krb5-plugin-preauth-pkinit-1.12.5-22.1>t  DH`p\@`/=„Q(! ->v2:V>[\nJم9Br./9ơ _8KZZf%F =mGuҰ Xº֍vUcWvd7 ҋ~@^qLC"f?ay|i!3#툪+hP ,$EΏ~`B̩FcQݖ(ikԡp0Rc *nEw΄|z;CcIoF\5Oj.Rr` f"݊be6a83c2ae7e7dc9e74922bcd591cc743f2b5a58V\@`/=„@x e9goLǛcBP[@ Lj=oy)Y3ΆVPu)\QlK8NQ;|{7}>;1#cK q/~ t1%e8.) ;c1Wj|--w_gBϊc9%IC,ǿrty$EFo(}?m* - '7\ b%iԺ P8(3hچ=Dd}zOH֪">:X<?X,d$ ) ]04<@S\` y      0DXt`(8Y9Y: YFTGTHTIUXUYU\U4]UD^UcbUcV\dVeVfVlVuWvWwWxWyWzXCkrb5-plugin-preauth-pkinit1.12.522.1MIT Kerberos5 Implementation--PKINIT preauth PluginKerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of cleartext passwords. This package includes a PKINIT plugin.\@>build77@openSUSE Leap 42.3openSUSEMIThttp://bugs.opensuse.orgProductivity/Networking/Securityhttp://web.mit.edu/kerberos/www/linuxx86_64@AAA\@4\@4\@6\@6cec748a1e1cacaa2a13dbd0af847f7f8rootrootrootrootrootrootrootrootkrb5-1.12.5-22.1.src.rpmkrb5-plugin-preauth-pkinitkrb5-plugin-preauth-pkinit(x86-64)pkinit.so.0()(64bit)pkinit.so.0(HIDDEN)(64bit)pkinit.so.0(pkinit_0_MIT)(64bit)@@@@@@@@@@@@@@@@   libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcom_err.so.2()(64bit)libcrypto.so.1.0.0()(64bit)libdl.so.2()(64bit)libdl.so.2(GLIBC_2.2.5)(64bit)libk5crypto.so.3()(64bit)libk5crypto.so.3(k5crypto_3_MIT)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libkrb5support.so.0()(64bit)libkrb5support.so.0(krb5support_0_MIT)(64bit)rpmlib(CompressedFileNames)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsLzma)3.0.4-14.0-14.4.6-14.11.2\4[Z@ZH@Y@YYY@Y@Y.@WWE@WwW^@V@VwVVA@V0U@U.@U.@TT$T!`SS;@S@S@SK@Ra@R@R@R Q4Q@@Qn@Q@QQU@Q}@Q]k@QZ@QR@QLGQC @Q7/Q4QsP@P}L@P}L@PyWPnO؀OЗOF@OJO'NxNxN=@N=@NHNNS@NP@NNP@MMlM6@L8LeL|L|L@LT@KKŮ@KK"@K@K@KK&(JJ@JY@J&eJ @Samuel Cabrero ckowalczyk@suse.comhguo@suse.comhguo@suse.comhguo@suse.comhguo@suse.comhguo@suse.comhguo@suse.comhguo@suse.comhguo@suse.comhguo@suse.comhguo@suse.comfoss@grueninger.dehguo@suse.comhguo@suse.comhguo@suse.comhguo@suse.comhguo@suse.comhguo@suse.comvarkoly@suse.comvarkoly@suse.comvarkoly@suse.comvarkoly@suse.comddiss@suse.comvarkoly@suse.comckornacker@suse.comckornacker@suse.comckornacker@suse.comckornacker@suse.comckornacker@suse.comckornacker@suse.comckornacker@suse.comnfbrown@suse.comckornacker@suse.commc@suse.comcrrodriguez@opensuse.orgmc@suse.commc@suse.commc@suse.demc@suse.demc@suse.demc@suse.demc@suse.demc@suse.demc@suse.demc@suse.demc@suse.demc@suse.demc@suse.delchiquitto@suse.comcoolo@suse.comcoolo@suse.comcoolo@suse.commc@suse.decoolo@suse.commc@suse.demc@suse.destefan.bruens@rwth-aachen.demeissner@suse.decoolo@suse.comcoolo@suse.commc@suse.demc@suse.derhafer@suse.demc@suse.demc@suse.demc@novell.commc@novell.commc@suse.demc@suse.demc@suse.demc@suse.demc@suse.demc@suse.demc@suse.demc@suse.delchiquitto@novell.commc@suse.demc@suse.demc@suse.demc@suse.demc@suse.demc@suse.demc@suse.dejengelh@medozas.demc@suse.decoolo@novell.commc@suse.demc@suse.de- Remove incorrect KDC assertion; (CVE-2018-20217); (bsc#1120489); - Added patches: * 0115-Remove-incorrect-KDC-assertion.patch- Fix for resolving krb5 GSS creds if time_rec is requested 0114-resolve-krb5-GSS-creds-if-time_rec-is-requested.patch (bsc#1088921)- Fix CVE-2018-5730 and CVE-2018-5729 with 0113-Fix-flaws-in-LDAP-DN-checking.patch (bsc#1083926 bsc#1083927)- Fix a GSS failure in legacy applications (bsc#1081725) with patch 0112-Do-not-indicate-deprecated-GSS-mechanisms.patch This upstream fix supposedly fixes the issue resolved by the previously released workaround done by 0111-gssapi-assume-that-mechanism-from-acceptor-credentia.patch (bsc#1057662 bsc#1046415)- Introduce patch 0111-gssapi-assume-that-mechanism-from-acceptor-credentia.patch to all legacy GSS client applications to workaround compatibility issue by setting environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value. (bsc#1057662)- Introduce patch 0110-Fix-PKINIT-cert-matching-data-construction.patch to fix CVE-2017-15088 of bsc#1065274.