hTp8[uYJKԢzf̞sz=湽_Mn\(U=tz^ED-SR!یwFGzqⰬ# "CF f/ƛOZ 'dXI@/HMcFa#WgT'R7HtI IJz7{^ z+9FqtLt#2]F\V-uR\хhc]W;|Kwg}G:{ .*GPq8Hc˫ 6/$(i,BRf>@ZղhEhE4Ƞ$JB^ݜN^ )ɮЦnmwi"Ivjے~=*X;w. Ԙر6fK*(@|,9QڜCF^Rn"fFEjMX呜]l ^T#[g(ź+;z#OE fb{N{wo0".ZH&Ǯԯ簐PcbLfM&_a/S OCӢ EV;C!F)FsqG Z҇ $ό~EFn {w%x4P/at!u؊Evs`Pc:24Ɔy0Sٻ]L:O3{2d?'΄ygS;Y89d}uMQ9KHDh?F>T7MAV~9 ee}5Qv>*B4 9eQ (r1F,$j~Yn7Q]!(EK* ~ϚnSGlIXwoWc7$tķiB57љP2 cq;PcgX`MíӠ$mS1L>ls$JUj7umgxg9nES6\¡[' :R`YZ|op|sA2>C`cUI&◴~30CqTڿZQ7{vY[<@\QTߒh%44wĄ| ~(MJj]J:voΣYҫ0՟\8`!Jx @PfHJChDkD'Ags&; /_Zaxʋ(Sg+TRP ePOtl,ۦ0_T5>uYhדplUs&::n-`LZ,MȣA2$T™W4^bqGMՙQ36!uPBئbCradCLbĮ^-땗JQ gG,y9Cd}ʦ;]4(5aDvn.nrcy 7'm윸JsIpZ8iD2ܠ Ml\YkL#==>vl=cO=%mp}^  ؽjdh F_Hκf {^w°)}|ۅ4Ub[W{8/ T6) ~Qt1kOLr 0ڱēkY*"T3ke 01)CO3p LF'cD2]T @g'|i)z\tɛ^(0ƖѾn}Rk"olV`x|/qy-"NI xp*3°Q0ܘ| b<]%̫VdC׃nwupS6AimBk/#utL> $"ro̳Wx0-Րf0 5EEݑ+|4m߀JVZ-dhP\$Uw3-j?w$&*@?2KX*Td6ӓ1<ȋ҉n?D`5@k07퇭IpD|}HD]ftJ=4)!;ίӨΧ/ښT=bSeC/#hB\HL5 lRFq>Pui>:["X|izq[/2_?R u]@on5k=Y_MZ{]l79n&CڮиR8h t+K@QUnacSMq믆Q_]!q'Gh2OBy73q|!l:d۫"V"C#RCu*\arpV(gcK@0M ť5hwl x >7ѽQyܷ]ݤCP,:.r{*zr*θ npdiP[;`2cmccV "GA;p6Yf G;pTh(d:dB!C6Hq.n0 Ɣ74[Ӗ凔2?eĪ5J]J6~<5i غWFhd rz,OP8k }aЂz5(VEeh F٘.gUK*@xKO; , 4<2m֓Kz:żbR}a}o4'qzLW .m. /r>R9\9xkdRd/%5a3M1:[ i]{_ɗM .^] `t`W Z&[u;@V^ZT >^VҪQMjU=Y9-ռ XOۑ|&VH`vv[n2hX x0ha.2(5W^J;0k$*/ !s'  MX XGoY*'Pu/ҠS9ꎦ_cН3%ebgh83eeOs\~MΑ@v O&` *@f`~aѮE 6 -lc+3VӢ`L@R= 8!˛3Ps+j"Uy۟RZ2`/DdNΗYpAOH!AsAHv5#C twnDq;졄}8 eCP嵏DP\X/g$|hp=8:IL-Ir=0A)mFWSI|+^βw ~lŃ4v̒ uRuÙbE}<;Zp{w#q_$w6+|eWl!w1=k>i= p׬jG˷Z?f.zSֶ"RYcłAZ1lN;h_jjB\̨exoK?(8F2S̸gD3LW I0rS㆒cV.(IVBw 'aVAu˽T9^DxY94>Bڰ7The%yDe+ZqyN(xZ{ӡ{AXMhr/)$XǛg,(#l6VZ[+Cghe6ПJ$"nNHO5Q5տ'lR7}xM*=~e*ag7(V+Ljdzܫ 7bЄ\OڑQP5Qr@\ yeUևJVFIe?-(PwEKe͋܄&vfk~+ I gd ^Y fW)|I/6lU h،sC&h]Z)K:/~̾ cI[lL:SE`3M+9dU@QBvXi[9K&BLu)Ht[cʋ1Q6~(&#qj1o,Gά8  i;"~jZFOrCnz}|*+ 9M! jQ䯂qŔdh ji pB:db,&;ddw5|> BT׌%H~?ȺR^ -B M[:pQ߸/6},۝-dOb*tq_ *({̺N7 Mx <+ - RvbF?PsA'E!爐``x 8=$<- cj`$])I  H'^XUH@r*7<+Jy~(Ƨi= S"gyk8 VnQl,ZtF;`9w)&hݿڝ>͸UviA761kͽ_AYS?sᾡ28  :(Ee܍Gr Rv/P'khlC7zUtwYx|"gDzYGh%(9=Ϧ`_NcA1&YL#'5qEnRWVF'ΧD%IA7d +~XFZ`@tX~y&?+ltGᓋdF"oEK1,:x|Im" s] +x8,Ef{[c,]R&yb9m(. $}O{\9f^ (9qHԇ`+G8\Mo[&5/FD^=1Kx W [VKyB\3V/|[ݒ[M?2;,rj^;4hox߇@~c]ޏxXq{2G;Sig!66nZW*_`۬zU2|m}d5iEwEZ9 4wF=]e ^Svp29-qJ@1ZTb:S7߉1.zhM0VH,C!/ 5"3kkE';<40&+a SK hZ;|PL`r:I+9@ű>vn-L-h\JiSeIq]گ0wr|q:òDpǾU+hq0ߵ5 ?r\pc *#t_z0ИIn'TwqJٸ.!f\Pˍ*?htǎcښkj"DW&Ў9.o Z n_@{'ѦOiV*܏A8bm(8)OZ`{r]F,^Wl'l$2I )B8mk\bXiyoZֈ\AÅ^YTn?ر (75kq0-q`1w|hPlە-iA5oM4_JJ6!YKpLOqs);DŽuY Ƹyd -4JXUk xlP&0b$qeWZU+p8{ܽs_ "=dX+HFCCIŁNxhJߨ;;q%P3}!qM}'eP̵5)o^ޑ;Sl`=F|%r%(jVQ6xzͮ4 [W;3pw\ꀖ3+rnA.љٲRp4 )9dhç8,e&k1<ӣh"͔ye+jpN%Me?$oфrɎRv>yGh`I^K39? 3Դ֪H*[_eMAJC -&+tMD㸢ai ?>PhҪd5PDža&٧WbeJ?E~s._qQi2~Ĝ( 2Bxgh]$2z5R[Tl6QLCX 8<h$ʍx8h. 'S윓$N vR2 l SJ/$#|[ ': |laӡy;I R,B嬣)ouQ9Y7< 92)DSBs,ȩ{ψ c^AiO 56[I)K2 mtj;P.!,nH5e" TZ+e^q+_`B[.{hP壶G9B'@wL?ZMl<D$N9;ٚaMa<x#׳@bȠ;%5t gi7?"xml1J|w$NL 7@q]S:Pp3|n(d3oF*<ܕ_xkݲNnHQl7R 8\^]F) ԣ̡T%G-1̅dQqPC%j7X/};pIώi$~߭ǎ]05Ő!D8}V )lR|[dN7h)å;%`ąAxrX %U_W綒CuҬ' %Ume2¤ַJ}]T0Ein>N?M8RCu'`~XkMU  r0C1I<[8Ғ cii_|!qNtL>KoѴiPwHzhc(@CMw 72Ҏ5&ɶB(I#c'︰Gr) ,{MvH^\p]~l&gt:|0QOmxkZETfע#6{ql;d;j+ yx2܅ ~C_?chL\ozdz Ozk~# AKOw:^2R6p&F5V%w0g_6x$b=!~ k%P bz Ѵd9zbv5"xY?fw4+WOoD1|s%Ro:2(Wq~}7Q~]V0R\_Q(0EiNU)1d{Vc(z++hGi&df(lkHAu8u:܈I* "M7@Ў?32tt^:X9@JgBCВg0ҧwg #4>ͷ *kVoYjI̳.[+Pp-lΊ՘@M$~bfCUWN5z)'wY}~!ra bxmАcd/+=1X@5FriS9e腶ʷAK]^j>K7(Wa;e-[xK];6.AXkPZG!Dj]-4u{0o#.J`xh4Ӿ~\Nf6xOPB,IYΒjx (MBUc—Y QB+f{fcbC& -fo^g?*^^1v6긜[F(Iaf; E4#}3q-RLaDYO5q!@M]@7=>,L&׶`t <$}M_"[\x{6ϾN9Q˄yg"HYq~*'=|+0]UPC: Md\ +99oa]Lh춘f=q|*Uce˧,N'SaԔ<⸳z\vh٧>TmVr x[1桶7Sχm#VOާS08 2ֵ$C(;'o=wS-\F񥇧85A'e[9c Է f苸wtES$l:M@\{Vx~*-YmO> dBkrb  ~?pq$wI@+]H6F2_ Iߥ,LO :L F[-:MڔTqplL#F&> eHDߠOORZV7LMG;!TU=G%)g [hnp黗 NLecK&"S69QY{{mDƤ?q[9;2ZRo߅G./bMSq[W24r%7i\_ӊcE 2L1i !j=/LrhY PT n5@*6Z?-u }Oa8vݕ@.=O#)D%HخLVnFr~+Q1"27=de1 <ҹ2lJWT-0D9(Tȅc@hU''- 6 +bXz'i݂rPKc:49@0MUeS_}BHz{vSP3i2CL{3-2U-7 ꠗ#.>T 1:fMs v?u|9 "<3\6ސoHOu_! KQ^'OVsH>cdңx-7?95Z&ZP' czpZ4Le*ywy2{gUıA|@M%- ;mJ鵾1>Z츖okBz\odZL ~ҼTugY2h$+UfVwU}86>=6}AA_1iM%~TԐA㋇gG15Ho fkJZt`ѧvPĚy[C~nt1V_*gvVDRp u8w/ozse,R.wlt$`xavW0&OZNG˽wE8l 卒6Y7[nncwdY0Kt.<3?Ei0kDH)|RG[Ƶ k&s%b{.&Σ&V^N3p;t3Zpb WP)m=:9Ǎ6D[/Tf"u0ߵ}ʢUvE԰bf DCdU łzZwiݝ_-̖xpFV1겊COzl8UUx+ _՞o0->EXJC*G2IfKД!$)fApl23~Z+[{W6pӔM3Hj>,ot{Tmp]-3*/]˩UM <- =e@+YwBM&JPː5~0szĞ|׸Fc$fʫ#3zo/dTv͍a쥵g8l?BK8%> 6GsI9y$'j vw|Y/ Djfnx5Ojp ]v ~l%>jDD*cUIjysѫfw|'sam+W 쬱8Ս"hD.éZ$߅I߆IuOs%WZ̃NK"d?sl ^bqN뛿e;#u|&Za-iy &WTt7嚻Y Uٰq%㸅I@q^n6 yٱ<߭7WEe2$tJ]ofWdV h. -j6Bf^O/zQX9D(!/`ӳhiEëwq K泭A#?!; S=g6׆RjdvH@1kaQ,6]~RNأ$wJd& R{zX n;>gk&fzf}vt8 5(4 uN  kHȴS|.M~3?;RtgEYgDbISnm6{Ιz":-tic.jJ;m_Wdsdӂ&Ŵ=c BRҵʠTϥ#c6p.GÚ'Bu[DAl֨ɳ;4Nl5\ ;&@|wɻ>ͺ(gY9g2?2«: q-7OoE4=k-V$ϑ`2G):uJZI@{B_05s,-Mfxa0`,Yb_r,Mu5鲟bWJ|c 3E;;)8TlcJڗ1Y2*?Vif@]RmRmL<;pBF_Ѭ[ŲnWו꾡Բm S筦 P9i~`yoON??e卣~+͐ ,ӱXϝn 攖j~^%τ*S>\u9}n5Jz ~bttbs0k^%~i/?[$~qw]ǶJWdQEt˵oUuKb̉^JjIyW ^HZdo zl)Di\S?Fbuv]e(!Ce=}fNj18>(an}hIDr ^X$o/NMtN)yխ˟uV)XLO&a#7"!l,XkZ{Bc$Xȩ 6JHS'7. `xC fjB kuQK :aIEUx\YHrfW9 de p"ⲻ &ұt|Ӄ ^ dL4Z~aXؕo+EDOE؊v= YӋbޤ.Q]NC3͝P-j ao} T:FZdrZ5? paCނ$WҏGpFٜ/jmJEUEJ.6LAqg_CD>=|N8ECO#-~Ƈ8kjTVAZ4ÆG_2Iɶjひtry i-Ƥ亦Cc"`ʌ\f,* &q; pM7g#}> /bE3\s) ^ZVv$1iMN{K;}aWvvI!9stk:FNj.1M&VJV^bCD*AK#GQF7ݓp8Kz& 0M6''u"qTB>u)WQ?trdz6.`{`؇#bj2̙ywy$'; }|K?2ڛ7 |X'+;t-YHguf;ƆH>Y ̉-_'״[tXHLLI ˄S pVEc'-_[ΣR=aAAH8wb;F}K;Tx.iÒ8(?p1A3BW)to"!}>*>?X|L31)"HPB)vK YadpI)f}UL*jAPjy(dٟn5T44G-"mV5} }!t -ZQ "_x5? i]"'>,Bur?J\5{L&H~v_bx@϶4]$PK޼>L'W#;;c=?3K՜ۻlZ$jؠyQr9R[ݫ.܇4HbL[ƽWȁ2[>h(#Jn%Fjn G^Cr'{j5n 2;s ׭ Nw+!`]D1 ceɣm54p7yS۪qJ&p >h|u:n: aǸ&s>} {˂oi1bb곍6We$X /EUy34fHfo\ M фL"抶> ) Hā{  ρJ(> -y>fu=\^mG3zHFstT)M BCBt1Pȿp,”<^{6 O(K,) e^I gi1+Ɗ*Ġbgp=>8J,s5e1wxJ)ϊ *ihj8% z\uHՍ%yay0V[ nfԻ {O{tѨO% #0H cpKhe߂9LjO)Z| 0lw]W <`v{{A'Ќ3"Pv5l*GM(<͔USYxQTa2udþNSU@ M)Z,%ov2i_y/y?htG?ԄnDva1 ?P\#\β,m:Bizʭe/XD}EyKrXZ9 YQ;?=WKQo̼b(g9ѕJùPشzmț -jUu t Hom;uб$]!zIf[7 %jz ݞ=ۚZR5=GY֗΢ӡ(+rMDnhJr?tboZbΩL/aB$PW 6Hpiܧ*਽^f78ߝT&=eb['O1T 8sT]'7[-}j`_g 1[!g+rLb\ې5kԘu:{pD_~ӕ•dr.vJE4FM"ď*%z@NVâKsO!<"pl6ڭY=.JZEZ䰿S= 3 ]mDuJ4^bZx,蒳@j-;9Č!襺 JY^G*P$0(A4%:qɺo / U虛Ga vш؆' 86s%ZG 2 Qkp=cotFz.VpW_;m G=S`FiMd"jŋi俛i!^X2_>2r_#ByǭO ۑ-i%harx#E!nZ Qo5g"Y.hH3͇<mSď4~eĴaoۓF"wn ןT]%c,(**̄g-0뻍"jKvlNA,.ѳ!U;y_S#3_gEg\>j<7SvFik-HE޾,exæ nyQ*pJ'IKPq;|5c^B?RU~K颣%DVV *Ki!r΄/fȐG7g.MAF}Qt՚T[Wh>T_}ǢS%k/.i=cW'yq⽯1c{ 3L,hoa4NsibFA4 ͓* pPDiU)ZСCBC2)epf~6,@Bm~Q[v0JFrZubT 4x|8W) b3Y倗dq ZRfzѹ&>8K_5//&%}{&3DtSEEJ@\ݢr]/$wӾz]j_ʆWVm`M-3G=ʈIۅ _4 q펵}yAY`ƚL"1%OsqKRC?JRCnX )YM j ͏k|O;L`\H]i;Ciت ѱra-kRI`4,:@qOɴ; ku!