- Introduce patch 0109-Preserve-GSS-context-on-init-accept-failure.patch to fix CVE-2017-11462 of bsc#1056995.- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf in order to improve client security in handling service principle names. (bsc#1054028)- Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543)- Remove main package's dependency on systemd. (bsc#1032680)- Remove unneeded prerequisites from spec file. (bsc#992853)- Fix CVE-2016-3120 (bsc#991088) with patch: 0108-Fix-S4U2Self-KDC-crash-when-anon-is-restricted.patch- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch from rev128 of network/krb5 (bsc#982313#c2)- Remove source file ccapi/common/win/OldCC/autolock.hxx that is not needed and does not carry an acceptable license. (bsc#968111)- Introduce patch 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch to fix CVE-2016-3119 (bsc#971942)- Upgrade from version 1.12.1 to 1.12.5. The new maintenance release brings accumulated defect fixes. - The following patches are now present in the source bundle, thus removed from build individual patch files: * 0001-Fix-krb5_read_message-handling-CVE-2014-5355.patch * 0001-Prevent-requires_preauth-bypass-CVE-2015-2694.patch * 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch * 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch * 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch * 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch * bnc#912002.diff * krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch * krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch * krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch * krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch * krb5-1.12.2-CVE-2014-5353.patch * krb5-1.12.2-CVE-2014-5354.patch * krb5-master-keyring-kdcsync.patch - Line numbers in the following patches are slightly adjusted to fit into this new source version: * krb5-1.6.3-ktutil-manpage.dif * krb5-1.7-doublelog.patch - Remove krb5-mini pieces from spec file. Thus removing pre_checkin.sh - Remove expired macros and other minor clean-ups in spec file. - Use system libverto to substitute built-in libverto. Implement fate#320326- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character (bsc#963968) with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch - Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request (bsc#963975) with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch - Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask (bsc#963964) with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch to fix a memory corruption regression introduced by resolution of CVE-2015-2698. bsc#954204- Make kadmin.local man page available without having to install krb5-client. bsc#948011 - Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch to fix build_principal memory bug [CVE-2015-2697] bsc#952190 - Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189 - Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188 - Fix patch content of bnc#912002.diff that was missing a diff header.- bnc#928978 - (CVE-2015-2694) VUL-0: CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass patches: 0001-Prevent-requires_preauth-bypass-CVE-2015-2694.patch- bnc#918595 VUL-0: CVE-2014-5355: krb5: denial of service in krb5_read_message patches: 0001-Fix-krb5_read_message-handling-CVE-2014-5355.patch- bnc#910457: CVE-2014-5353: NULL pointer dereference when using a ticket policy name as password name - bnc#910458: CVE-2014-5354: NULL pointer dereference when using keyless entries patches: krb5-1.12.2-CVE-2014-5353.patch krb5-1.12.2-CVE-2014-5354.patch- bnc#912002 VUL-0: CVE-2014-5352 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423: krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token - added patches: * bnc#912002.diff- Work around replay cache creation race; (bnc#898439). krb5-1.13-work-around-replay-cache-creation-race.patch- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal - added patches: * bnc#897874-CVE-2014-5351.diff- buffer overrun in kadmind with LDAP backend CVE-2014-4345 (bnc#891082) krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697) krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch Fix null deref in SPNEGO acceptor [CVE-2014-4344] krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch- denial of service flaws when handling RFC 1964 tokens (bnc#886016) krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch - start krb5kdc after slapd (bnc#886102)- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674) similar functionality is provided by krb5-plugin-preauth-pkinit- don't deliver SysV init files to systemd distributions- update to version 1.12.1 * Make KDC log service principal names more consistently during some error conditions, instead of "" * Fix several bugs related to building AES-NI support on less common configurations * Fix several bugs related to keyring credential caches - upstream obsoletes: krb5-1.12-copy_context.patch krb5-1.12-enable-NX.patch krb5-1.12-pic-aes-ni.patch krb5-master-no-malloc0.patch krb5-master-ignore-empty-unnecessary-final-token.patch krb5-master-gss_oid_leak.patch krb5-master-keytab_close.patch krb5-master-spnego_error_messages.patch - Fix Get time offsets for all keyring ccaches krb5-master-keyring-kdcsync.patch (RT#7820)- update to version 1.12 * Add GSSAPI extensions for constructing MIC tokens using IOV lists * Add a FAST OTP preauthentication module for the KDC which uses RADIUS to validate OTP token values. * The AES-based encryption types will use AES-NI instructions when possible for improved performance. - revert dependency on libcom_err-mini-devel since it's not yet available - update and rebase patches * krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch * krb5-1.11-pam.patch -> krb5-1.12-pam.patch * krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch * krb5-1.8-api.patch -> krb5-1.12-api.patch * krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch * krb5-1.9-debuginfo.patch * krb5-1.9-kprop-mktemp.patch * krb5-kvno-230379.patch - added upstream patches - Fix krb5_copy_context * krb5-1.12-copy_context.patch - Mark AESNI files as not needing executable stacks * krb5-1.12-enable-NX.patch * krb5-1.12-pic-aes-ni.patch - Fix memory leak in SPNEGO initiator * krb5-master-gss_oid_leak.patch - Fix SPNEGO one-hop interop against old IIS * krb5-master-ignore-empty-unnecessary-final-token.patch - Fix GSS krb5 acceptor acquire_cred error handling * krb5-master-keytab_close.patch - Avoid malloc(0) in SPNEGO get_input_token * krb5-master-no-malloc0.patch - Test SPNEGO error message in t_s4u.py * krb5-master-spnego_error_messages.patch- Reduce build dependencies for krb5-mini by removing doxygen and changing libcom_err-devel to libcom_err-mini-devel - Small fix to pre_checkin.sh so krb5-mini.spec is correct.