<4sf^2i|Z˔ wHu=vhθir{NԒL7F]X`kwԲ\j]ʁ-7RJKZ/i[@Ωdϯօb1=}A=VO C4<,DB r|'@&ӯMy^071pmߙ"{|/tPT#,Ty5K󧪻[џzpxf` )`l .>iQ<͉|;{=W\4VփE`|8]߼xME0\KR-omήP>ML^cC#~ &կ :\FpAJ Lc3,}.[aM Y윮(R^#ǂ#s4H\L긭Z6p 7:/SdJ W߻?l3>$ 5@)e*{n!qa;B\&w$w#ah͏v6myfN<73(bq/X(ʱ/nͶuT+(Y U_+(URcv-jdwY5*-,,tj/S^ȖJ|ω>xvӐ9zC1`ZFω1̻ʈkJ`z}҈[ӛtqѮth)7`CO4MDF%g,ӂwIJA,QaFZ_\*ȟnzL%/%S8HMRpGۧӪŌr뾂vܼjl (Yvq[;Yn+!fwV.fPrj+4ԨαER)9xЊCNqՓQ ^wرxod#hGI@*{#kQo:6,?f2neGZ60 ۾3ơȥ&@9*5%Ѡx@7S$RkbaZ~V*)}cjOpWG&9g7T7٠d ӈ]dNq A+w+88W)oKdV]m ǘmwQa5}$0tHwir'R-uv y0Hۇ \:i.&b#}'ֆfPtҤ=Mŕ iJ G,n~`; mY5tx ]o"BŹm`:ƒK>8ܦ Ȳ:ti8v{0lLI\{ܒ ;c[7ZEփ=z:VW0,v<3EI. aYE!a|y- $biG/C -|YϏЋԮ;ƛAnAj> G,Ju4[œo||Kì<ވ>Z`*GU`k\CiZ2cu4ź[AIsV>֐8B@uTUbD:/ BusF՞``Ai2П @G?Ҧ~l[%Vg WZԞ R nWah^67o>^fl((|:=^WsZڇ}OKoOIZP~j@T]…-qAmTzcr0p t4qΝ:f3dA\~T,+mQ\${F O_aoK]32A1ad֕lة/]Ļ,!c.#.^-q5$?Q!·4͸y €VKB5OdD֪R= g~maY?8L}C#_ʆyq~mpZT>mS mIe_-zeeTSM q3CF3qbׄQJC0hEjR:S3KsE%p|zD?Ehj/ t$pwp%ց>m݅'"HH a  6KdE8ܧ2b(#c#f@JUHXRlzI T&9'$cIOl *<Ω{ #kʎ$XN7$J\ :éXD7NKK)zXky;Fɖ12p"jNV A& AFv\@ Sk:w`ʚsĐ9c,s74!bo=ӆ9av"MS{%<-^Ke=0TnaI|P4p9D eb1;ZCvܫ0l 0?/{7&"FnkءlxB[a_he'61}^8e$j2*nc6}[(8w^-TKX=b+2wyFڒi.KPʆW^9.Q% z CРppk ̘r%-Х+zA.7#3AػBp;C?ۖ5S|Td9s"њ3Wܠ>:7W]AW1kOŲ5Cf pMHo:k)$X; fUxR{prlo[/ND=!֚JpI7`F܌$UR 3z<ʛ`O_'Aӫm&A];G>9Rc >Fڦ>H$XgLRS +vJm -x^*i^}|^_p.=Fhƌd"3#aG ة}/yHC^Hpw@[nyX[lUn0x/[o6ܐh'ՔjW:^:UQ5hD[l< loM7R[{Up-=kr4;kY/JOSٖ"g Q9A4 WyCQȢ``8mj.:;4)EvBHţVfYMzƫ@=BgJC}i`Pp4kMH`^ę$tv;&HLJZ--gtjK-SŔ=4qp"(!j(LB w}AjsAϔ>^'-YE7.u l<ه>u ˵ESj/O@[N7D ʒÌ_6Yyx&{J'&<) /*h]\&t!gEc|t㇕=\tBŹ*3EܧptVJĩ A!Wd`NƊkcmhHOXb2vL B";zneW7 79i ΀#k=G^K̢tO1锷0`g-]!iJfE!@Ռp~y/͖-Ye|_])$ avTu:.}P<{d ϣ6-= *aL)Dzr[g)1zȶZNtb;&c;F.pSSNZ>#|ugY+pܰ z'&$]`VC|oZ…3- 7ͨnYYr>ھ(HfW|'xV":<>nW*=7K)nO̥ZYwWaTt*)G VltqfErG=!wK[%:ChPS1UGF3KC٤99_3=SF^*2E糎&,{-~t9KJ tHZRmCl3X T̤Ԡs qٝ:%8?Ӧpp4Df‹l0 $0er8N%)0 fK ҁ7S;]Q֬+;͊-?*r3b"*]`u6<õ`\w"򩷭uvLjLˎT *`X5th-lU)鎤Z Egp&[hDhUou1wCHGvv6OMCXl ;p 7\ޥZ }MJ{g˃M2@.h!UWQ16V=qy0xmlPSF ,55>Y~-+Lɬ=A'׳op3ʽ~_W%79QP^Kx;q6N_; 3ؼ=:+j0/ _5 8,[[7OkLjßP Jǃ/mb!u "};Ի}iBd+0̖3T%=|IeAx.1Fr;X JϩP P_bhNMKÐbiV/@8__cߒaDaiQ'f;nXm><)O8TD#~9"4YlJ*!G{ ( RxvٸoBc/> ð fuFZﰈ2GyH ۀ[jڈܜO8=@ f>m+=(UZH *J%+[\xG*&0#<TI#\ZEW/OӥWOdwib+& _|fVdq{ΨqD1ʈc+ąg7V$ Gr+IV1H^Yx6Y E$]}R<8fBst|M"( 5CH w6OԤYZEg°dcx\tueʁ۷ኪëev(C?b^I ۬%rHk3yp>@Volu\SUܛcB>7VI9fHTu`ǿ bޜFTD9Mi ObتJfAe }&\hXϯLyoeyb[Kkkt͆~6XtIӐ ll ̞y') Peu.y5ftBlPV"PKAي#k%a>s=SZfܥ)rP/g;UNĎtSOL>%4VLQʢc_3>׭>^m.09k.0~K>hnf t'\wc?_+g9='pLg5Ї몉&<~ZEbki0` <5|հ`e' E0é4:ah*o̧Blߝv#N\2! qZ @~?\-ka(~(є>bg+=`7хCd&چ3ҳ |@U҉E]UtjMD4$dI {R r lQƓvZoe%;2_'Wm'[ɚͤrRh5+mm\|  ح3΀OܚIPx86=.ß#Cixl}x8X. Ӌ?[.82(IP UEF?rk|Qz2zOkP/LNy\-nxwgUPL͓Pa1UOo0ץڳkQ=CFꋉ|cLf52[ ePwVxZ}3pAc_ @G0aTY03+ `Tfkr#rq-ԫx6Ur#Xe' \q^MqBu¥j'HX. u zڭ qMShti*]S-}[U^TLRDVV;!4WДІ]G[ܭ7{U"a9}L-S$. Ա\u{{|hnHKn .9n7YKNtˌ,,7oY7hgk膏Z/ "\},,nrTw?aZICm8ky >ܣz/6lS#_:0Sќ5NS,z1bX? ^,:U^ogLH}}tY^Yo/fa1t,>ۛ<庑kL+aV4^ڤrD`HB].N΃zfș{X5IvCKU cen>4ecy T6sيwR\Yǰ ]{i1XL|8 xwCJե ++-lE2O;MDI"2eR}pYSS K._8`Tx}pY9" Iw5@U^Ӌ'B_w]CGD-FSv;Ufn?L@sԁ:WfҋĮ;JOA`/P uFf%?̓=I(n9"}Y{ KPW3r%eK[s;4!pqQ-&)0}`c[e4)qqyEIJ)M^o9H! 6,;ZzΦHBs1ʶKphvNGI(z^Sߏ=8.(Ml.kc&\։f.)# De_fm7>ޫ$X[ _j?gJ2.`Rr}d(5;Z&s4%< 2N⽽'nZJ3URa\y~c2_ 위M'" Ӛ\iŇyHZ@U&*A2ӚFYJgܗXe*55F dL~^,OGkheQcj(~F7l9IUxאָK;3xۓ%')7ӳg:BJ/lJPL94N?f`CWwx|ާ RΌn̢96BrmL[2;^xǮ?*NPI,H7v-}/m eĹn"$VżJuM8ZT?sC$ȑhxAҀ)&}&[熞.V 1m@ g2i~fB?A;) c~G>Ǵ7UguzyOsY >$d=&L FIQzP=N,vY-_ZiDoIb9N"nN>ֹASCI*:1dhȸKչ!ݑ}*>E܆=WX e!Iӥ:SX4em8O=ZRa?o]94nBm葊h5HMVL4DF0 ej_X[̘3!CjيuA"X{oTMD _4QQ:!kQr[TN3,v#1#xSr|Np, M ZW&Ɖ6@]4o'3Y Ab U7]~%kpAn"ΟmoG7yƙ󠭐y 0Cvt3WV#HxY~u.{м%3LL) MOA bO{U>Sp[ }*# fKU I CPq5p9֧_##YG% 1_yĚEnt#i'/D վ@Lc}(K C`DW:yV(*+"i7ڡ}L21Jm (UY*2z n=L_,@Wf8ǽ'!d]65s,մ!|QwYz;z{?}t +]BЄIH d'və,f-ඎ>2OwxܾIpZ:h^^u\ 3>59lb{}[2 "t%+F7!ז.O 6axCWl k穢'XCoOo<2n?2x z5s:*rw,:IRL^8,x^@xqP^w-j'4HUy\=-qӉ"UXYҚ5ʧkY] 3*w-EŽbspkӅ0Sg$ ]@BUr_ ]8q\Hp` Aw:`,|g>k~ig6vO:}~:͡<Dnj8 EZDRqPMc g*"PF՚Cn럧2wQRst_npW W_[͚ DVIB /2>Nc}A$XsTٹmaŒFjD6v IM|em{-1g ~45BNMTN3N>_alovޅdR J3|b| w [K (G$A 3:A[@# V)}Lr߅hF/T\D؅J7 9r?5w>)L I -x7p?)=Ik-Wn}w'dn Rsj|̩=>,)EKsfd 5~#g'ju8>~? U$>6a{q!,\!Yb00]'pR8瓱ǖ3&Y Qg$/st=4:Q5TBx"L(%nϊ`%Xʸt*Wd6'Fǂl E8b1II;$46]c`/E{#Td g.m*ӵQ>wb'1գ6fU#.~z.0`yڏJ]/ދc/Av>*m7C'N`y YB&$88Wkgn^ Ml/e%zC&K(¬WN@.-mgRvbaa^%qE{q"fFz[Nf p7Չ4@'ۮ+~.pZ3`'CGS!/QᨵV` d}Ò?e绡 ձ_hU$Qc?49 .(dԨx1s&6ɵӞ>CQ(ޭEəNTI 5v%[*-AtsɻiqIdBg.rN&d]?ftw2֕mW 4l0x6 DH|F=Zo qHq,)K+!LϛW NSko³"Pv;N۰!++m.3B/+L,bQE Q -?dh%P!=R}'iFQRVI%lLfAv7ʔ26j9%nTCaj}.3LAʫ!A`'o{6|VImH5D+5o:[r(jXRG|'$ں_jv_p54ǝ5!p"3G`Y&qbh0!9zWocӡErqkbUA]xeӐRCdӟ%IrܓW+IP#$gnF68(6O:IgŭǕ-ɫ=I܁"|xU۠o2Z֡aftXq;v@g 4Rq{g"c2%ږ3ƍfcرO<zn| !RQpFAX7cǠ.[lmR"hrg!6ź8 +_òi?՜[&к]_9KO| 4j}:eZ ]'Af˺Om9l|uhv9;yny855="7+>9CiWwDZI y,1k{ }`WKuHKp1"Gv} Gb!᝕&fAEV$3A聜6ƧS'A^&uSz3NY;tQAy"\)Ae 9O6#uH83=X y62x/o$ x|{v~,}*f%IcàiC~zA:گխdA9G1NJE/){p aP=]=z|7 Xݯ/ɛykW<¤UR5|ABbuQj/hSGO!qh7O(PbPյg/ӹLK^L&_OɄ! !VM~%"Ȓ-UԷ4Go^wWH |-{FFW _ъ؝{]V'AR7kmٶ?nd6<2i<ʤ kRBX+7{!ג{o`lL ClNbz'OJosŊyftLmO^`Fcam F" /M=˝{iqb;6˚26@FpTh,'Z+ :cRbB jiRTZ)m]qO{ &#MHԤ#t[fq_QZPSW\Tu4ތuZmNB-z5?=rxӊ:z]BQM=pH5E{Y(|xlKIf?u[bq2ϴNe,0|3G ?w{ځ|NAyѧm+N: iٌKq .m"r[mG] `Ĉ^<[} )j[13k>^@н2mƃб4D#[V˵Jfx[]>c("",< L_zZX8;$\4Ҡڰ<kwN?6 f͞_j1GWRFmsCV2TQ173~Z-@sWO;SMK%(? :3,#:M '@a|5ME2 G]TO'S i4[ YbY"7.10HTvGÑWJ< If܁H,\>-Q=31Œt6~>#YEƢKl#*cSG0ᇖ6U+X'm<2W脡upG@\s=Wy׃{j곿](&(~FUVȅ:sLcȄM.; C>V )[fmb*5":lJ'Ll>%Ffe<}DMt76bAp&r/T=aa.Q S:D(i RUr#g۔T.{b)wzq|Ĕ봆mv& w% m:꒳b2 /R{:͚J&s^av-eݟ܀Ι5Ek쌖֖/Gn ?޺ Uv}i T{m0n@|f8ܝtgMqɠ}F!Xc6A;,)%tAQCΏd;l 92݉Xw. \?Z@&ɔ;BD2PMpH&q;fћc%'~}'nHT?0w0M&xv\6c_,ʊX2eNT>#^ T7J΅%8s2dN1jwčhؗE#ԇJqQa=Λ!׋Y "l&UyOox齼%,Y}LZ, /޽ؓ# J~i B7NW>H?q+^8@4iɦ8T:m!yZ$,=S?/?׺*s}9sLuӋ$-wY mn~Zy-;\b\ݒg E>-<h|FzzxUy`z䰤P·BLhM H%o69ӡVnwBVuO '3jvTOG bV0@ֵ 9u(8s/IwE)h!uqZD|oxb_@]?[^Jl +;gHO'UBU}>q"nr*CC=׶ u5-\1akdYqVHēE1=7X862`]95N`4AiQ z0{P۶P-q3$ɛef}Z<_ñ(߅K9<+^@_3 n+N:la[4)/7: m$ c,^+H⟵{@|So_!*{P{IjHpk|3DUeXޏULw5Y=K = dd%6 y| @bt0rNh%kؖ⎯XdԥR 04&'-CUJzk6و+|]ukT:qժ#љ>Pkm&Q. fqqQ]b+)G5Nhܹ p> 5er;|XXqw4 Wݘ:1¹9~ƃ'JVQ)1Rp#&9,TS%㢷gp=;0]B;7WR7dh}D*f`qQ{s$vЅjVzqu kju|b1LP~d  f#iȼ\m͢gw :dC';#sPF@srX/#V~ 6iF:\fRօ ^:qzGx҃õaȻQ̖PGeZ ac,xsHm*_sdF_~$N1+Wy[jۢ/'л1 x(OY5dD@&F^p)Nu<.Mt庀WA&~ι)"}ZC2x]]W軡*ݹ!0":Mm$? fſEWAUV& 3u>qNT2j5):;Nҍ2e2r΀9?K䙩OMSXp[˼i- @Ra,T& jwq'in?Ꚁ?A~) TmTƮ(#Nγ zuď#S4պX A *;/pʥ;ٓ[wo ov34.dk*5T:-ExW٩Gw>9)mQ;TvX_ؚY=fX/QڱX#&zcJNCp\ZM۠ } yt ? ?|CRi^eag+Vh(WM!ֿ#;I!Kj^ާ\a;ʋ!o;FUO}u14竳3f0߃Y:1ˎsc8ĄR$7 *L4Ѐys"a] ԇoo<|H,RgI2Al=J.p% QawŮ I LPjA5֍ӹN1+8.(zJ m4볫 o(Mu\|mCrJwuEl9@F P7(\֗{:S䆕SK~gĺ%z*.#A-|.`;t1N>&Y싀 Ⱦh9dW4 xv 6> a:ۣur: R/86lMlkJuvBh#cq#Qdสcw3PkbZB5WyRrGPoɎ]6ea/rq`kjSԠX:x^<^yR?mn?hJ+ؑKU tlYa3,@U&R$Z>_u!8 P{p%E, t>V|ҙMf3w|$, 6J[+XMdN3 wE;I\u +Ɉ ~ɀSce3q0E2 }c yjVzى*읖 uyR-2䶎{zK"d`kc.3:|]RKpU8k1<_IeFnTK:*"BFnk2!7|=Eѥ9΢^|#IIUdG '222p6u#nTtц(D}&)_KG鉑ci6 J*[þ 2Wb;A mnB\0w8^^oιRøۖηx}l79NKp[$1';+m3?*V 1Ξc<.eW979< džiB6bԎ+㺙P%LjM˞ÀQBNK,t}cNun=߮#hm.0ëSfӷ1b5i嫢}? *<=Ǔ |4w6@ @?XLJZZrk328܈}@E!4~dt{|ۨkn@ۃFTMg3M];A2Z^)"կR4AϻkjotC8f'Y?2w~zH#c:Jm zyr:t:nc'ƒy̸ӕy$?D(]1RQh]09},,o!I?4CҗoQ߇`;4/-uc\챶q QÉ6vGg](kI02~姬ުFjCC:HG9EsEHGg5!ۃg` }ihX|m>Q[a +󹮳F?d^Ns6i6rdA^A/]P( jo_y<||['n85j kOuB7"Wxb,t#`K!cۊc7걊v],6)׃ܡipcOe(ώ܆GEu65W_wr>||W~np{!ĹKv"szUr\~dIaؼRLaY'X!TѐH;F1p"hzCMDԲ'@]KTyl!{KR ;bO S1ǥ`6%ZڷvD<RRvY:ā]aͯRvԂJzϘN qap(qLG)_D8 U7Ű7v(cG:=$  NJ1!6PJ˘ripLCQ_ɗ96o}I%n_V.L+ᑑ{zSehFì=$PAΞ1XluK,g`Fdo>h|-x\撸f~qGԹ*xQZy4Fyb> 'j>(Q~ g3FSj;kealiK-"Pz/10źqhˀ;$_Ԃ;h)o/ɘݚZ3y`. nY4z4uTK-tҁ;~^͡L0OMotՉ㚥 WOnʝt">@b8D}ƾfA5 7&,HVja a}x,"yo j;qMj6QoIlHV̔{:-|vҪ;PtCEu!PRoqƟbzT;!$p1yg T5+&4R}zĵWϟ(atlbPC4Ɖ/#mvdep]*qO<"<dV$鉵TC0b :6gvbso{uZỆ!7NrGihd4;GX/ɣ+Hjt6~ؑp|@¬m|[ÑL=4rAi`ܳsv4Ϟek,D=9Hzb('ȭFmt=}͜*ug_bMnsj[ P}^>J2ŕFhN2r*K]Yh:5n&+[ V*cg=y2Lc0kUNqeȋ9*!& "t1VId2m.7.WLtg]<ǐK5M'hg]vV+AMAܖ;qr_P1si@rsyzLd$-TSUؐȍ6"Oa .N%` B"Ef v0BGaz~Sy.\rY0JהHdl.UY/-T_\xœr8`N5kX0%t>"=݅)>ФbL^Sy>T±nX$&'x:4wXw$YŏKEq@w灄+={LԦǹSRk#\1$;4 L{oZZ;&JDR6U#m!^hM p kjD {ᕿQUYlIL2Oڲ--mhgbljcLxH?!'ʲl,faJVx6!$FG)r:VQ:>cua 6z%IZL)@w-ƹѣ1w6r/b6N8g>M`?,04iìXxKWcal0/0^ܸ[+)i 9GuGP;y=Ε24!AڂJbl'UuZ=8u~m`8Gi0 )rV[ #5R >B-Y$\U&hu.Q-oj-s4$eY.KILnC?ޞ3+sgh !Ig`ɉ=0 N 'yn=z$è8+zW rS1X!lNғaz%LjmDEs+G-nudx!& ePh&% (.@!=#ӯ{, hI+r&rpEb4zz#<֜Mۺ\[&]>z=-*H`32:\yVg8(1H+EcN@Im)e la-Ykru>5Vq#DLW&1G# [.A`żǻU4@uږ@㤑*&1j, .3ѯ"AE|S8t H!) n+`>8#A0YKK^M\SN@r9;j$l1* 8wd?鑕W䣎z[G {RZYk}DLEXn L6*.m"7Q˶]hl( z?nNN^/7ko(C5P>oHA%k^D@_v,rSD';"=='a8sTK*+Sr(IIC(q^_'Mh9!;9y۷piopc1~j W&F`( JfV=9gY\]-2I}JW(8PCCA1$t&Lhhz`d>˸ѕL 2Y9;!t35{a}j6g7lw M5,*<}I=?u,Qnʮ ='y0mɌoD8`Z\: "N [,hQT}vyc&D+F-F9W8!{}LVݭ_egmEͤ8ںcH+YLR%mZZJұBM;[3EK0 TN(Cd5HEd51>+!É#ٳb55X;hNv俎+%E'GV@hj y`Kr5Vy?cУ:Ǩ,f5ɴg&<{OX9Ѹ<+oWp l-F5yɧ(6xǻ2lM o(5Q:r8J}~Z=R8,OY `K+9:mdEagݬfL?Z{=>c~gJ:q:L@R?!e/b@[׫Ezq0Ej2O?M_$ ' JUsuZx995LdOfw"!6Dqk'^ f-)fNODr@a~pIaq3@IPHg:Dk9pts(ks "f2X@/w)~DZ>w{޴lWbz䵠XkC"[͈WV,M~x{P[:S.^!DOsy*4ufTҖU5mmx8n!?GR֕:ur X@B,Մ,OeZ{ٔ ŰUָE}B ͭ8d QO! eJ٥-% **(*[#?,_0GTA$t[?֧C$Wּ ?/h$D׈B WSQ1 ?X~H!P`F*c|GQiSܫ7Bz⮶ 5L$!BMKn#x\rIr9A3wK(Dt[YÉN Mՙ{K XI~ug[LB!MBM,DB}\?; f`镾PDE2z %UW,YՎZ:s7vc~&a) YHkv9Le%TRJZM4Y% IZ5:G|?x`#'yTY9ۀuJYW7#2-oDx!ah\N ,ilK7s  ,BC wr)=()h0 HHE8/WIJԞ }E:A(TﲿfR$tA'/%ߩ-<0F"Eқ*9|>,D7buDoҹ {Gǟ&w4#@36;߆@Jx`pxu:eUReNӯ Sr[U5gYE9;Ihǚw$,]u4^Pd|V-ŰP2j:u6=߿6z meN@v7va5A^ 5ӗU~g0[9hۉ+x핬T'6,xe]ਜ਼'AfҽRziS3 ;ތœ 0CS[lIp@#~h .P]W+ثk!nT9;)T0 B[ \?niY0HXk9[#ĜÙg'V##vVbD| ^5;k:]'x+>r|U gy_Td3^#slj-TJ.ܶGpN7;@v3 ޻!Pϟ-g)E9f@*`Sו"qI+ { 0 0ZxX\WXԝpK?ν۳AL}Ml479X0ɰ1?eH~JẢ_5=ە;rD t U~_,(C>c(v&\YG>$vﶩɌHƵL fQb z\O^Ƚkҍһd@ xztw6V9XA3J]J4X><|rA2sGOCMWxp/kVw%g;$yy 9F"/װ7~iz i˦!mk{ ?CWl,\\u.!!y$t.C=0=ziFn2*-!|IGdǐϡ_Ӱƒ ^;7yQ׷d.]%T:?IS+t^SR ޲8i#!y -avRfp?,P{BUܼ!8:M|D pAk}|{QN֠y G{ƾc>kk\P6g̉.,BΔTӊ~n-N sKU^%J}Ìw|G!{8.n-GhA'^#>~ѾgErPjC5tZNBIJ6%S-$KW]P+~ݓZ>A:d44NKN#{kC͘ϔjrǼtp? j1ވ Ⱥ %e"E59 $c;'4j3eH+x"qQeWQ^/XBIlS-f{4b1<$>ʼb;a?&"M!UqF^^*sAGy0Qkr%Azr薸.hscHv CJrGMÂwIJ%Q7c{PI[zLB8\~ج2~Q`GfU֨]} b_C[l$?j:൦u|:Im"Bm$G$^պE<etOX,͠m>H/0%՚$|4zfnr܎5Tk~&Љnf:%jMeC26︔UL7P地}-㪙™[QJq8+/R2cbձqGv w !*yg ~  ($7@!)!Z$I?>4k4MϠXynT0#t5+jeycR{\bŘ\wWrPQo C_׹gFϏ=x13L+j ?+i˔z! lY'&'(י>eqLP!57Y {!rId6SJSyIWFt 2zBt]ꊠ;ߛQل@l0 mpcgE*~ thm#G ꄌ̙ >E]fm 0jܑo BÐ 4Z4ulWwSFOHc>D8mۀ܈?8uƲSQP#kzkmģxÞO!8$V(JDaevaćG}3 ۿ p)$0SMZzz}_l9!;Y:J\~8z1>-N飧ޗՕx_KoHM v7A_Iyo29t NbPbx j ˒xxI`ajpK>CZ gx) j/VA4qs|vcbE(fsrV AP}~?Ah~z$kf|bNMAT]s2.;f+3 $Ã2 .&/'Ek " ݼUߤ;Вr!|C:2x&16lY[l| J8^GǾ5($۔2tij\.կͫq#À( :O Wp&uݚ:r_B"4t +ϹKz񆂴˜ 9U}z&,$}[ڦ׊ZQdw'|`9e|8-H!CQg:)܉Eg˛,ilIXݮ,w'%Qu 7Yƹ)/~vQZ*OJn>\=g0X슧 -$80ɘm2ڐֿ౅%njYp~/Vd@ : 1ׁ)9Jw#AU 5],6-1l~dh] ipN^Nܘ,E9z4"&c&/Bh}R#q׾m@akxxl`$-tPL ϓQ ӉR zr ~"~y[ԍSQ*P^ۖ6po֙zZvWf߱h j9tYR$ꋔ-n"$2v!fª(S4.%,;& И|ĉ˅SLR4{+;> c`L(;` k\c 1)$U0#bj >K*k2>_MK 䲗\`IX_谮0.d=3Z285d{ _ae ND2 ,W`ndzS! -]`R/oΤ@`,\)7Q Ƹw+-t:*JbZ') {g6N2z1-T&[ĮX)S45gqDpR&3Fȫ .T1će3~H6tacX; vy m|8iL4lY` >e`mYrHX9dWE@,1wjGXDxjԡU.MBxC6(Iʙ;|=/ã @/ylTbQ%i"w )l@@/j`GT7p*&"Ŷ'}D%qb_:cRs*DK:;De-s1g*TK2⦺cN|E2PDm i՞ :A2w%Xvv4Q2Iy +gҨPeu-'D=p&9| Q  ,RqLXʳB9㈪һFeκҪm9^lte1 T}&O4RˆT-O*tпK4y>ʠRE M)Mf*w o8r &T4imI8e)n Av.c tPZOo߀57?KLXAo.x Ohk}&NaqP>Fqg I_ Pį Sgy\Fz{L#N?;3}8 ^ <[j @e¸?@}+E`XctT]9U4a6eu&xyƒa@l+)i /\ \$J(I$o܆3K$s 噋Q8d/2esv0u!E@Rቑh"<Hky:T'09JGF|Ų2.֒ĆA/1n%T~@$ܨϴ;7ɧ8HH}^W%λ&5Qwczbh_˶ <D}lIC%Y0Q$aK<.I;q/'CL,ET~j_8%l!<6U< .!=Eh]k\gใ gBfD891~ L,i.4Ӎx3Yf_DuA?P'540'm?X(&HDŽ,w@惮؅ÄmWslSzcjsո)|ywH-#bJXE~m9OB{]Z 諧Xl@G{+O"+̤W&3jL`stQu`lII0pKzTA&&FlƢ忦JFz$ L &BOS9B/g@FGS,g? zޤs[*fZgEq6TQSP;Ӟ=Ioy 8k\_mUm<}DI2Z^mr@z7Yv7%38P! ş:ΆMwӥ_7o ]9f~DǑm#eG(EPkvTj 3Eid0Lq!?蠹HU%fjώ~f6(cu%%C\W[>T^qHBD _aXaxD/eܔ X^ `~t+'\BsgHuOeoJgAt- z^ԯ2۱IMV GZ +ι Mw뭌e`A4i -TCjta`ʘl)u&=Lp<;4w.'' 7++$|X5>&7hjooDŽU1,exDJYy' `?VkêFG0h.5'e8! QQm?[=B03}>b7.ng4 K@'\E\žLnU*#6j"ڄ V׈KemSg#/v=e[yGɥI%YY?E#+$-eu5"UH$2nYRWg[/vSj7߮{?O+qiG<>txg{z Xtm@ZHt)-b՗RS4*!nChth;QiAs t n zmYflIY~"J<``mz=D冁 hn_?)gB}#LlJ1)O=31v[h;PFBMsQ3:ln'N $mT8K#]}aȁv`8_B?<:z X`#lo!7 5ѩ%# 8E_dP?@yuzG? Nh)4UX%H"JZ`E+m!ܮAKKM@7?%VDⓍ A?;)TgV%>v ]?JTWWnlz˳vD ffpZ4hI xu#VN{wUĠg q.OWJR'<'t1GK< ֓v\Zv0"p??$J)5X AxGTxð(=`pJE( \.CTc0e(@{2]'y'Nvled_qo~K^PûkxyC[Z[Oy?k!oqͥB/ǢoEdC|!jp8=;~CF8-Y!g?LdK,Yvn[CH&teVtzq\*[b=PXo%㧄EhTF|,uwYv侫K'7jB#Ӆ{@FbҼq'B\~K=ϧk]{鞍r+P%#opwX,,1 !lPw^ȼ$ԘSrsElU $IC_jb{N.mdGԤ&M46x}Y|c`[tjfU,t4 ^#7ğgc=(wǖРYiS6/=F3Ґ .iRQ@A(|wYA|A+޸eNPPbQ҅BլS *P;7Ȥ?!҉=beݢeL գCxKcc n 3ߏbKI鏚vC ayW G[Ts4 *%d38yAyBb/ShR4=}@QFJ= DSP.cv{vӔQvDXK-6gNRr$0DlwYpI'62I @rHYJB*p!i^s +2`p WR墴R !gІrAMf9ա&N}%>L{G* MC촱<2qA۾Ȕ\nG P~8P:B 玿>&JY]B~8CƧ6%__舦ja|<& }LX%ʞ MPj'ĈLel6>WɤN%#6Byp'sS9+[cd;Y" =|=zBP[Ehs SJ>*r (¶WNK؊kgb`B`$]~nj!XH ? w2u ㏤!)8C1aEB|WĎʅX̑Ffbrj!Ƚݕ:r~lA:y*9 \pDwhR7*I*1rǕh*l-eg3j/o\Ctz_NTv,9G>͸? fg7ބ%8=6~GZ!Ri)_g>se2uԫfӟ.) FAW<}<@8喣B)=orGֱ͂J`I'An\POE"(_Wc3JmPn?%V V9aK`F, B/osj˸uPR?ۋk1i xDhWfvl2CшǚԪg ˴2qݮ$c?0%nך%g )Ybݦnyy9Yn3ul`::G3G5Q@(v}H?J]?&wntmd@+*BhF;q|ˁ74ryܳ`Ū#䷾< x#&L PLoKYm&}g N~3BM_ TbZz̗ZO˴yTQi{Nd9+`%Y- zKђWVb #:blBݴ#q{xh*0%`Eܒaۡ,ϴ)y R?v |F;mCcfgϱ< UiohZSyR`F\hz8#) S;C+m Z،1*EuʿTc&;Ăy^k]] $^L}5U+圐1Dqg``|: dߍ"5mг114Q0މT/n,2!Sx3pP<9K d~$= =f|bW@u_=%=Vk,qXԔ{ :'Ƅ]M&}=rm{` 2v]֩Ln}g݌sR[%,r\y +ǣFT}ɰrd[MXV^xG_S8X/ kYsKu>Pa z6o_gj-jo8nib]oEYT\k4#9|U }RIqC7D2D`z_8j(T"tÇ"UZX e{opɍxzz$9 ޤ)O2G`Å=K GzW{%eQ2$ӑYjPͧeul8obir6N\jT1c$]FHւ 4o%:U-'7ll:Xw#.C,(` JX]qR-Mk qǽZi-Ce}Fcz9 P"8Ƞse8>x:躝ڟQd3G_eO3 oѹ``(j+n4pR; Ѝ%+jɏXo>.