- update to version 1.11.4 - Fix a KDC null pointer dereference [CVE-2013-1417] that could affect realms with an uncommon configuration. - Fix a KDC null pointer dereference [CVE-2013-1418] that could affect KDCs that serve multiple realms. - Fix a number of bugs related to KDC master key rollover.- install and enable systemd service files also in -mini package- remove fstack-protector-all from CFLAGS, just use the lighter/fast version already present in %optflags - Use LFS_CFLAGS to build in 32 bit archs.- update to version 1.11.3 - Fix a UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443] - Improve interoperability with some Windows native PKINIT clients. - install translation files - remove outdated configure options- cleanup systemd files (remove syslog.target)- let krb5-mini conflict with all main packages- add conflicts between krb5-mini and krb5-server- update to version 1.11.2 * Incremental propagation could erroneously act as if a slave's database were current after the slave received a full dump that failed to load. * gss_import_sec_context incorrectly set internal state that identifies whether an imported context is from an interposer mechanism or from the underlying mechanism. - upstream fix obsolete krb5-lookup_etypes-leak.patch- add conflicts between krb5-mini-devel and krb5-devel- add conflicts between krb5-mini and krb5 and krb5-client- enable selinux and set openssl as crypto implementation- fix path to executables in service files (bnc#810926)- update to version 1.11.1 * Improve ASN.1 support code, making it table-driven for decoding as well as encoding * Refactor parts of KDC * Documentation consolidation * build docs in the main package * bugfixing - changes of patches: * bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif: upstream * bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif: upstream * krb5-1.10-gcc47.patch: upstream * krb5-1.10-selinux-label.patch replaced by krb5-1.11-selinux-label.patch * krb5-1.10-spin-loop.patch: upstream * krb5-1.3.5-perlfix.dif: the tool was removed from upstream * krb5-1.8-pam.patch replaced by krb5-1.11-pam.patch- fix PKINIT null pointer deref in pkinit_check_kdc_pkid() CVE-2012-1016 (bnc#807556) bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif- fix PKINIT null pointer deref CVE-2013-1415 (bnc#806715) bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif- package missing file (bnc#794784)- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc (bnc#793336)- revert the -p usage in %postun to fix SLE build- buildrequire systemd by pkgconfig provide to get systemd-mini- do not require systemd in krb5-mini- add systemd service files for kadmind, krb5kdc and kpropd - add sysconfig templates for kadmind and krb5kdc- fix %files section for krb5-mini- fix gcc47 issues- update to version 1.10.2 obsolte patches: * krb5-1.7-nodeplibs.patch * krb5-1.9.1-ai_addrconfig.patch * krb5-1.9.1-ai_addrconfig2.patch * krb5-1.9.1-sendto_poll.patch * krb5-1.9-canonicalize-fallback.patch * krb5-1.9-paren.patch * krb5-klist_s.patch * krb5-pkinit-cms2.patch * krb5-trunk-chpw-err.patch * krb5-trunk-gss_delete_sec.patch * krb5-trunk-kadmin-oldproto.patch * krb5-1.9-MITKRB5-SA-2011-006.dif * krb5-1.9-gss_display_status-iakerb.patch * krb5-1.9.1-sendto_poll2.patch * krb5-1.9.1-sendto_poll3.patch * krb5-1.9-MITKRB5-SA-2011-007.dif - Fix an interop issue with Windows Server 2008 R2 Read-Only Domain Controllers. - Update a workaround for a glibc bug that would cause DNS PTR queries to occur even when rdns = false. - Fix a kadmind denial of service issue (null pointer dereference), which could only be triggered by an administrator with the "create" privilege. [CVE-2012-1013] - Fix access controls for KDB string attributes [CVE-2012-1012] - Make the ASN.1 encoding of key version numbers interoperate with Windows Read-Only Domain Controllers - Avoid generating spurious password expiry warnings in cases where the KDC sends an account expiry time without a password expiry time - Make PKINIT work with FAST in the client library. - Add the DIR credential cache type, which can hold a collection of credential caches. - Enhance kinit, klist, and kdestroy to support credential cache collections if the cache type supports it. - Add the kswitch command, which changes the selected default cache within a collection. - Add heuristic support for choosing client credentials based on the service realm. - Add support for $HOME/.k5identity, which allows credential choice based on configured rules.- add autoconf macro to devel subpackage- fix license in krb5-mini- add autoconf as buildrequire to avoid implicit dependency- remove call to suse_update_config, very old work around- fix KDC null pointer dereference in TGS handling (MITKRB5-SA-2011-007, bnc#730393) CVE-2011-1530- fix KDC HA feature introduced with implementing KDC poll (RT#6951, bnc#731648)- fix minor error messages for the IAKERB GSSAPI mechanism (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)- fix kdc remote denial of service (MITKRB5-SA-2011-006, bnc#719393) CVE-2011-1527, CVE-2011-1528, CVE-2011-1529- use --without-pam to build krb5-mini- add patches from Fedora and upstream - fix init scripts (bnc#689006)- update to version 1.9.1 * obsolete patches: MITKRB5-SA-2010-007-1.8.dif krb5-1.8-MITKRB5-SA-2010-006.dif krb5-1.8-MITKRB5-SA-2011-001.dif krb5-1.8-MITKRB5-SA-2011-002.dif krb5-1.8-MITKRB5-SA-2011-003.dif krb5-1.8-MITKRB5-SA-2011-004.dif krb5-1.4.3-enospc.dif * replace krb5-1.6.1-compile_pie.dif- fix kadmind invalid pointer free() (MITKRB5-SA-2011-004, bnc#687469) CVE-2011-0285- Fix vulnerability to a double-free condition in KDC daemon (MITKRB5-SA-2011-003, bnc#671717) CVE-2011-0284- Fix kpropd denial of service (MITKRB5-SA-2011-001, bnc#662665) CVE-2010-4022 - Fix KDC denial of service attacks with LDAP back end (MITKRB5-SA-2011-002, bnc#663619) CVE-2011-0281, CVE-2011-0282- Fix multiple checksum handling vulnerabilities (MITKRB5-SA-2010-007, bnc#650650) CVE-2010-1324 * krb5 GSS-API applications may accept unkeyed checksums * krb5 application services may accept unkeyed PAC checksums * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums CVE-2010-1323 * krb5 clients may accept unkeyed SAM-2 challenge checksums * krb5 may accept KRB-SAFE checksums with low-entropy derived keys CVE-2010-4020 * krb5 may accept authdata checksums with low-entropy derived keys CVE-2010-4021 * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery- fix csh profile (bnc#649856)- update to krb5-1.8.3 * remove patches which are