(|y1 $^LW|/3 5&O$pBq,6|iHa7V*ȎQ ^M[RMpk&c/{e)0rP5%KhIMр5v3wHEډ`[G7Uz~A;#II5tw@4S2kDoxQPY%FYkkJ0)n6ΣZI& X0"#z}Ay =PWO`!%.㰕_CΚTX!ѱw{o^΄A~*Z _ܟ#6MZlLN3TĉF8Axzl|2dᏕ_ިջ+eDSoj%3rI_oڨ$I)yU Wq4ILƜf3Oj^:oGev"< }4f?J44W|O( 8 )"mNxQc\^( d}e軉&Cߍ mfӘ`ufߵ9tIF1fm+@N&A r $6QJe;Uh躍si7hB L@VL/9֮B;FtQ@*p[fZ&ƿo7n8q$huh{$lXЎR~(#& V;V$FF"bE|rl%ϵ;Y=v''V(; !,;ZҟPu|-)O9z9)rS`]hl;Ϊo H$-KڎdS>t_?bmѿ@RzL3346bz[3` 'SE_kn 5+qpkiI8HMjh;%&)3 (>*].3.uthˉz @Ru_Lg P `FI dH3􇠺p:tsu*h' +.`J:<={{ $ >iɇ ;Za!C: vC3a@j:}Xpλmc[k:+CCl_B#t_ DQf c&0Բ%e6#R- pxEXƟPy!xTzd*~t@ns!(ÎVp-ݧ+xW[sCUD\Os}k'a4hF94^(aC_N khSOSx՜oJ^z5Y!y ?@ Z5TCB!=v1R-A|N\1=b2+112,doQă>ɿt ]]rh0sb$Ѳ_(ն_* O.[טk4lߘk`(?~0E_XzOv5an?!17RO^5;5C,4&P$AzUPTY?ݔUhxɡ Nc$(y]'b}K=uP Nje54gw=P)3\<#=GgI{klSrNIFƄCb{ȑ:x%0S|&D ˏU]S \,m*1Yn%hkAaX_~4#Xe( └Fqɏ@2i^;"6uuBR*ZH vZ&@`hbqA!Of{\m wH Cg>mlN->{C\(ؙC9?ngX$ 6)v?<`֯$xU\jgpIQ>mXRmft`;>F+W}ŤNՓP[22)K2 ^8; "Ǯ7}! Iէo'faq(4Ź䄫&9z6VJ!_T9CǫisplPvqS?Rt]kp:B` 笛ߺva:X`c-K`]>k3Vh))XZ%qLޓ0]>+k&D[!ވ*Xhʞ,_ zd&.ێri79݃f5I00ؖCW~E:a9z7U$Y9z"aW~ᝍUX_mda|E'eA !m_ (\"\drɁNQ;+á1ľ2"ROR[rћ+L&a}/Hϥͯ6LA$p 8rmWBT" D7suݗZշV!?a{{V9P#`(w )kp͔Ii"$ٿ!8hO ll*Kw3?g!rͭK&g&NH"(O[c>#ԒPtKi} N͊)c5 *4E]rew]lg5M- ?~Wy]#:ػ1S zxW`9y|Un]D~p`n^R`O-\;kk|Ƕ8+?<&"P! EzMuI[{$:uغX;REx?TP w?yD[*Z{ ;"+vmN=šV?A$'VIVUIu>x>?hsla p.h"'x1a`w"?,BRNtCKHQY 8+qXrjjOe% lhЉoAd6 $Ϯ_]N±|g$BybBW" {w3~\V&%~r_%9kUJp̝o#Vt7Mw'm|j@L}0h' `؍wyV=ru8&L#T7-ޥ-_=K,XAfBE.S݌?cs.O%)lO!"OS7QÙZ*ݯ&q7WT&:?jw 2+! JaȀ;]B? G#>_ZzgEƫwt6`:ջ],̐G ]=Wn'@^:]1$b zV)VGk4rW-ԯsy:<:"5iL!ܱ{A0@l!"*71XOH4}2ƈ>x9 O]ŔP yݤY= R5 {K!~{E[u_Y(Es=&ՍuC"?6ͣGރ"NRT&4)2>EfΓM9\nQ]vuoAekTJ Jyt^gF&ČmI%_xJ.NsM8]@vDEΔ.tzu' qqc ̟<M>At.y5牄 Dys' `c. xt|Q*cEl[\Q(=~;x$5,Z * wL%K)F=*fixʋ̩gY -4QHS7u5CIQjx8e q\>l䜼G:V)<~, m\![G ]@mjЎ𶓌YL&3ڈ{ fU( WXܭ[ ~/X] =|gAST= b]ߜG4^j‚39"+eM!\gCykJfSD4%7;nVGe3AR ! ˗3 C&;wW|^@\IR[ɂG} ZO{ؽW X,J]H}Q=f-X,Iow#B]txhl&,{ sFݓ{ d#eҁyJЀ Z&NAt yX!#$neN1݀@Ĭei wBkJã9C7<$^B 7)? GI$Q2M㵸g%FD;;Rւ @Xh(.@Amh2멹~ }29ٔiF0\YS<:qO#;9I-\쯠Q%߸dgc''߁gykbLUw:ZTj\ʇek9qR6ƒ hG{끞mͪjuOHgIvTHm:A*h>+0hQTDw:$U~?YH#D8HqBhSGm28KO5%GN*[-t J? *_jJѓ$`pJ?qŃ& jȴ`?&@)֪كpOCu$RrOʺhZC/TP_?j^/ӡ(Znun:ŊQjvQFQ.Py 䩖2 Wҋe}A=-粺6UF WʶP$|G"`cWF b+őշ^P0lHYUO0EKN/\|@کsEJt~3`;#2MS?Oɪ%xD vͬfvGCP/!yo8b>XwqXS BB%H'lyg5f\j| j;6`N T9r@U%a}u.oKe?õ:pt\fVg&NĀ'o*fDW"(w+l۷BU h|{AּP^V頍r8Imc(s{uAFZBܘ!UJ itv^iLX*\撽&Yh|G8zOt> !H$N91:޿%9cќ*g+1cΣrwbBJf4'lTyԄZivgp҇ zu; j#-Bq-֍)8߯Dcv'.IW: V/ Zl֚Í(Aw@`ܠ>=DS$Sפb'78t\ݧA"}3"9i0k2tn |ß=/ vpK&Cy_Yñixǡ(J-|ceN}U ˬ.=;!q$+i@װR |IEjzn"&5B7w#J0]֧~hb %a;dq1$itT%f*_~2GvT JZ|g:C0,;)5MJHwLZ0\i5w@b^@k7fWVnDfIEbJr5XXE}n4qud8U2u#OGqP +{c%)Kp~HeFzwT~WrѷobG327]yvuĴ(cW:rK|d]ڠVK;S뜹2{/djsC*8*nc"hY`)7ӗYi5@ȵ˶<";4n7;JG݅gq1?(2E#2mA`ңE Nz.k9RcЫ;Rыw5FedHպ"t33 ur4Nn&C芿l9a(6-u'69 Q3΀p^KXc3̛uKp,e" =s)tm`V¾|E`U ,jNjjDAt)N(X {MOK^]/Fǫ6 x+Szޞp؈wk tRqx3$iQb*,ە^[`tgb_ZxgGq ܛS:6):Ⱦ-g ǚ`ԃj{nP K-,iݖ4 yY#[/q ~NMa AKlEl!s@@DMqtvd:e-N'zHW6H9'SB}=Wo+/=8T36KHBJˉ߹D&wƧʱQHHZ 5;0Y҆6^Icd{(4 gH' WRyH+#Eeנ4>)S =J5ޮ=|߸g1*' Y: f#'>] ȟvBY!83pKe;JVw &<#V>ͦ_ױ ! Ҿli܋0F1SL?X(t \8SD `Շ.N{ZG;N7~.;k٠ƻxz*fƛ,wAWʷ¦Z-jǷͥd;~1a-dm?>oP/g'#o4k<.#ђ m_!"MS=I"%gVmFڒ3C1Q)ڷBpg6Duw˽"Et!؂T(~Q ;35I>, b:"5!vBrQ5Q%!Y@ZUF5`oQVaÇ{{g 7iS䤒ㅿ^ 9?q^Xt?\v&`L|&6ψ2d318Z5h4hwLg{>X~;5I63˴!zl ^▜pSyxQdWuz|mU5[ 3;9ԎHKVm =P6}^ O!/>f 9N33U$bOriOD|XEi'_!Hv[ױްFEA1>w8Yv@P){hs ΀i:%JPjK?'*ȓ:2f#Rٜ.]:gE3XKͩq4㪮Dڊ" zX?."vI:_&UDeA=^)oj5>b9k¤-RqA "+Clkx€#*6f ҕAbLg᠂aq р~{CIe7 o~zGD(C;*,P2eQWvo]t6JG( _}fwgzZ ȄBHRJ eO_.M !I3/f, UCPJhYwqҴMGD9)_B Z}jQC>B^jt0xG-[9zyd.ހ5j8IKA46,9Dqت| Cb-kwMRZb`*Wya*mp'.whء>9Y8lB_Y s&1gSB=Z Ҙ~=.̮%[~ j,z?jKan[A9 ե.yJ97ʵ/mnpͮ‰ϵ[btt) Ztgݩ~!W|ǎY !ء?w5 /Tdp@à7C8k1擛@*f; i]SNȫZ>2c>qOo[A*Ƅ]5(iS*}VASU *;Ɠ#.HвgB´C%41qS{LAwL&vˬ%@woQ _qC0sĻy?gfZ>|̈́/\QY hF`%UIʀvC덅{q"JR} ?>Ѣ CΡҰ 1i։݋ҭc=WvMSڗmKi5eIgf31OŃ7lKW;9P]}x Н4_^?[b|~ ,!Z{;_/Y6|&uw(w +O|I?qe.R? &FhٛHqPe¨ Iߎ[ FI: օ.=e>ލ Q `F!~[- ^UZDwFG2]'ڱeU"k6a[  CL+`3g@KvjpmF9Љ2Nʪ ׂyHqڋ&-D9hM G1;a~9_GŗD\\-lت(4hO4k5}e+Z6fh.@#VۀIo,{o!~q5 +yjx'LkJplve3-|[(_ȑ .C0*ܛߞ6uNp!Yn+mo SE_eA6?0A["d(SH |iup t+7q*Lh%d]ƻt4q%5 8No%Dxƶꓰ P+*uhJzҬ_Pz]B9g`Z u휛N}fX7\ҽEnIWB } YvO~ Y7\s&<u/rq; ||cn:" ƘrT]JY#w``)BX3`9Ӵj՗V^aON:%>5 K}dܝ )~T 8ME'X<~4,5 k0!ߞMBVtrn8wG: {_i9||,@vy|.r g}OABg,T>ӑNz+Rݿ "gINjm^~ VLH&2RJ;џ`dDžb,tU'+4E؈Y)fz_ r( 1f+43goOEQ!r$徉nRLP4z-QnT6l$Q#%*9AjaXAefJ$bިwU7D=ý׫WiQÏܮ5wD8VORZGXeQ+ .5yOdH9; jY̌@~p-~)F-RØ +uxemaj4߰)a^ouoCR{9qYׇ 8f(I|L@(9TR´/ <9F4)2cV1xxkegHPd,_5hI=j˗ր2q!4΂N1z)Z_vx<hCdI 8^4f(Z>h:\by@yfhi*dn?D{\ϔ-3޻I%&U EaOw&.'25 iY+M>+ıu'Sdk8a:&=Ɲ2%3lvȕl}ݏH`?8o  E 9y򊬆gUjAkO plPչ1nixȒrM}.$qϞ-ޘ`g9g3C.u&>-Je开^?ZZ!dQ0'Nhռ#^em= jZj:QQ?o'H[guE1I3X|&.+Dr]1ں7q<~Lі29 Ć-_F{~ ss:4XGnfrIy\b{qA X|KbfifG|%uY*¶N,?we!tR74Hs{.u(s$] &rY!BGY,&+)UHd5Hp]ZOR`tʟa)=V( 02egu K2g<>>m#6%1'K"O0= ԉh;Jw=/<Mƒa[bÜ4:JB;ji S%4g3FeM䏶oe xn/Th8Ny@}R,k oIU9݆({eLEbkzlS/RoseXZrpW=|ȈQƥhPƳv>5YJp3c; _P&6?8)GI)Ʀ Y[8t1td\98fserd:y &Uj[Yۯ +yŀ{),0x\cksް &_twKK<'-+ڊw>M$+ -Y q%yT*E?2PƠR`Uw}ɭ"s`轻;g/e3?v^Ś$:l%]S@MDezǬp| ?}~U&~wshY7L^e|\\9ڂ=Q$6B1'juT`d"l> Ͻ *pX*W[,|1F!"dqh']W(i(0ˮI} B\rUÆeSghZV Z/#ۢM:,r*V>}&IQv<3|m%]BQ uk9;č]θXMօkHدܘQI6PqJ3qZѻ%w4mgJpTX>L}i&F~@|;6x%o/jsۈǗ:ybKh<thGAQE(<;y~9n,6J'zp9Z5S2p"$sM"SI@e&:-MG9|qUJKynLGJsl 5gZFgwқ49HU3?+1j'_Xgm;P{Yns)Ƙ.Q&p,,Qó/YP`oQ 9Sj` =QVܓ6=qVOEQ[d,x[E'B]{F,eQ h en[)u4Q3$o,TQx8DNzt x|¯1E2??`dwÒ 9 H|[dj ׯq.5 {SAE9k}CwN->HU ح֛z􋸁C2YB v75'V׌MZ̭~Afŵ(KEmG4n %:ĬMgMLַXe əkSPw0l5 . 22H7Ŧ{^q*py|tOruʉ Q=h_rx72Mted^i i!o_ RymN/G:"їΒBlcx Nӄit Mх])&Yy`3knLMIXRd@fFTՎ &oc#I^fӾ~IÜ&2P2]À}l y9las%! o:::@8״GBU  L{)R"8> |C .M V ٗb `L'Nǎ2 ',ITwE XUu[u6_F5vEz ̎BC^L@4j2ȼuk)na*!aE|ȇ`9 wԼ0b:t{zl+w􂝶qΠ .p2Ye6άHRY;-7K`*11+UEw1wxߏ>Eɴ..}{?"% wn]n2./jЋ{o>Rȋj4 ̱3iZ^*y%x]$ ~ 4x*GJB?DC:aIiF]i\v+BJr߁A[~yMs7wKƩA8kc/lDu@3<rZ@;$mJ-зGw%#إtTՁ>E'% R-hDK% SmMXf(Ae|"3 RW-wUT"{.l~ޱW]@dM'{(>nȴv$6>J~LBF#u,نĻdג8^?"֟܋GbPę9ټWt:h_gգ8C1bnPS qדPrj eX6$Dt҈ѓ+ a%Q;Of܉F_lU>U|*=QU՝ƁB{Wd<Z6(^3dZT > Eİ~n ϊ "\WEDG;*r8[:yh M>,٫|x#ƥwzU |j:7 ؓ) tg<[dsDleoƙR`0'dNT <:_5&G0t,+=]VYSl}PvcR ›FjJO>~w `kז->䰪Z_x&kGnT95l߼3qpV; 'o1nQQEs@x{CZ#Dힻs\́4Q#i Sq߂3 W\n hoTgLPǚP@96W>XQ<ڲ Tj{j ڸ|w>8gTF,fj%{_z|GY/5GإI}klN[9ZeB,=R(3ĸ r-N '$XNr%>i}Ю %ϯW f9e+>._Z+FߧR$w^SejؐbYNBG_b\Ԍv83֨ f+7/k6+1U۪(=;5R`m >)i؏XǙ}!8Bp^pfPD9O $z' 6ݧ/uާ֤:qِ:CN ,[3d6&]G_<V+0(?{fI̗Kh3;HL[+S8*Kjp*W& PO RJhYUSCg\۳E ̵Qz m47 orJǡ!8dHEK.M&]?xoy^.9LB-dS(F<w i' wڒI5`c3>.3Sp^H#j]ph"'Y SGୄ>Աo?|r1cs{g) wRgb&1f(9ۃ[-N{*D8~^Dh/}dN\$kӗF3UmR g0 B*=VTX:!JO&xΣn6q;MܜL{>f\>ӥU4!,Co;}lgݻ0o_YW qj!U&\f#uudI θMF}:ga0C(> GVMn0Bү!ɽ?Xyx>U/qME:QiE.v{{H?^ Bbz[Zd$@S{mڛ}f9R`灶'C 3T r3yDO4jh i)EV|Q}IT3R$7/dŐk=~j.lƽ`ZhW! 2(XUnH-ҽX ңKwx1&c-c'ؔd,͢e\'^m8d!_Pqwf6ʓWOR!1Qη* F[=Sqℍt@&}Fh{(6y@5[}T@>F_qIxq)șirrDGu6WM qmMy}?;XPҴHI/B[GjM춎C*ócs0Ī*1yuSVfɓ݀~Ѯw,o p:ùP4g0=[=TN8*z?vz+.lGK:C5*wah[m?QC]{wYEڨbkt4͉(Wo/.g\@~IOJ,W~;SH0) :Ɏ))̔M†NQKVK[Ȍ(}ulYҺzd~ؔ#+ԄԜ$pE [` ;Щ!exa1K&boAߖk3Zv=_q;mҳRbAXiVp4 8d1k7{? dtH L>jFv.7o,hfdf5Jnk|!-k`"ػyb01֪1Y5Ru.6#? S_ MV i*)0I[4f}ϒ /ȗfoD<+9Zن48o4cF>5  #09ǡS#šF+EC(:.w )7s(>wy4Њ:;M$Ѷ ;bYTE]e"l1Vf A8ѱ*B*%[5R+$X{wdC)l4ne6tP6 : SqyFЯE x[ilIܽuۋ'8Q* S!ETl"ZDگxjȱ4w|3pْ`9052de>HCtYIh7?مDC|G ONm뫨>5u1cyPZ_J#FKߊ@,7_Cq~  OmE&CX 8! F~3<~쭱|}wG22q6ih :i##v1,ulc,.s_ SΛT$);17Io\BqoA {m8:t58嗲sBdXF|M4:vq;h#]?~vXS`u#ٸSm$g qy|C03vv]So2Q8@JrYkPnZX&@AzZAAyT8 qbJmԖ!6V@yOo9&$vktM^}ڰVm71 aK;;?9|DS=|U2-\WNj\,nj!΃;\ՇD0: h O`J,τY`yBXxMU_6 졹O.wE"A-`5А:e~f SuT֙l\c8MWo#H%b:M;'X<J&&yp7t*FQf)7%EpIFˁalm2#@ga(36]+9HdIWgaL@\rǷß~h٫wĿ=L͸7£;kt_ rƢ0@W ˑd4tPq"n;\K:4os?8X*Fn\Pj"zY_?TiɆ)~edX9{/!XtuSxbjڪN6/.3 8٨ [` FM8QWSCwsw EA9bƊ2ez]H}xpȇ|l`1T:%eJܧ?0rNTI֖fW3fW!(A*?&(x dz.{?٫n ͱ$짘ngfP!t059[珚XC=U53>Ky#s=lRTs‚u<38P5?p>}-Ӌ,f$ԠR/CK{j~gYKsj~*txWlW= DHH6qEW,k״rm ޜaKq2*/o7PK!S<|Bh ݃㓨K($>ҏKMfaoPr%]{uGӕK$ՐG}~t'`ErbKF\CshmR0AQxmUoϩulFbf\1s_`)лOo$p5CR\صr]rlPq޽h= ?O'©/j,$chpaN܅7Akr0I[tfښ;i~Jj񒜵n.a`|pF\71smkdFlxI>99U;9N# TdRE{EqJܓI+l>~F](: < S\i% 4?7\)DcO& n rNߣێ~=燰&݈m]6խnӺRȚUKa6,E\J,oo"dؓHT6wQ*U]ڸgaT\g8ʪ/[J@( Vټ ڀ˩Y 0/}I-?C/p#+P{oB#wi@\Ib5iCR#!ʯ^:GzBwB' _w)V =xƞriz3;ҝq ݚ/O*d{QhwmQY׹x/o@TzW7Gb`*#څ*ܪwsz%Q#k63/೚II/] 6˃<_{!0wXIA߅./lR+?7*:P4 P hy˦U J(maQ7;. #Uc0/Jg-6U.J {n˅D B\Qv X"$TfڠmqzڰoYzhB2Fpy1Dn' v{z*Pe>$,tlRԲVl6l%+/rAl| b4jԂ~-pJj4ZBȝ_d/!]*D"5(ԛ\ש*mM`Znt'\W80=CF<%PIF9kC 0C.)ǂ Fs!Ck_QU%)]Tբz gAgfvOUn/ ChԀ{mpk!?܆fE39gSŹQҺ+[]g49+ {7V56)7sejީ0bvqkCE^A6O*AQKhnvZ۳le41(ẋ2AiQX v놓W|v_{jm([m,¢_RLaqOJ hd_ɻRV v4L3A)eWaS٧Ł[}L BHEOf`heީ _+$P|O7$DEa R yu Ay5(1)+:GK@H,K )oBA]uw$ ŐSVE81%bь7AEL :"0$`L(hQܾ-%Ejж]L2lP6*v$=bk ;.mkHܬ̗mhN `(t}w:N͐Fcuq=E)09jvڒ xrjlGVr| @NY"fPt7E\iHW-WJ QuŽB:CpL.+G"}Xh[x~Kt{9'u>$aQ#FxgtnY~$ڝlR"4 ?D۸--Z޲oCTh񬌪 R0&,DR ?8UrNM?RK2)aP)6u2E $>C,~*}4TWQ$Zu顁`1)'M&KdxRLh7{oJfrD++v}6 =(T ExvE6.:r]ֽ^rܩ &CeNp?D|JMsQQlFח_U 6&>%P~9c6__½iCχm/ܺ^lTbRAW[{3{94 <`U%{(mF CsBnm=vTY4* F{&ͳJة6PEf uij{rT`CKA< -&@\XSO8r@!$y.~w7%E|0G/8A12\UpFWƄ,礿T''x!Q7ϱ&SX?-]gяA٠9F uP?>zN밪1>{YfF>Ac:b0WcWF5,%^X.IHx\|vyeZU6㟀dM_%ּ {Ct4ʝyg9 J%t@;osۮu]0" xv',wc0c*,35J^ǩBNGdc UɾL=a'_VTI{NZM'tlUnO"F%]Bt)kk:6bH $Ko{jYEXe=KF+,9@MCuɲ$CFt_>_Ȃ_!+rB9@;I}*Wp}1jd8(.$qgBm-|h;_\Uo䃖al<=n˖XC}I!DXO|:  ߗ͠iiz.W2ы=~ ;cjx:C~b6Rͷm^J&]R&ڸ}7/ vsRUM= kj`S4GZ1*5EVNrij7.z7 kE 55ڑ/@#h]P)8hUŨr&߄b`OUq[M`d 'bg0%t6Ne7bJ-R,3~jvu͡~d1vD6) 0j^ s6tPzG+s:Cv^/)en ٣k%o( LȺxĔ[Qb CԒq͚ՠwr[TR)n0nX,\u4BNYњ N1dgG:W*ޛFs}{>ԛ[-d`%4;pGQ*hSMng Sv=Z4 Nvg6-;7zsMU?)j(ȅZi1}ZVj)QAd8`4()D }`1 9O/"*8pVGy[s]Nlec-upV LD @Q6KUXo"[gfbdHcݹmO׻\iIᆣ/u3ĩc/ʗ}# A^`1t"J3 E cFHvp٣Z3hkCKn؃uic֌#ɯR$Z>rǞJmvFGU(f߭-a)6]6MLE95 Gm_(>\Ul|2;6Mɇ dzfvyow(iEdYjKy4ȾK"#ܱӞ$dvLAY^$s.C<4 1s+S*jѧQvscuGDL tqjդ99Da}RöM-$Xہ`7vb{;"#NTI,0`]yx %TB[.b҈2oa2ɸ2O+(Y97igN[,*p-&4n=;kDS^H֍#n=f=[lֈ@.*2WBV7vG[Yʖ 9״2.3.)acE.{:DK`1\-{6ld20v^\Y3J{Uʽ&7[7Jt(+މ(tbzl3*\!SH@tv-mVϸN1xaQuWZb]uq+#GGp 䬸&W;UkTMϋ1q7f'2*ⱹL%֬[|fW7IT^V[m{UhD=%+5v;>/AA ּe^q&bf>]l*]K7YMkT! ׍!WcXY1;b͡,Svk.!Eg'n =lD8 V\ [}gCƿ)E$,m3=UpܒO '[^;%QVKP'ʧCY&ϛjlJ˾ex:YLt;Bu#ԼkaK:2,q]J9)xetRxW'S¼Q2mw!k6mD@V-(~f3R]Md[PpB"PHm~-T:%f\ǣ.Y`w7P:ި޽MXliir?-g6scۇ@{c]m.t)f˯$-&lj[S+oJTd㎥svszɴfYI;[€s7XAIµof@՚﷑+I1Zs[3:Qb>~=UXWXz:ԕtnPLƦ=9q$-h--5=lK*77=OF$,3TWOI)1Q0lo&TXg\X`71n[ֻ- 3<zO,\A\iTlGD?N̦XbIbj! t)P9ؐ³cgu>ָ1GXN Zy!JZ|n ތqX\jjά! >"}4YOqK\Kv~mL#TǠF]:-PA6zZd+8t@Z7S :$yblau^nɿg:٫+Q]Vvt.]nE=4mpY1`^!^ 맠qs`Vw坰e{"~"F /tאB48 Jw,5eMw<ԫiɼ3wGLJdL:8%55o_mNg^" M9v{GaفEB-q8lFZoQ46g>D865i`S#sc#U99`ܽu}j< t@#-=$ֈl1j܀AIPm?}%g =/M7:F&|.uT9>L'㵁3zx6-܎$qhe$"&Sι4Q՘a'orUVL91X2/S gYĽXK,L<' uwW9yX z}KΩqo%cv8&,A)mjڹܧ$*k9T1(ξ_UDr*Tp"HʽK\nsluVhElgS$y:.ZkuF&rȵ\ HEIegYw0:0&@ư,ey*]8L9y!lc:GeJqtT)u9PqƥgTP+}r97}-FZ Q&پS*Rk8Z'ŎJv[P.#0BH1)/ńqȧΪM`v; z/CFtR̴> ɜ܂6?ibv VJ Dvs59)N=ذ o^G'R4f83fQmM%8)$u.".kO9u$h\m,xM^БTzaw ')P9B92dw{WPk_ jUXsc, $K _%#" >ּ%}ںnZWNHF4ށ;!+i<^\9?DOzɁ- ;᎒U 6.+Lb4wk%1%aJ#+RM =ů90rؚV4K g5Lj.?5֍&qET/=Pfd-L@m6cIchYV!l䜔%nh[؇ڧlAO z( M8;>܏`0O9d:7fqjKLrcMs@ #de:1#ddf:c8|ʧߪ@~!aF",_ >%z5p:HQ׃{}Z^ YNGݘ(KKGXD #羪 gs=/jlhěb'(cR tS@6'E1j1XK ]Jy %۩['RO"~æQof`(}$8q@mo=$O : >AEZ ~T[_nz5G2 T /Y;Ca0ȟ8j`, z8g3}lqUVo ؒu}&2o'ء"%]NxIU=^ PjA69`/M23^mhOdZ[ʃEui2Fi0L YnʆTH׭oM2Ú6x6xEtecB'g(gD{{HlFԦ*Sa[Z_(:TZu3 i6S&9>ox4toIr))*Nio:**q7B!Hy獻Bk;χLr̿k0"qXW ؑ@Y{j&V-ܞkJJxncbKdUDc-]c/I uwÀ+7 C5_>{w.Jazb3Z2=2CJ08qG"\:^raŗ: ss\9ĦDs ]N%&{,f +XDU8]֐œi9폛P ̿_ ~% H7R`nXuxф }Y$1yLjeɢSH~]_4Ȥ& -ONcbU@gX}Z/-66bJXh*}4eӆf:SuFq&V[V7l:?ÔՌCnA#/I'HpM# I lbӶ[b@qЫ- vʶ1d)G7`Qk&DiWˡt5 QS/ѵھ5S#>pNH}eK}"$dz_Y;6n} U_SyT:GGqꓫf3xZ'v\t'pC;zzÆq!I݋Ԯ$EwD }8yDɊh n0V N5 lP ֨i;w6U}iB{P"L6ʓ6ඤv_dKI;߶懧#eJƦT4T42Mk#q(?); .V@t:lOȀeME".#5%jNvD>ѽUsxܛtTKtIud]i@̵pjVQ9xV75|1f<b옗'9ыnI֓mޕKh;fQZ{myD#_P:JԢp8Wٺ$[hԃQј .'nL^f ב1 peք1'0>1Uuq+FdW:cA8@v98*I7 D6.vg!ţKNZ=s%T25h~TM_dbiD C Hl:}ǫn3mXxABNkn\&qΔcdZN, Z5QSR1j/D,v h3b>vEt{U-RDѤ vr(X-8*RζY}G2.R} k狗#V@* .#@JQxioX'w*֧!5i!{jh ױ۱9!"OA 4LP9fN_W0SV6{)('/K4Q'??"bZZкDct[C16@ZCNU%nN#HGRTz2+`1?qEZx_>7;ziE>(HCn\z\#Ffu1^j'{qӏVŠI$/zR]|rYQE)гQW4[;rJ;-!e8W o>7E.e ٟT V+ SE^%HFwҧ^=K>$ $ ttaf/:4bەl&J㠢 U׈b?&Jm9?][:U~ȏ 1E3G#3K*ɳhQQYN=hF WbCD3TVl+rh~E8A>=͔ɲ/XԱ{kd* CK:բvt}k!mq4^qa, Xz7#E) ֐!rK w[XX}kywD* ׅP-,o4!+@_ךn oT.LFY=/`<ՙfKp1R@ǘ պZE'*?_;;1śӛ&&b'sFxG`IbvdNXq WR -SU6yt\S~ 81Q>Z 7 G;3Bi52|ƬV$axe@`2 [Or`dA?I^6~V"7xH ).9ہR p2R| woTΝRL\}QGfNh{V"`+k..DTnjS rPԖbK oc!=^ ȗ\$Bw%+Db 9O,:ɇ\L&Iοit}oU3!":ÈPW$>NbnFUl$Ήa__H@ONҖTtз~ fxx)%C񥱺\A*>@10i: 1/[g8AIUT<8G iODhzBB%S܋CFV(ao|Rpж/GomP E3t6tͤ=DEgBW\U!~eS&J/{d? ks1Q?Kfۺ& إx7#pz$7t;u΂6b)0%~c`0D!|[gwQIG;!kчa߉5=`I-TX?ɭ  ү06A> v"pM|U =abRaX1II{hZ x8 .~7{)3eTQ/4ʗ}GW/ ̅Q}4 _"AY` ~fGX/cZk W]/Vl¼Jw\: IN.A5`5Rrk&90^ 5<4ِe`+Fm=@ĸe0scí٫ѽĄB2 6%]f<Jp`i̻[k!nx2 XvkbzI JZ:ˡ1.HUd,D#5ZU3FDG(qly{TfA3*Z7_JAXOپ¢ONVɞ_NDk;i"LkWSx.j Ćt:{ r'ʿ%f E9sQYgz!ק PoY(]a,%d5LI 5SNؿk9_ǠwqI8冩Fz;5Av3脍%WQVҋ_&" 췻EVB=2%uٖ*m݆`[68̖n|}70%=c@"Ћyf]tDL{h:=\Zm(ֶ H6FȊ ʬc9gt6OHj hwށ`4V[vv dT8+X_]CcRAM6o)2 & s%4K.ZyN#zmz 3v ) )"[}3ϋv0l@0>rjbE0a~*ziQ4 9em2{vK4el:WT):"D.ж2ߠW[]7dJs࿖6C;Z4B71'PZѧ.ұl  Bw&-2ȩ] ib'@[Fm0CL M$?Ǎ.N06>3M8B] t]*v㠳]å~?=T붐n#)񥹘髷oF$GDeJHֈͣu`)0̬F `RUlhJ =MkcZ-#& YP&ʩQ[ CQ8?ZBXMQc`UELq"IclZ4Pg"1<ԓa %^xM(J' ށx tGnЖ*Ƣ&DYcoh8_;!>Q@]4Pg#C~ os,R?