now upstrem - krb5-1.7-MITKRB5-SA-2010-004.dif - krb5-1.8.1-gssapi-error-table.dif - krb5-MITKRB5-SA-2010-005.dif- change environment variable PATH directly for csh (bnc#642080)- fix a dereference of an uninitialized pointer while processing authorization data. CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)- add correct error table when initializing gss-krb5 (bnc#606584, bnc#608295)- fix GSS-API library null pointer dereference CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)- fix a double free vulnerability in the KDC CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)- update to version 1.8.1 * include krb5-1.8-POST.dif * include MITKRB5-SA-2010-002- update krb5-1.8-POST.dif- fix a bug where an unauthenticated remote attacker could cause a GSS-API application including the Kerberos administration daemon (kadmind) to crash. CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)- add post 1.8 fixes * Add IPv6 support to changepw.c * fix two problems in kadm5_get_principal mask handling * Ignore improperly encoded signedpath AD elements * handle NT_SRV_INST in service principal referrals * dereference options while checking KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT * Fix the kpasswd fallback from the ccache principal name * Document the ticket_lifetime libdefaults setting * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512- update to version 1.8 * Increase code quality * Move toward improved KDB interface * Investigate and remedy repeatedly-reported performance bottlenecks. * Reduce DNS dependence by implementing an interface that allows client library to track whether a KDC supports service principal referrals. * Disable DES by default * Account lockout for repeated login failures * Bridge layer to allow Heimdal HDB modules to act as KDB backend modules * FAST enhancements * Microsoft Services for User (S4U) compatibility * Anonymous PKINIT - fix KDC denial of service CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781) - fix KDC denial of service in cross-realm referral processing CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347) - fix integer underflow in AES and RC4 decryption CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) - moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl- add baselibs.conf as a source- enhance '$PATH' only if the directories are available and not empty (bnc#544949)- readd lost baselibs.conf- update to final 1.7 release- update to version 1.7 Beta2 * Incremental propagation support for the KDC database. * Flexible Authentication Secure Tunneling (FAST), a preauthentiation framework that can protect the AS exchange from dictionary attack. * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy. * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 -- various vulnerabilities in SPNEGO and ASN.1 code.build77 15477376621.12.5-22.11.12.5-22.1krb5pluginspreauthpkinit.so/usr/lib64//usr/lib64/krb5//usr/lib64/krb5/plugins//usr/lib64/krb5/plugins/preauth/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:9482/openSUSE_Leap_42.3_Update/e09c4136424427ad9b014757de6e7b57-krb5.openSUSE_Leap_42.3_Updatecpiolzma5x86_64-suse-linuxdirectoryELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=766490214681de348fadcb63d6b7cc56a4b8c155, strippedPPPR R RR RRRRRR RR RRRRH94N9P'?`] crt:bLLDM^HA2qF}`RDH+~Vw|2냓ՃDW2|-.#td¬bk <7dinC9wsW$r,wKW?