*EmQ9} cS͑M,k(Xw$$ՖwQla&&;.DBtx]c‰J6 19rUEfҘB4 dcEHƈDce A6ܺKekDg)"&\~c nơ~]Ȯ h= G2R[R>jzm@41>5ÑmǑ&W{LMm+3єV'}?'6Ecغ lZՑ'Pl߼n9\GP{ f, |F[I]KӬ#]XoD,BYíD>/q1 It7~TP}BͣAEw>vNP E\RQ6F 6qu? .NmJ҅H='یDE;[Nd'^4|esX^`;ܱ;>eE uY#aF.yvВ9e8y}T NiR't?JJsU0ؑ"plwĐH˕#Me ^Ol.40BOl&}$[,޹X7Ү@S|cedv"p>·vvjEFpuľ(63% ^L?HZՑVsW>n˞\U8}99Њi7;)kj@*@bً_8'&ܡ`hÖXb%Gz/Ѹ Neлܠ _|<(RLT8݌V<Fsب/'b :>>nQv(*'s_|XohP5,ӊ dVJ"bܣy7 RmO/j8S?k1+į&E"Cxrd 궳~Wmt_>@Ջh-}--[+ձ3A;Aupv54pɵx ]h^PȓXQ3ve8Uݼ\ fcktDIw6֤KT'SWlOTo]&W;׻1Ŭ! W+3Hkrr:/:uU:z9MS\s=S7u{Aҳ͜V:YyҪ7_QCDv9*nlct93>f}fh]$aACqP^ GRAJ>b2M+MZ%WNעU>у)HoV,Ri89C3gBTN|zbn/J 5>BY! hIR1+1KjәZZ蜘{mkBZ Gf̈ZǓӲZ13 <1+<+Xڳ؊ S j1mO 3En؂v_mp mWgfZ$+oQuH^=`G֟(vwlDcLɢ1m?xp8ޯU#lE u> jxu#]FLfOTӇ΀N ޳>9icVh _(5–I2^ؖ]]kRҒ ,  J Y4gX evH1٭1H@~葍rKEz?#.;G7=6hQhT?y_p"eHjxsbh7x(dn,=m٥I:Sk$r ^FTeE p{mj+2AU>jD6U6o75ZҘLԈ)ef&XX:jm]aahrSb'Ŀ1 ߷5>Q@1Do&2^Q7{4j: u5 skVXƂxRAҿȤ1X q;A&ld"vxgl?ي[˸ v(m>cбVDG!ݤ/=&f!,jX_6ii<?'T|%r^3+ޣ5j%J]4e4zce!5x6yT͗KKyu $%:aIP%|z+Q\`F*K  yF{:\'nƨ`  oLL$owU^Y(v_ ID,4A *5Q#l U0?I Na##;v2"\?<[{& fo;IU.B1NzFkCIa =U:@Mok^fT; 52G .f ?OcFI4Sl״v0"w3;Qɛwwy> Qʈb_W-0R29-_-a @K\ɔ6Ai5fҳ5E `o0 `Ȣzq?bJb12`|ݿ-~:m.("5iNvG{:UA)4e\$jOswah*t9?p׊Ņ;I\z yaCy4`"]Jߚeb9CWwWS29aLXxNXuїI c IF%tad=eG.g{Spj.3=w4_=9>am[ouf=V~ț)8D}`k IDH%AΗn: $=mU }NM >oh^aCEv;]xxTw/jj1! J lY+HEZ!` ܭ5M&܃+)1B~0"ˤl/!Gc*7-îd#vzԃNˎhlCaޏ&c3R501B*}g2Yx^ .&ĭ<:׏l#\:h@+^$M.J`+'ϱ0ʓFcmk4w6^jS  )ZD ֹW'8n̐E<\ ׿(lXcت)PK'?T@DBoNPd[$C{*m{XA5tiTe7jblp84T}7`'T"˱܇Zmq 9eb Af =OY~|Uk(QDFU:!D ˧(rGK3նMn)^䩦L1nB˖,Vw}-@ a'RSѺט6d䎎粆^P/1DRxa !M|a΁zYG_ǁL- W;3suMc.Tñ5ƚIf%4]JΤ*F`5IOe xD244x&j:RKJjʩ 5dL kRv }}}!,KBҪ9|b0!GP,SR$ƗGI͎\nj67U}]*">١5ѣWړ&xdE/Lʚ<,:qzO 6#\ޤEn;g& $@ef229!>63A3dXsinҨUJɀ޳eSvS^.69F$&L0@]޼7f;$_k֡oQ ?je1cA!. P?}_7\ߣ;}菁*w"wln6=(;R)6H$@qkއx.]ֶKhOjρG479˼NebפC٨W \Q¸߰lӦu=غߒ0ga\ʲwMP1- C(k|zĽaAqɥ=V陁wnL֙^x/x7F&/#J=#@  \͘"®K͵vٍ+57ia?&?>zN}QV6c4r z Ш4oo׀d1C JIM/L; xvjZaR;1G"fVE{)k @vq'tvZm@ 9Y 8'ZG73ķR0=t-5 ֹ MR$lb?>>^ 3lH!bBK% Jx;aX~^@IA:I=kJ\.qEp\K$ ZؘoS$ξ'Y}o{GzEH+tzL2&]q[m':scY<&(5×#  5w'b+40߄d="b%k,:`HM͏T =V.14\ϻK%3x\ޣ!_PHu{ߟ hCŘj&8.|8>Ҿ_ ej7K 9qxp ]9ljLB]dKjݲ'>1 C$*FH䇕<@ ی -uW ~/B(r}); OCW4|)ҨLNڑ!@ٶu,($8"#}VOR%2cY~S2QfzӒ8&~[| ['h-\ NyV=/h_B0n.$ŶEbIvak^L;";}T#"h.)k#}p/spp:JWPr Z(6v:2OȎGqYzM%CA1_wh v*Uk"jr[~6gàC9{@RO=q]XH 0S7&mN &%;|9O͠Ħmixk~B8H*3T/ǘƗ.i wfmI&zy A/-Dd+~UMsݨP^Ddk*I5ÕC|Okoz4e i=FṄ %pcl/OF#VewYBd.;Ƃhq* #es}FTb p_>Mo^@7[~lZ| V[3u^<<\F?wx{2n*\#~@eRG*ز@c fm>74hY ?Y@2v3ė48괴 Y֩Lxq Eh䇙4F>)6hױQ$bP2V:L1A dnjNQ6= 1fK4JAE,{+c^ӧgv]=5^G :RXVY+SmV;"!/+rμrZQ0xlJ!-DgQvA%m9Ͽ`7lXvSDw;R\)F-ˌ*cU0ˌFJh9lohɕ:C◅{逳>?TG^|<'<.-@bp YF$l)(*M2}㇦SCfu1|2qT(',!,oN{t%juD 7qO)ξZK|"= ~.d%Fx,- GavGЯ/jaҞWym*3R `fmo'=aBIӄUc#Ek{Rk!,ez%1v,"x"ٺE^)Wb\mлgd:R;_j A3-ϷYExլFP@wWZ42ʕdN&^΍B|^4j"qg9:sV֘׮5?B/3[Y4Ak`Xl"O jLwgT)@9`itvf0WW2e`}fY*D\)HCT Xg6C\ޒmb" "Êw2GŽ`ͱ&)ªp}T7JcׯՉ4sDt2ev Źr&,0T0Blmg]8Jޞ~Kqz.1ܑH]g}2m&SUEVFy8A[?uT'M$%l̿jh@WlpcǦ*Nl&8Ǜ*8stS%;gЏ =5鷨o$ܖ1"fQULLC`͂SZ$xp Ѣ9hkB6w1WYs?dWv6MZD)!cC~+EEΪW{)s-jWKthtH*hΛI(ge-虘u ֑j-@7"*Z=եm)XȾ+ku:H!k ;K<ż]AbQ’13qz#ƶb TFCq/gpG:EIbACïK͑vq &/HG~jUl@([zqH7^ YgƙsaKpy.T/YTs0N6K+tJOu yF-YGM&;,)z0nAcN (r]̄ZP{;v·QAIɛ%IyeՔk$:fDjY~'Nu(CϦ¢3J֋M>u=miͩ/<'X QO NWjoׅM?CM琏4B1F&}{B|_H*gf 7 Ng)R,>[ڷe%٤g7 ƴT5Wk0 `eqH:8joƕ~XZwr-tt!#g6 3k1#'6!٘EW=YϞP}b"H\'*GdEHͿw }Υi3h:~ *6 i06PψdT7R0.Ze~kא[N1*YfyݢmưԴ%͙R4"1*h $X, B{.yu% bn#,hX9W߲;eeB)iͺ |#9XYd(>&VyC.  BڹODGx}$Q]n!3ެ7, P2.ںWS/QIK2ʊJT jxQV4>zT ) ̰ԊԔGCUz0+ZZ$UI)Yf,( :]T6%}ߤ $:*(l|o 2*Y:fI_dMW'ޅ^K:}u;-롔(L0{֯kjltF)T`a4=$/-C>l8<mi7ZwW`Tmȱ"IsJv'-G1E#,1'\xT0AiC5DwœݻpVWMGőg<&*hRCINjR\];Džud,ر?Qk޴;T:b\e(k`# e G^b hn A(C-9ASȚ:%}F \w  owQ?H,僒]B's˕ƾOŘ|1~d>("]2L&PHt%lGV6'o*'=2d\.vD]d)X= ymcHR}kKqvhzlDr<*;oC,m8Ϻ0 bw4p/Um^=f}6G(F8.Bn/QY;W-0$޵a2Q3@r_.xy2u- LTZfη[N[BMQ\iIa!!b9lcu`b7TS={:.(/=(}oXqQ$?Mg*_YFOOd2SJށjVEi啰Yb(C~bqL .nSlh=>Y> ɗ`0m{kJ}y/Wr ^Jk1Aº(g kӛĞӭ4Ifn97i-j8=ACܡa'; )<"8h"wWN@T!9@<痨An;t[: E`E"bKVO{n}9)50%z,C1wG0#%:%dK9b3%YE39s7mN5"#8Ǐme[@_r}oBHq&Yw:KttXH~"=I)L1`.ExUIMQG\2I6&̸5ޭ9$j'%_ gX:+Lts8Hm+Dfx NXdngBHe#GI58 iMr1{7DeH\{+H7T@ ՚u6QDEYP 96?;}Mgb?; Ө$dd$\.7F]N"f6;x~wPǜq|NFrm!+(x`h(C5ajX2Ûf8K'[k;]GLww\:þ9/]0#͠27~ʇ [ M# '#Ij:i3v5 ]=r*sз0tW7L 'ɛlY)r9uzЧʼn`l̮nsKt[E4+ 2T *caXnc܇>͗2, ^vSB HJ"}(ͣA7y8cA(iԟ1C7^ Ivϊu!AQl*zSCte9`|کM1? ET OznPZ~ 09+`TdVx/G' aaO؃_MNlmEOWʃZt.سԹ6z<pUwO$'hy jEks$Pe]CD"Xp|QL |ry->!A`l&=ckaj%,wMbwe# vt.!n­î%}~)e\k&AO_akp;gRRĝ}gr`>NWAVۅЀP8ƌBVژj]g#Yp+jA[7YY;c-aN- SS[~P䷌As7kMZ䴶[GwWϕHJG M IzHtARUҁهU W5Y/&W Y2_)IP[*Vz|E!3 0/Rɹʌ (`䑋%@c.B>~ ?EA#9<15A翋f<}yƢzi<'3^"&t\J^yHMEʍr!hKh]]'3M?t]!8s3˅7$&V?duyX~=<m'0h]i#afS}ȌNV ݶnK̦Óc=ݴ*S]Y4 r6t"ƕwmGGe1lʟFf "!fS+==tէ2ei-R9Cj.w .5$gZRŅ0s[*i(Ayh8~ vٱ8LSG8鸡Fn*IbQq[}Zwva_H-Q9~Gh| '7WCR@ѥߚ0vf* wȇR5irD_<#Qݲ˕+73>WI`W iI,lrމe!=Z0E zɪӓi}~Ixi$fA*o i%=6E_^.E9.$ ~hϷŽ,h]W/kg?}%pu:/p;/+}}R805/m|dqK;ayN?T Rd:ZAj̟ڔg*y{FGe'wP~J wI6/QP 60q_{jwpNQD?&}TK# d> ?PЃ`³z-9h,H(W(KvlK`/GUJ a+*c/aa( 2b/%Ba5iO,`>%}H5+r7&Aq>7.ΰr͓;m\΄|osNoܩY'}9dڕ`pbl_YPg-{C3RXaڻ,QI C`4ҶcV"f2 S,Jd̞8 #1Uaawڔiaj9 Έtū;[>>N)\&xc԰Ð ~IixzAP¹ngzC "!)T@]~X%f}|Lkt( mV[}Ơ C2/܋ܓ7(/.#Ce7Ԣ)(>0ёyb*Pîw1!3L6˫FkpO^f]K? Y3:vn̩fF(hd/8vf!ӠnJh0 Pڣ\!-t+.?ku?8EHe(!+SxACݜw.6DGb'P7~S7m2WMh@i [G[uz-<4e;OGN#`(]>-"/>(Z)tdRv=7݈vrʾڀq[z%+v-*>4]y;k ChjNx3F  zR2 nrX\d%y)%2B^y\D==Ϩa#9u,PKU8kWТҳ-q!^84.yU6}H{'Z%2*"3|Gx Ư+5pևtu(5nPsdʹjboAL#^_T*XQ A VH?thG ksS7{N9F*+L, ndb*kVINx$njIlHĤKQE`f$7yJ]G$Bm:7<SN۝6ZK9eɌI ] q3?"$:;UyMIF*,tvt 1RnRDY՝F* R(V쌍o<))l>*˹[y2r\"e f'<^3J\J!a,oې/'E.H*9VC6% *yO $ Zt[ȯa53; qoi!Cǒ^FL9xO,B]g?cO5COrYsC=+0Rý乕Z)2%Ƹ\RmmXqC+;y1w kĠZhcLޫH54)ʍ  ܖI,a`ͺO1/L1lȔf3EBZ8M Za,B9 J QQhV#y2;@FGݔSc?B̈́@l~ laX{Y$ >2I(B.ɧc]Ɂ EkYT^ !G͖+J o9_+Vŵ:'9yUVBC戋KikSVfͣ !9bo#E\Xc[̗ fw]uD4z.7K/7S N}(5>z(,9ypbQa >!{=ON9t*@A wxٞZx#&xL3ZV8Ika_flߊW_MNՆsPO ~𾋤U@D˺یs7 !L?5ݲ"%zgEGL{Up5 ڌ'WE}VwYBFKڛ]9?ixi!ȏ9XCǮUp”:D g䔒=IG\ ?Uj!L'3ų{Zi)aS $;3ng1fחȌ9g H ]czWd@_nF\VȩE17 Vf&P"J\m \Q)o3ooFA#XkY&s拓]:^b+Kӛ3VVp+p~{t訜j-,KB#܇iq bMaўoׁī>CXR_(]HE?]jf9NEz8v]fGV:(AN0U-\?L8+糫ÅjF' gaM/kT7LH.?-Z7Še'I.?ٸi]G)or 3ER A3 Z%!=>$ v̦R+Ӊ=H4DGSW&ՙh;JOIlI~&a&ãZYP ϣdBL+O6pe׿e*+BzcF*-PțQ;rxN&#~$"Lj_w^(4Vk_ OXgH{ AbFͩgǨ6 xuxQ#}t >OwN> e˗LgrCfM*?%lүS.`SoIzLT8Be9( y +ת{zOD|qqb WcP 'uWoYb)?$>:-bfݓBQv,eg@DVJBq^nQ.fgaUOXs5M** ƣ@*0ܦnWſ,m8Alځ 2'LFQUlFU]I3,ٳ^vςx^WC`8ޤN7\Sq/|[:chFfn*`w^~25OxJRq`YrÛCt]h~tوUp 1j|gꈺ|]*HD<Ѭ\?G#T3+\>]ͽ>s !sˉfnf{Z›ԪGSR9RzjJOӇ5$oEQ)p?VdI@^֒.#l~kb $<2kak2DUSGáqxJ@NӠɆPb[2xOp}[ux 5g:si !Is"L%@a.lr゛ '4v*!d)N^X<-Ⓓ A6EAE( r/i HvtFNk.~"&FxfDwQ3',AͶ%$[30[Q`͠RR|"t[={vv.dtLk8LYs;XMP F=صI|#hdԋq@n^zH=<13d}v? (pnjwZ(nIV6wߙLtG;|FԼ47FuVGȎ7!g=_-?V텏걭mWgs0S>Co''saeS*F\HL΋͐$j3ٹOr?],if@mU)xHDA'p{70Z~ Yʥ7M`gb'IVblÐ,hz>)u F,/i'<֑ADH2Т,(A5{znF\'joHr!D~+ݒ4268 "{X9Ǐ9vN5㼓yRTR*N>΄4p!6`j"%gsmM~g!$u=: UC-M?Q$^@ OFjJ8DV_MUCOJkjCTmkV7mYH 8;j&+(b)t^P49o25$ձV"N-K51iFX_z! L5&h΃mI"m/Q!K(Hl荷==#hdwj+˞DbzUzPW@F0;SR-+佅0=~V42q~X,E6YYUvXO orIkq'_2W' %}бB:X{}0F0r)`Ij}Sx\b~ީ!