*a ļ'Jt 䝎f12{-o,,ο틚^i_ ?n64(0?cFET"f+ka IFх_J XMx#h9];D1zF!9K.Lj)̰vR:k$"jovDqh1wss#jIw+;} قhfu- ShB 6)(o6|DG #*2+BeJtKĶ"{y:6aV`⚬#6B g=Nȴݨ+b6&օ}mpɗ HwwӣUL}P%HFcwG~##dQFݕfXh:ra{cl[ؐb^(I~P^eޗbK.pCW!Q|E<^xT"a3 jihvIP8Pl7A,jQ `Ç#64)L;*ŌD+L6]/(vF:ب<5))*1hQY>y=tiUsOcT4cAT kelidƚֈq}7hIj[Rl$.e,F@.8'hcK1CiUO}d=Ǔ ^.vNF'8>.kub#r{G3KKa2c&-l |fRZfh9{*2DaSִ?bk 7)h_u9O/֓`=ˢ0Qi%0PN:JR}ܤ-0Yk0Cч<8tX`D0f?ؔqi -Om&Ff 8 i\:s&Vk# 6U,h,?є偫F$GMnI41sqDj<,cc2CdIcPu􆋩0RtڐYPxPzD>м6ꅚn?YTCWMBe\vOJ9W4l,paK}I:Fp hdOK+GdH,m6ʬsRt%/~)F ,(>v<}Xnr˪jxQϦȰa#;}]9H c:G mpbTӫ߈*/I$I%ܣg\fҟ~T6jP7?kC8n6^,YtNz. Z%ioM8H%l`lԊ=28vv˦Z$E{)!KD(?ȈMj&tԼqX㇕ڡMOnY,n HLs=j-2`WxASm[|FyTe[9hY_ACg ֙ϧHqDÂqa,szk6ևha/&$0`kͬT<= iÃ"lx*nrR#FIIV`_?vA`HO#v6uu؃wR8*D'ۛH$95:'k 4ťTuUNDuWB]g^vS=wy)ܿD=CaeRz*5N=N@͆q|JI("TnWkA[Z~&],z+ѕ)Ej6:6,Ja#w_-s#QK7uOzf*5 k1vvD!ix(Uo}AtiM |ц/EhRbR`vSD_]&o* ʾ}-)r0T4!lO෕t&u +OY%X~"R&+pXXoh ⦨Tb'%ry>! $ŒۮYw!IUdPuAb9bovhvhwtht'k7|80m7fPB9ڮـp-!NZ~ZtICb+.T[Nu,t M`54ȭ7Уn7t l^X}oyhaK -N=(}if%>CoeydR4%[_8_%@%1+y +yAPS+@j.zW`bu W,"֜ToBʲ߸X,\ZvݫcZ#m3Mc[CczۖQc×{V:XiO%"ct^ g4t刋],Lxqw8m'=»> G0Cū #,o3EX גh~)༳+_;ZjŨCTwK } ϲ#g(?6ihS6fFUX/Q\ ^9W@/s%}^T(n",I+,8"8Q=u |7Ѱɇϭ](Z[Y?t4y3.BaqQ,/oZW[E̱߻itKCVd^o.Ik:j^s^\pn!\؅">9R~ _ny๔4q$5@&[Y:"J_oCH,A +f5QJمH~PWXa83hxBJ2oS:M]C p9m)a%%I~]yQA-'@rl끥<Чm^xyI[ޯ:A2'}aH`J GD[{igd`EQqBh5E?v!_=E 'ʊ\|aS\d0UVSǍ=kR`63_6Q4,* Sh<%EFL-nL^Z= `ޜHZWih_7X,jW_=epHKYz)ƣgڮ$4+Ovgt$MNh;M__glQS_1Gь,ϩ?%&$VDp`x|ǽl#S`g 6j4@+q]gətN0K{u.`d^%n7wRgXǏe,IkgI0zU::{sKXMa33=.C)el\)܉'֛/=R5y,_:}sGۅMl3,_[^F,B]LnX ,4tAɵ-O:;wZ@䍗SV"8$IςK  lo#^j  +F'n2‰' ~Oc /Y;vVXϬđ4A+қT}M@$1%V oj}KI?GvJlgŬ#{IepI#8!yS + gL Rr(*29G/`.Y$F&bWŒAuL;q)`cF@l-)'#υA.#z>ݜ ݸ6M؀WXV)Zf|ŒRDF+R{0Ĥ&:ۓk?IB)sNoxMƉO)kXYny 6Bdas _\JV@҈ڡ@tQ\F?F?] w=HZQ9ZJo-&)JkZV=5mj)N c܎:8ۑx7-?LBVF_£'p/c`'?]y##QL>cmOq>яJ$}"+ ԡEqj48`~n%zs\L[H xs`t'VZ|qCF_ f_(pHv6ss~ >(Mx@?wqd٢ ;{L2א?3a9?7 pEz6VdZK{o$h(R@s! S{ EY6xDJ%YSbv:cii|_ .$K~uQN #\WRG/qcLTü=;LS_0$ol[LE/~w=7V$ZUOytDw%o;>&o=}_02Y-e؁p+#xa oZHVr-F2y%K~#=,)VZUw3 s~[ymfmo`r_a^.k3O @3$5'yR뵬 S4-a;q; ׀j381yҶ@IDrjԷ@;RVo@:]MFͬ˒ij*ځQ'nVI ^ƽ߇NK PU O(*L\;hE,ՋcPwA#@H(ʤ_d-ñ}҂2}2Ey=OybIFQa)yW OBg043>^3זr٬儆SHk:NysNԅL6zu휑`s:Ԡʿu",ޙ`Xrr EF/+oQ E >k%;#E)cDq߹(tJ\?*mP2*$5>I` YRxJC$H%wHuXmѪmV5MۀUľ~K{8 իa4XRVRB^y/f!VPD tx K!VJŠՏq8r5 .hgoL\f<@|g0(fh`Czf\{w8Y8$=?d#GQB1WLs7U:;McT!6h0 i}Mn`RTw-8Un9 ^v2Llh5ݓEi/^wyu ap2M e;Sr!I-O)q(|R:e,1 J [cܴ 4gYMB8FDW")zwe D7$vB p:X ,62a 1SJSb[H r`̛b{e ಃ^"g79ƽA53hWYJy9|lKǢ1/?z _ |p$VW~2YSWxvtƴh)Cy6K1& Y<2o{ ×M_MR߱iQߺڋMI̫xs$sȯUpN{8Gyx)+t$8bQ]]"xmE qkǙ 4TC'l$k~ju?$P&쀓aq2Vz׵(|Mn{!0mllKru\Bn d|<=dDI+!OI郂'jwG:ܝ#*ccڙFǹ"6ލs㒑ކfoK:ş= 8o84`ň:ʐViUOPx1䲥XTj/Rҁ IO(sUx́wa,21ᓤ>Hn@n䖼ټ61"?ǡ f$4-R>k{s6Z$/l@(xYNJ4 Fʠr+1TqC-}=OXi~ ;Y>N3< 9.ǐ)2f+&#`㫑pŅlzZE>+̞dtfVaFƶ=Xri1 H>FO@ w#]'=z>WpC_[#n L0յQ uʞnYJ{H=OKeD_G= ./uk K7sF )sp+G֦E:N!wr8)S螰4Š0R+ W)RT}|#V<4o0AP taeKeS!ݕFf& T q6o& XP}«b9Hy\ovCL^߹*0R!N%_|cl[ Nb$z7F3%ϻ?T3-5>6PkPg_tcBGoȐlU4^AP}4Է0V$J4+_eP=!!Wڍo4R&)a֜Uxv,^ OG_Jo! "l=2?gq}@q =Z%Up1K~w LV/QDb&FR`d$UEow4;#G"S_{Y`tNq?1cfQ(f LVa6xvtxlg~rhns3ZeTX 溗 OJ}7@!1ٚt@uպA's˳M>WS _ãZ-Xli%5pov(>Dl_MRTu&)4N lNWW[g2I[m) B}6`>3!j)lSe4kZp8YH={іe0fJ6{Y f Ch;b?I~ƒ3%,`4$R 4ΩQD+no`b`#|^%a#" $ 3 WiM*vl0//Y_B,=:jz)0@K`&QrMsbrTOʡ*lMwUFZڮv:u-bZ>ε :S'N3ɱ;8Doq͑2t0'v"@{A% #hC' ɖ%o;bw9W b)@>\L|OoCK#$d{#ϕ*2, ϕ +4N5SPb?н̜#i tP*%x|KW+HkwQg3;E?[R %v>i97[HK܅>:w2 ;ވq0v k:ʃU0`i}D|ZA^RjF=*)er~H 9)[PFp7/hn ~@|sYbY),%Oi}J@SӉ_`/N{ 76y F5og$7_}oQO*liJ+oHS4I"њ86We5=h<\ݛ%<]R`.B]ʿkeG2/ %OJD2W!DU%}}89c9)F%ԍCd+>/`?eMgsudPo=\ɫI8JBtQi#hwʶ)+E/,]+ sYg!{pjŒ?^ГZ$ "y;B.8eC'n[4)|㖏ZPECVaIJf T?5%)q mBz#&u\zq>fKd_Snj~:zYu͠!o/ɳK _&}4MȚއw~ R9= U"Z-f-)vѫC|=!hQ nǧCfZ$L°JeŠLU(|Z,rA0t q''F;`OU )"jcZbq4so>&w{bqV֜쁤4NRo6_1>:BZM?