>yfvށA-|W_bjĈ&\x*Q7 Y4N}f3^u|`e'6.HHVM B/äo;̤w1`H?g[n3։Ś=5Wxp?8J IgsUpK,&f! [(iQ=9G^أR */-O GӰ Zx*"s|Ǭ0էg$ c !=̠t|Fw; ^0/EE9v*)Gq+"7^ش+7{!Hv髊z]I(3 +R-[5x#"6Z !ר0z$Ҡ>5Qn'KUȕ\hQs pnR YU4Q0){{iOqQ@:}y4<:mseQ[6=ZYͺ-ʅwĨG}y$Mq[Sh np6M0s-;OTz1J N{-׭EorJxhD=A0# x!hbxњ)2Ȏ%!iHRU7=^;9yHh-.wJQE(Avs&T%=%$/a8skVr3.wm3?t`oMSFmxt^AaZ$!]$0SS|QgA2epa!.w0TE 'Ųua"4aq'IyǏ6}LM:A X%Wv DxYw=;ű+j50')F;#8~rPcPupG ͳh@T5pC#QwZ2-*~BPH?k\LYXd]E^n }U:soy|AiV9I$K2Eeq&U}"]$Sm߸;!tJ(nzkYk-#h!"8iYhdUmI.,((wޅ5t̼p#T.rZ?H(_zbQLJ](qJv7oZM@Tg= } /Xn`|Wil??ؽƐ"HJbJKQ->y,3 7as.|:|W֠a̻N})D[۪-2I{Z"RR?O,ig6}wp*!LƳz'7lcC(wig]LgOk*2랐U[yd[$@kuLz{D!huNdb(S%cAfXv@Id'm$+;4&q@m;qx, qg) 0q#sGLn&W><םi}MNnU*YQ_UV܂Eh#t ,!SGKnvL9h5 ɠwImbлn~9=f? m=hߊS N$Prh* eg!-ه4վ`&e_K@uΡG^VG(I%ġb~-'(暉J7} *|bS͔||de$_I^r@|X־hϠ Y HKaX`N;ߨfC~X2vN GS KmL\= 5d2=ȶ ` ? qD]LQϜ*xl"J(6!c:!3fyeOZ7^-s09lS߇<}@Ckvb!ck -x\42xDnMwGR IĪ9QM1N-GXOA>,X@jҖν }(A-kBBlv/}f2~s*ܹH1 ccP 5Re׃xgݿ$:xԕ`gBP1,U73Qr rYbyTbq|E_`x^ɸBITȕjoƶfv5=0NPUwxٮpOPe ~)ݵ15Cj'|]Jyl&2{5F2CxY/K@WW9b>1,44^kUI#Uwb4vfh}0vf6*bos8:uR봶͂_vκ-A1O[MCq=>@:Wj:BdLƕ!5+4 /?~xbrWs2 HM)6K}6V,we=%l(u7  }NC!b;i f%kֶ!{ 着AD]_FlY]=ġb57^ 1AN߂7JN,R_OR<0}Ϩ@D[y(UG=hLYN&# k>ss;hHJzzi7IhY<=^gg~`KnV,=,=` uQG6k҆qez` $({7u>+$>3nLu8]vJ`\$}+Dvoqz@ωb1U2ryGf`dүخ=#-,E5T>Z_ѹil)X$_ HkJC`[;@|CzG &BsTðWyq-[H_tgQ[̊tQ/zZ >+Xs}%QB`!F W˿3F.x0WQGEB_u˳+JvJ/7^J @uak(U͜WL,I0@Ċ*鰝~FM)f :lL(@Ǎm4("Z"1cq]6,D|vw[9TX-_cbOw?P֢*;'UrIxBfݫ˴-7RJP{Sr*1gE "wl{6E 55ߓFctׄCFƿoT-Kq1-lެ倽vS42āC#| .4.7I$c 9هsܞ"Փs׽ܥ47Oր6fC{.<3w}G;FnݧnHc,t[q̓3U-zPa ׎bհtFR9Kk7ot;"Ed DH@YtA~}INߠb,f]0GYS^R{W\ C4|MsUֲ ZE%Y]u}x/꣈ӈDWVPq%tS섖s,?w(*EnkMnh}DSkvBH҆6M#DͺpY2ԭ6Dby׬Wޓ`- 9$4{O0s=϶#X 5F-(tSM7G#a _2Ͼ9!!`['[9'\CȵI3 57 e>-ʁWoki TVDHn"?1nH%ee~iCi|>`;%'S;㹰]ݏfԪ(v& XA9ʈ.8h(s4Ov䋝 ڟDLhx&2HWtI텣lۍCbzt Z!$J)@P~*hclyY gJE]O4ѳӷ0lG^@QIXv wPR0^9Ľ79FGQt|NWJ~we+KcԂt:NZ6Ǧ =F=_xhP6/ U"t\as!录nվhyjI@ۤLb Au!xPpfWT⡨oηfF&u~8NZ(z 7_1N%ʚ V⼒W~M2;Slf(o,k/9I ͫ7xee:EF-PC?rDf@oڏZ&&P1ҎPs*f36% PwL}=60);]f.RBobdPZO|dWt;ߘ]…ի$Wm?1 Bh )ן<<->ؿJ["v/& S0:e cj b~mҗgH__aGMj21z*"!~ޝ0QUTŒ Fgro\K#orm.A+W_xT *э3ٶjJ7Y^l1HMfʯ7ARs[;D?t+'Qy_B+omrP2|.vZcpD)`0G.D@|zZѨnKs_P)5BĐґ{OP`mX)i#{X5`#:f\]ImlT'ʢ4z(|O~cM }wAϑ؂4zplC(J|~]ǽvi\ < 4EĉS܎8{Kdc4O5Wl'7EbDCN:_YnrMPk>y;Ũ7T'P:& %ZA-{2Wp3Ɣ7J+&,dPiPfxx'*4@@’Зvze'f+bG+-ofrKcKb!e)0 D4@_pMM-Ns4 k}{Z3PFrz39Z3'uOV1V!CҺ렐Y<60A%*0=Njh7xݛ߽{ 8V}*R]Cg@%.T|86"8=XV՛-˺^ZRwcmOai5[dP=b1Ӭp>>S[^!d{2,uYb= MY`rY)qAa)-GҺBǮCcHJGdJd9g^L?J2hU ([J+S4MmQVg=Ap9f"gH Hy ˦?NQNΨȪG*sf;vhU*RXMXjISV͋R[a~xnHeS٦̈́x WpD&ܕX~|%}RR;ƘC<⌌yiXdp=Xڶz}y\D nmW\9bn,)&nߴ#GxI~Srg+ǹ<WΊ~(!OLW- })ٙsŘm!<̻l5i35{~Eџ|H}7"CwC'SwclFID[# 'ƚ ܸLQB[Bŭ~]\9,6;@&% H c ] scHJYLi/ Բw*s|s5)#hG9VE/T¥:O /x[d,%]ؼl|׫rDCoںvơ>}#o$< > 6~vUUf߲-@L,-t Wk #w"3~qvElʳB%t;CP!u螒d¬Sei^!;Wã:/=;c=4"=$q;O] b%ʮ~PpiRӓarT_Xf wg䥙8e\unIe/'E?^:l~aϜo6gW~_6pHZIC(mYXAK?G(Y.g3n(KH -&+&U 8+ u0Qe)Uc8hݣ(A{C4E,C~ȱD2|yű -hЄa{5>ԚuߑG= Qa5x=q<}-!i8VPHlr}" CV3v" Q<;9}B,)C |Gf=gBosZ^cɤ􂟜Vzg CC48&"5k\{}|mihaᕃʏ3՞s9a`4ls;zc?r@zEa~i12Z>V%kV7\{WLݡ/鸗(`Z5lMsk< ׇ0r+i\1׌(Cֻ͓8"y6ПPp9R;hO45:5/D>tPH]G+:0ݭ Hz:ز DQKbXLB}N y6k6󧤫+֖kIgvGI Gpu[8gW9J%W_ʯ:0wUbR"ͨT" p,;mX)zfktO <.ČԗBtOkˆ?S5[%'Uq#;tΠW^dOe0!Y:hR(<㥡Hĺwe**JYP͒:'B.{WDWא25i2T|1ZM_щ^Q;t*im1LsfgH09 Q4Q#WAN8u>Q+Ӻ,Xt(WīC[D} 4)xw*W5RG;v/b!uP]/%W+ 1E\Drgm4 ?rPce .NtO*tq>)>T~ za֥t2It}iEHv!zw!)qbM쩘t|իt*\hu7J!<5a#'fȟ'PкϔrgoW.Nv4mk&q3y n.JQ)Vc!HmXz3hq5}S MwE!Zq/Z.3J -U1L %Y"O(%6)VLJPf>g7w!D wzx7l&VYH8rJQ&D I?(-˴< _N0<ˉ)S/uM_Egz=c|_|[S*vM68UxDe@0G z8EZ&6xP'BQ{,pFÔ<7J,Ӫ(ȖMf+ҏ%f wa <Rycc 1{/i E'ziеF'Q r} zע9־啾_%bQJ Ze'' )A*=D>DĐVQ*jXvGCf ޔj+-WRcnC; B V^kCȐS*v:1ΝP=80eiȤ"u!] 0e;Ձѩ@TsQ򨕑x)TmO,gP;%<\{ΉJT 7B[;@~}]-f9f!Y9? .wHDzLYtx%N6㍩Cᴫ<"}'^+58 : cT)+N ytȓCZ~Gݡ"XV 4җWfGk^h>xJM!0Xr_S 0zC]\٪{lH=E?KlB-޵Dm<ЖՖR" Np(frc߈b}r/[oZb:`*ܟw4ŗȿp `WƩ";hwجֳ؎{!ϴED5*٧޹sc)%_d?._Zhcõ8*}~6o{f%u 2E39wK+hH ]fgm㺓Mj0"![Nz(~6Ҝ [6ߚ!P/Y3Ju*' *в c1%,+1n1[kyFɤ BEBe@϶o}?r bICK)ClnACxfqDF$?ZTp)+>c[NF&F!MfPZ$I [⻟HveBv箴GpGmآ|< gԟbͼ#+ GV5KݘF6jba0Os:lI' 3Ѡq9i&f#?b@wm}CLDa(;P\+^t GO^[#ב^)t=FCfY h㻙~,,Rdl>?W{Q2B˞xxXEO -{`H kV06]RN7~-hG (.4TolAI<܊+U(?d#Tob=ږJCMewJ#64 tY)EtXHER2"!!Y@77_nDGf +} jx gW3(l̨$Ժ~yVra\l%En8%a/0$3!0.􇄎pw$@SK9j󩫑Kl4*,Zц(lͰ7Vey:g จwmIjqk*#ނC}BO]"l!Bm_IEaI'OW]AzJc<Ê+hty%ڹQGTlFLvt3{6a#ȪNL o ` U cڶgY0%.&Z2y0Mi쟖x6>BzKh=bM$9+-^42^:bAlYnK@NaToj{lDʺ= lxzsC1S^9;i / e=ZP0` -rlS¦͜O.fYC=)NxM8cRrgkAPATBG /q:ktOZtЁlq|%|,X['NƷt /,_@̥ąĉXu:}Eڠݬ3%\csZ4VhNn0e3j \ɡCHϡi 7.aa4RjD.SN i8IlY~2ּZ ./􇑖YLF{ӟJ08D5-nͪ=h~KO_z5k(;vFȜHC ͈p bQ$lC4ۦsa3קRxOcց}y,!;osГ H| 32o,)\4 Mn;t/b^[$l4S UFL%:VT1|r9JtLH/}.8W~;)=UJ[Ns\ָ_& N%KB |#%ǦaiKi>,l6ju4r`n;zj|u1d@y zB$Aw!0)ێD'sH.PI1]GO*w˗Dd͞}BfTMBPBO(Q+W_yU\%A4Ҹռn|q6Co x؜S۵vP]D ֖ 9|ROzp_{r kjòz (oJ!.~ |+ٵ*X}ebZI̱zFU:|٦ ˌ^ ޭ1]m.r;)s SKTS :HGYB9Imq]i|k̩@qϱ05{uKAUDpbk pVnS_ \kdpr}}=#g#uzтi vKF'2g_CRգg]cXHHxwŁO/%di p.VXa_\q,5r'; ]k_%^yJo,k )7`ۦ7~9qPmqDS}?I8eѲ$Jj5 +LثxǠ^yD[kfi)zq 7/?VS*"0"9af=5ɯQ& j<Ʋ֯C/-#@\DŽ*x]5We&4lbc%kh)gZX/MQݖ2?}i|HB'Cdqz'>Bv 310WRcߌnlӍ3b=8gP\}Qf4D%U޸? ݪ$P0<a!'nuOwı:V MJio#Zq;fJ]9![8%~Nb._ bɩtx$7DqT^:&oK"<.)&S{6F4+E)yvoҟ$5jDlneEl9d LL?hH!nՎ &Io@MN5jW)5x j ()_p1uYWIlN3Nji +ѶLP;6'œUA[lY0:ah`%.O4 ^ k@\Z,Q>z;j:>B`D'-E‚H̯EOz_@Z4[ G*QGUl|'", Tg]b (gqKP""JrWf%{2ޚScQJwEXc]`A~uud"إG K䪒k74 ߨNigoM$/@!wv=5y+gI85 ôXHeG ;*Bgv&7~_S@Uq !1joLuVI?]$Ueڢ6'7~wGc߳nS x?qi&˪ӖMl|!7 HBֿyVa* 'B"9AI2Vؓ:++Qf&QӽPhkF2+g pX\eYAFAӃ}Cw18A^l?51s8T kǫJ㣌`w?!DV0CMlԌ?+ᝋے(y/e$>[烡5+12"Y@fgJjf6GWiׂ,N -녾A}kEiIx&E)n} w8_W-dp `?kۯGm)?4wqKц>4 Hwc;𞘉;RO4Blh@ _!*(QpZ+eX}X~:TņC㄁um_ ϵ;7y<4Y@X ҭR R#w@4+OKH&~X>>s8h_T$CVzUx;t aޞ<텪#T.WY`{!Nomj6j"c밲CB83` 3z.3'F 1ȸZӱϲRGeG[Қ<)^ں4M_~+5>/m%P:!e"b&uL"ldx( ,T |4Zľ4 L޿ 樦zB2Lp {Pn߱<4DJ.CRa+KL@xዡ\V1矩_N~Ċ9lK.ii]?bxͤQ~u*Y0Mbz)z%VUy(u5Ǚ,s#T 4/ȮXbHLÒ`Y8Bgʄu}v'T(YIX Syܫ!]Ԉo8BQ?wbr F=/7ʽN5. PS:0Yty)dܬa1脬FjcCj`MLYv\֯;J2 tC (]$_ay=~h8D6+ݾeȜz1UP] -I{F3r%/|GЮY@=GbVϧf7[ݺچםT(Y븧sRt:.YCђwޢ=_dZ=fg=qZ$MsF? \J0QU.$\B-)BE܈^ҷ= :\#FSB]qrx+ڶjyLSEpE#>\~o~^DgUۢWçɻዿ<@-RgKZ7=lA6dk_~M* ,ҘT%i0Gi٠ π~`zdLqP=BЕhi#|2mCPS?D +Z297YWeWxgQ` n&懚3'!߃og:Өdk-#/#upJlEFnMy(VNrUA;д@8SSl蛈uzKßS3C? 0$I|#pـ^zVGOf 񵝶[a|iP]B Qfky[ jc[ĵȯ(w"m] b#n!%~v/s]dÏjcm<?X2P+4/X8a_̈́ $gL p?zQxʌ4]Y\G zƑXNGۑ怣&jL6q PKC^WuښATSe-E'z|r2[#^}~'H\,v)tp/]*Q & Ti%F妿A:y{Jշ\P}aR0[ xE 4.kx֪HϞ-}BQt^T05WuhbZ,fQeH,V>0$&nbsM:ϹQw5ulʉ_GiiQi%D3M;M ]` pRi_gk Icؕ'Co4KpR>(TuU3hA$ gQ`5ӳD%"9Of"~߼R!G': Q64#me4f­]b|M͡%Ǎ2Q\O??-8M(DOsQAS4ۻ3A [ #keO| T @ũtm^Z-#e}OK;*m~ 675X 'Q4EӚ/ ܴ p}z?a[9/q["U@}51=YNbp3LǭhݞEFT$oJgnV='f#C|uSFGH@9s!8.9o\¯ M{HiLAm-P) mɎדi=yJYaTvPE26GdA3Ȣ2#4j pm!n Yv/9T#[IQBLy~po.'?uO]y. (boF"e؞6CUh{$S ӕ/Y>;](ĕmЇBP>.U ܱ|3p'sq&uJuw-7)"o*sxiwH"zBAga fܒy&vGMU^=fsMQR O)}Ϧx@})eާt7‡4b}:Dynw+k|3)=eNM:b 2w͵`X)ڟ7P^}@cI,{$C&Zft\}]DR(L4}՘VQ4*usG!K83p)Q4 7C_} 'ίeL% iȻ{7(7nV :߽^_:fxNXƇȜUK[9Ier>WgMgwr3%Py=evaW{)ԉ*<8w?/& U8fyZq)*)fq"hQbZ88ʈa1nDzb#5ȵ޼:(M Q.K*y#Ÿ*l !D̪]uܲzD}AD'.]a!r]'}&?]a3}D:99 WM[v|K7x%/@j<(aJ}^e3 VHv94ȤZ r&6 h.ݐWf|Ȉh w,U'apl1_ Yjd&DG\zQhZodz'`ԨZs dgWpbI5W%FU%~6Sm}8\ Σbށ{YQwK둿 ˚ S *5Ko-m"? GZ3b~3%w\0$̏G|? [ qKA9~ z:oi(0>6/n鲑\IVZQ{8#LI+5FSZ |a m_nugcB22O+/{ M=?ex}w=rbCJ5,H1eoM]:ۋB/gygJFKSFSI8hki ќxi`8x1;/PFcr]{ -UC˿ӎq?ǚ <^o>W> V[3.̻IÀ!,O^ܬ^oqػ&] bXS a"\|kI)/\ U:Q8?N R}4w8GR# D2k,[A=Q=\ UtM#OU{"[J,4FB ,[xzPKAdKVǰuC'c񹟪"tX)jCjLsyh5]C-Sde ,1fICtPdҧIQg !y퀓.C/pߘ`S_NP $*t,;Hwh|?fnvj` hLp8RZWV8<^r6)F戓F ɵ85.6R׉ݱ\$Qs~8rhV3d)띚sLCp[X$MGs"C6.+ei,M/l;g!qM մ*JA1viMv70WvrP15h"%,7̇,D]t 7L-L09oل;cU Z Y-kÛvdphe:d `'>hEs`xzWL`E"Y"6CccAӌ @E}1Rfp@㸔%*/|eB@ɖC9Wa(a&~W3k 6o>/i&jϖNӾq;Tu?$mAԛtMuLɡ^ Q&띝OOih‰ŋ8U-\E!/.OXjXgG(qV|15pg^F>$b(΁oDȴmw (բC9kIu0%k]+ڂqef:g,:+S>) g gWD_y"9fJ9zU@xE{kKn(oŸ :TkP8&]#_u8zif7Xe:gvͭ> ӳΉYW(s)qqe"|jT}b)e/3mImxq\l}kpAc2$^ΊZU Y:zPI0t\xO [?o(ɠ[wH"‰18:HҽpЁ$]">l18Ӆ{=b*Jt MO.4.Pu(Z+ IҶ7ru [Y@ɟp}ahwz~_YmT0 17J01Ref=֘(pMD#7?,!#:#K,48uҫkDJqU ‡\+r)fŲ$ M)ȫԖrum*[XTۼxqv(gU=%NcX杶%ێ:/9MqhhM]Fu9%g T~raJUw?3և[ )WkφOM?3L=#b72&gW7LDUNLzIm,p oHI_3zћ&lW}R߁; ̡$|kKϋV8fV)ݪM dE\L5꠸@-xq2-ׄoNP {w3̵'Sy/FV0HHӱ !Ҩ\H}ķڹjeXiIhH:‰7IMi#Z )t#%`茦dEi\ξRs(͝:TZ*p2kIS[!w4N{hTq V`fޮkʜ36:AOIpZH|cR ك 0ҎqzE:[f.,Uz^TP'Ԥ ěQ'l]Z1Psg-$XL&)Gi5gK6Q_v7LIdanhKncx,w:Z*S%P Tγlۡaʟ{4OA@ey64B 0 BmשoA*xW8N^yHMϚuVNJWE!?X3k鍬f5p8 Rb2yVATo"'\ :WDx %}=uf)r$F$tT`$<ܻv^KUGYvvB`T·|x`RZ]K6nm:T~~eg'L7"Jt/&v:do~Zf hv `l}1Q!Z1 I83Jw;o-ǒBuqA F=닦ٯ<ҕ9yO~B +ӾutW>ͿS%K/鮥Lt#͚e9'% mӻO2ċ*Q91OzZ_ {ȸ/##r_l ?'n7iL 2ԯoPu-;!D_eWLJ} g!AV8qnD x[I~tp@obj)kmʙXA& bn oRy^'VJˍ%{pZb3Ļ0*jaЈ `#UrH. ݕ?{^ P*k+@&YQ/ jvnws;UXy;쯳Crۙ$l^_S߻Y!Cƚ&61E25_BEj:z"<'_$ַQmsP /xYzJB'(u!YR,wp[r8-ʡNhm*fL_Hd 1uN 0a^Kw&nZ,@cZ`f`>YxptFs8[9@ &CAlz٬-θ,57d+a¤oWi0Z6)(s{Q"=or-Xo$DjCn541%tġћw{ ʼzȢ&qMdBQ=dNH*`vd97:n.ϴ?&JE7 ~)6EȻex)ț:ʈuq5xAͲm17UHC:1"3Fx)TN0PaNˊ[iܳaˈ$5#myoLzqk2 Cm9!04#Yq;XUvm7C&Cڸ+JRH1N:YEƪ{ңPN p]l"qƎ"wwQpf0pqꔖ~N 'iU-rW,*TwCޯr91-u ~ly~u(@^b!6V8JYs|.4 ,3}^h3!%M^8{_tj/I; I g̓}b.jlAd*龴vOy^/|v"+22?A} s 5*m6a^a%]/ tJN'QB7J&BWP#'+].- /R|WazU݃rQoA)aإҹZ*Qԗ-G#ϐ2:+q gYIde`ɥ {)o-NbuN9W{){ ~4? Gpi ^=+e>ڡi*}+B:h N&࢖\{3dL**Z%ylQUBo<* mwǑ2)B#ױGcڛ={ZE-熎maE}Kz{:>F0sSnlG:($"n^mpXP%w߳DBrxh!gnk.~>fmibqku;$JzW|:@Ct QKIRFҞv7cfHdZX%xOfc`'9OlƵA-^,.v'!5 t!y>&)PcwBx c:uTI5Q _ 9!buutb4uE*2貤95l},ku3.\(I\3GuUҨZ8wZW?n|νUH4 74@@]Z'i(hʫ]NW#pi0X`ҼV`]?@`+;#cE6t9 I 뿖V-z _}=,ݩoYLwf)wυ \PI*yfL1A\<݇qz'oeīu875YPFҍ٣I +B-n}Z(SɋUG Zk*6$%)#6DEjfql4g6蕅 ؠW:RZvXQ>v(֞L ?Pሲ+-Թ+ ̥8D;<%Ū-a#Q /@ZLjYIJc~D0ʊoL=Gu䶎q"~YަQ;Z̤ +a VTaVa{DЉoR_ު6)1bnFBDԒ)ez}ܿ^r갈uw'Y |]DwKlD"՚[t3_›&›>V]0HwC,LR @_PԓEݶa51Z0;pN|G9 s} !vM{e[oɒE΀@ @Uxqww=U P\o./}ރ:c !pOmLH4wvyYz3jcT<'θiQ_ἀ~90E%kSӋ/k6qn9fy]Hwn4TL2} ]"`can'.@\A !ֺF_-DodюbhFEkS]Xހ=.~8K!!R V7+hQt'.{/ i:ʮ^92NyvINbN2:jNYN)tߝ@Pxara[*bk|lW|aT"f7jS )ȴ'0 h sY31EM-a&Mŕ8$"4$wY:zOYεUthBN"S*Iͮ:R[ᶛ]S z}7e5\lO|GRg>K qBmt"6AwЖ)b %&'|15D|񩌭jY~&z,V[`*ø̳tX- 7Lc޽1^fab^DoWaϭaigďsS~yccY%V6=%HCuN&%|eNw4b7q.ݡ$IBٚ]2'_&mS8Rƪoury 8[b;d&e;M'dR}^BfD0' (F>(>Щ2?\I=hZd3M]+kLR#G'y^U(ԇ;U Ka]h ҕ󴀿.)ZYS^1=2sRf1!W̢hT?W/{o@)?OK]M5iЩݒŢDuJ^(ʲ^deVB)HH@myS񣏕 ֨HPnTUi,׃: yӢfT. M_eaeq%c\];C(%IhnDt7!xz]4`YV2f C5S,:/>I OL r>Yxmeo0-a=-At0H㸆Bi n/D.U\Dv7grORX< NNXav&!DVs6_UM^aNb䉟0`ϸF)KLu`J|v+dec,wn%F=:#Kk(EK)I.1Y۩eˢ*u5DrKS s;#3!/uuEMsz^sl2d7*ʭv//.`'4 <ۯ!Z."II7NwzlWTBoJNaz>Gl}{[c[ZrY#k剗p[1̧)źUk/HC #U*lx~[B,?ɁHfg>tD|B$Q/(>E2$ݓڶr?}/gQOu 7#xxVxR 7"X8;{PƱY;* 1$6A 7N'@pwL5rS <'/iz.a;w^ceCEĒ̆ lm>8+ė>vb= qwĆh)fQNTs#%lAkV߱R^T=C*T}1$d* aQ3u&xlYvm2['lН#QN&F$9چco$KH!k&M!@.@PLcO[ #YXg7 7Q=_V5>(* ZBw_7p]姇W@(C:rSt1Eq13@GT37"'r<88l R1!{s+9RUvKV:P[4Zl dJFX"..rx6 3Ap:yhSl&nbTU:%:kr@hKߔ m4!!Z ut;r ϳQ uf2_ z6Gf7a)}J/A`wSV R* ! A}dhD<8y,RV-/ '<ڤAI1~ ,~k2uz6MCCD#;rY+%<c\BxvX}j mWЂEpQͭ ;*V"=L2^zFsҕKSMU:*?,3ZU&2|':"RnEËM#> hN^zԻ$ugGRYoC@(MP#,5}|We|Sy.`D}jy8Y쩬9$Y1t/pf_BDpco+kQ b^k NC%.!e Bk!kxKw| %d"mۘmzWh?밡u Wld=r02։|N$g?Q1\jX -GM\ .=Kv0lr\ʇ#5ŮS LFfIA jIlXܱsiĪ^J;nk G)kQk3bOy&gw_c2]s%sα2"@djLQ8޴Fե:p;zaGxa(`&۬I=kIo=2~?NAB'S%^GpjXnEU݋"ÌrqXQ%z|r4> Vg|uM d` PܸҤSF\/b]|8FuJUZ,2~չT=z2?\v~M*X_@!i:E Ίm'bkvU.KFybG@h3bU%B0A -ILIǖo(K*y e:@0ib7A鸫K" )TS^u6q06;u-6ѝ{J=CÛN{h-ĀP!ǿy0PR4 FCP C;Š [< [*RbB`~/gCfQҮd<""hYbNb_:kWIip߉73,.qJ 5\ˡR}jvR߷oWo \$ε$b? $.74͢3V[ko})̨qd\MgE?^`,6k5վz,Iu\UA~<A]IFِ_>%Wͪl+YzIV /mQ'mȖ]V o VI /jX]=M؁x-5@FW|'ޢI&|dqwT]|&z@og)w @nN6)PLT/P k>Iq`/d6F$uE#R |.mIH$1d&TPKRyn9u Tκ(\?4u)Ѽ16<{qq)DiDǘo!yu)Z9TEbc Xd0Dy 8@j*Euc;1YiUW*U|~LWӵɽdZeI)X_@qH9t,7ܵ~k,N#AJe9zo8m(ߧ^2V.M{PvLAɓϚ>F4B U Tѷo d#'H(-ZNa #6qqز$*Ii(Y^{D*mv;gubqf$,O&Q\l4 xemDaY<:HǜK4"mY84)"wrkNjѤqR+j^@+ߜN.c /-.'qU t \qn!<}@1QĒS|c >f` \fo@_iNn?+ }<;"4x`-j#cFxWG-O~c_f&BEe=51/1JL)TZ^ELֽjWr3l!y^ӥ ?-2zNݹW}2_קN'w~O@<{|MĖ-!: ((4 0W쇷_,mCwą)ϵP;v/M<t#]hC]21g^ncnYb&q8.'بDbuMr ! _0CIOg/F@q.R%O !Db{^`Bl&Ǭ0V!nݑn\ӲT'B_;=9`rpy  jz'1q{0QSrAAM$hUB4L*9O8} K")*ޓ"]RJ73ԃo\xcM%WKo.#8}ƽ%sQ3\$%2mLq(C|ˁ^t8tO(SnN%Z0pΞWyphÚEJ -UxuM ش=no ƙaCW'`~v8 OYzL-sP8;_堢B S 4Ə\a+eBi,pGebo,erD oxo,/|svt6~c8*3c:4MG ލ.M c*= ³Qwq /Ͻ a%= s4=^nh} 6G(EXrx ;3R1J6YbfA+Licm;{v~{_`< ی48] &A54ҏ-I4Y|D ?IqŢ7o㪾WrflQf\~n8"e`|V9&& m5EJe"lq`<0!sdۓ>A0ɟ{'HgJ|wG)cSnǘpX 5:E0UYHLY6AqD߈HHTt"⪕NV6hq~9B vC$J@t`f!B`wFYu-  ra#<NKCR[ d,7FC^1>[N[bc y ۫E?4N{(c.6skյ+ l$?BL1zX)V v\@G0kյˆ`a -m\@_D_,le`.NQ@m:'028d²UEonT_AL \Ѳ8nepOcKP#(+b^F}Jmms)o#:oEX}P* {porpO.⤒idA?ls&4e2*ܪ=?@Gv~X~@PHCϤksTT\fl_0j!'\\Ffaa2 $9? u[kzCs60@S|&}M )ZЍJ:Ȁnn#O1 y5 T@ԸT'Uɘ̮n+$:dž8wEݧ۰Ua}K.Z S%~OGv?hW8uj!F{5eј^N0]7+a" mͱ12|, iRVMz Z8vz̮far͔#886$:k1@]l) * !Ba`n t|(ڜHN|(iY@I_)42LN}cݮ)k"yP/8A},?<23@2>h.eӽ\v Rk:՗N魸׹g\7I.:OWi`kDoйhB"I.xl{Q=fdQG.`jM5%4^cW?vKJʠ&W:eSMa"s]ț+tfxP0 eF^kttmzDK?XwrگNS޾^<:ɠI\ Vo Ef~?w?"`"hÇ>r828| 6'7PfIJ;׽CQn)U^ _K{*,1r H::ωԬ0([/M]9KŮdH]|\g|lU\$0{r"J+u}KF;g._RߖL|8d"-o ~wLWJ2s#l#@aƞa0ϟBY]Pn ө ]}(8V8^3z=1fVks߻ciTs90?Ay񐽹aѷuf?r/@V6u<ʿJ󨈁:|鲫^Rq4DQ?c_$x7yyvȓ\5s6fʰ*{ch<>ߡ.J 4NCut v|jtX ):|:xk1>z(jyXӿP(kv`IzY ?oqdnM,"(n+FN*2~vضa\E]ߟS s}+w-'`/G3t"ILa1b @( y4L5~[YcYZW2Kc.@{rYac?֗KW̯&t;enc@sH[GSGy`v\g@\nj)w }"*m7tbapsV~0 UBAɹ]Y |8z3_d%S 4 RJA!i$JF\{nF8].RڹvYMǼ{nɨ3 ([ '#3 .,  qdTR4bDqw?0|x}"fk[K̲aȹ'}ꅕclƝ@oWr|H׈uFYjE>`m`CA9q1XlZ3ӒF\|@xzdTrۜRYVҺKD?ٻ Q'O m ( -LI&{:1^1Σ HDm;yeCR]c\%FU]Pwz|s9IWa"CLy!icT䵚b W45lj"=K1PON{R%ҌHRU'gN;^v!72ǎt͚eDVQtІ=fYѯEQxa:™be>=(#eJ| ɠ IKM x ,OoގMۺ|JΊuf[K;_>Q~^$3k0H-_ܿŶVG"=p Co-@WL*LDAp}}^gGPֈ_~LR^qH{Eؗۍ-Bfd'PcKK}2'+hvqWy 5Hu^~X/b֦O;MC6%MO'hNm Q\ckA7"^{u&hHG)ϜؓzYܝLyYҶAvґW YZ