&a&rjЌCjF'; Y^Ѿ =L/RbψK6ȟ!O<( yz+#̖FLJ\85Mx7k@:#K{X XIY4xgh cz:2W`lCFYMSzMi I iKkJUMRSUaMDG?Gs aWM Lդށ_?03^5<|nGvjZ-+m}Xpm%!vLR̝d@(]r6FWmg8T,:귞MAX=\JIL)$84wFcyVkޞ ?vѣ68 ȏ W~Z7BX~0YRٖbS-*ZZ'hΤw-8jrK?hhJ ,C  IݾroPjIG@$`Vy@ChsnF:xceچN3BYPQX\D?> ">x5^#zGl&q`'C)p=#SfNS8&rG8zFd!aA]&k}%Ƃ *yb{2)佨ϡ@\{0vX?c鑖JV0-OфQDV3EN 2|4A|Kx~ wiVkzz -ʎ-@]e@ ]5Hа !~g\9;STϚ2>34n0L=YQxdA*3Nuo: h~^5]S&Nj\ دʻHiR+{8g@9ȴR~|͏0}a;B(xFtӭDzmTjG._"p"pލNDȖxm|vݬɥf`@DʜK Y xi8HUS!˶`?tso(WȻ'ئx@m{PV:?@[jwΙӂ=grd=Yg>6'RZt6kۅظwU&7ϰ 8Ȭ "dp}_|%T66dpNFb35dBH&JpuΕ^ӜcqγO-]֑mw& `/V}2Cmy$>׫a<L? 0}BA{&zsBPU;εph̐jlED_b]j9+6Ojfh*uj{&\me`t}Bھ?k dD?۞f9"ndɥ fK#@0O/wijjZSB nj=CTlDڎ+6D:LYW<{ZnŷY?ǭcۦoS I6d;OW+Omt[=54ل2ٻcoE }RecHmqG4^zs2D$K17l>7zdf̩!mġe+A-W)q]IE"SW:Z.ys!FF4i\+YJFU72|0FxeVBo\$Ӣz{029TNDN)1Dh} an|'誵(v=aag^@`!>j 6Jp;|}R=e`Z]8G޵V_mp e!GokW"dguUH$Mp;T_3k0_U(d 8 Qg+H'̾rB=T*}r~Fٗ*ZKǒ̜3'cHb]8nc iҥ[2|P@hGv\$qwVuJ9J*l!ih XXT[ID'_)c~^fy [Cxu4ه7%d'54AOLF1w̅3ȸsb" X.w2ah.EEQ>0ora$%IdO^PWԑ{H=1֝Ṕ.\9HA)"rUPۦth%#o1ףY4[ lJέo"N~]Է_9oQtnK`wGЄMp-4r[4>q'V kʛm,D"*{Ya˥|5S(<l@WC ۧGE:Q)|M`VPG65 7s5=="p)rbH~ac.zK7#Ӷk)yέd"BmPtEZv{.L5e7۝+i|=4s?0Իk-to᥶+\f%P$C~YM+T)meln@uk57̀ .ޙ$A"O>+lY:/v5ĉ7>'+9B]: G%(L#zx@~פ@pSqTX7V g>(pfuclY:]QoM!:d3 )h'km^e$Kp3&`3 Qi[^pl‚>"|-'*^1A+Q] 3o\TvX앭Z _z]?ʚ#s9?P>w֡/]s3(\KT3 )]AwԲPwz4Aa%1Y3$iaaUUђ $5+ ͻS(VZȟM_1Tn4Twۙz. D8Eg] VW+,ӭ:tjtW%n@!'7~n!>1䬱_js?p-Ü[>#8c0I[pG!q/30t@v3#{MqM2<̲0 R;j8V #Yԕ'RfIM0&iypaEɔD=)nS4mQ%\FNBvNIo^X (ᔞTef35YNRD*ޙQ$VqqVeA UIlB8Ν68qTuuuDp]Vs6@iP1P?vq:`|Xu/4UQbbh5JJ!+CE+T:s].c0u_!rLx+qs6 c[+RRڣzjM U wOŃ}IGCe`~ AҲ!Eqv*<Ϟ^s!^xJ6ClhK .tܵh }jq|])?hU LZ«Y;ŋNݦd%ºʔٛ`\ ^v:$q[|^Gs##Ĝ1կ2򀫧d-Pt{* jB~*ZwH}nK6@}:_Т̟e<P|ݣ^Yue;[ ͪb9!F3F؆(eavOP,6%23˰u(V^wH0K{5dHu }GaHj(ǿG FM DLͥp}|1oH*&OEkdi䕷3Z5[e؜SMUc}s`hC<B,r;?࡞Y{|5%ERH:`uT)B-wn c5Q'l w ?g^ȧR, gwJgsBcniVIWݰ̰ЮT+Mx0)bAvO4Δ+=Kfjy}JIk ܺ7'qBi.+d A]|!ds ib PDC9t :TZx8|3)!iG=iHDVn)EtUˤ0TH4cvbe$eZn.FwFc6Dw<贳]j*.ҰyϪ7t0wZ6LF)n?eୄ9K?np@lRtx`Kj{v&\Je*$8ޑNĒf Xw#:Qd$u;`X(V8Yܘ膎89~o4׬bV4R3:H4w󥍱\( W\n(Pjrbopt\@Ul"{. iUaR:p8`75RK옉1FGk M,̈́*mZ^݌B8Rgp}5lt<{n옷7' D^ڮI/!hN R$LJE1u>F4_6ꮔ{ ƾHK׀^v*1U*w2s'<9i퓨#rsyȂcBv9O߀(>{-EsǿͱH状 فN"9W*. cŢB4 N*@s! -z>m t#՜Ŀ%T<80oaƴ"t+xTB}Je@^J}ߚ8@MmY[ֵȗkwH"6{{(| Yr{t !{QGa(\yhF^?LwU{6+, &﷤\zL&kJVFUlWʁ+K=9&(g) W2ty 000WzTI3B>Ɯ )d]k~ck."]6cQ*ԬHYV[,H,mne ^ڎ%< jyy1;\MyGT)ګ>L.d43X̃g)ĤL,C'GڵXͣX:"ZG=&; [Sb6oG͜ d8tdKbjƒs':Xl|A<]3%F2zS Dw0k!_ &Mo}yw{?n:|1ݷT'g3gp;;? t,^V' 8fq1%U#Jd X5J]wͶ3*/*$B?ج-Wi@b TR&d~: d14#ń S韇-F^LIZxVH7 HCFv%ژH{ptu{Œ#VP9<b@+ %K(+mbww\7K<ٞb{Ac h~z|VH9W^D\jL edv^Y@]:?=)a |2vu-*3ҹ 8bӤ|6Q̟BÊ($sיw&wG{|w%^)`I7{xp"gq_~UF-7S/$-l/$owycDD] !ᕒE7h".0 x#D}Q,y«XjYqnO%cc єM;Jyn[ݟ=A\q9ޤ _8"ޓZ5Wxx_A%K(5K6Yu9" '-K S@%s +'A2TjE3qHɪ>Z6ZniݪH CSa/5q\I5r?CtT|| ̖!XXI\JsF϶ 2ˈ a%As ѣS&9+ˣJStC䬕|=)5NbjrEp8 #J+L[ωc>GM4yrv|He]3yCalɽMV<9M,VG{1 UPdNF4gN(ۖpMGı`+q肼6vS/҄& '>ڒjl~3n!} Ϭ+p5 %iBE⭬]u~ 6}RcnR"OGN==9FO:;ȹfl1Mfl'R+sGIq\ȔIEP.ߵ8ortd))VӉ(9ل]Ʋqv#u#B XZ A#&'R$]R%ӝ!E~Ȏ_ m3BJ(0rbxvUL:a"AUYTBFGg"HTA.V!I{RLBU%/S1 MbNf)Fѡq̹\xzjڛ "7eJ蝐޻W1իBKsP?N[E8k5(e'qȖKF~ql34:QgPu079mNw64Y.Sې+nn;b* O&.-^jhe5lV00 rzUGmxǒc ):~_Q,ՅEp:LK%8:|% I=awFzbL{iD!Тqti"TLT莰1&AH)Y{.MU[^rCq+[PԀ#e[c0eS=`0ں[_MrNT6?Y3?rrLP`AvF:v P@ϸഁ:t:a ~9D<٭^,b^س C0ZH`3VԚ#rCܹ׶Hj`Bc4'{ix~59.j4$:'}2a7͕3N HڹitCCkK,8j~7C\#x$240glGȵcYXA==>E%g'MO*D.zB9`#iBbi=>bIM՞JGEpemU7pk)Ư`o+ +lќ]ݕS$*? Z!fBF8 :w˲O|[plzЕJAܨl/; Rc6ڭqm.sn폵X aJuzolLruYEBWڔ6W LX{4sē#F 92fo2Ď]@-&] 7j%*PqƶtRqD-j-ke{kt'@FmG,a d#yLs=VوNo䉰0EPFSJWxTF5E`OއG_WG_JѯZ/j2:~U錐 乓ySm;9hKFH}.7U2Y c)1u!İ_ۤ)ypIR=n|Ps/bvܗh}(eyGF&wOnoW~poOMv_MWp܁/FpOc[7iew( 4It-A Xno~ꢺDe_|fE7ňryqnV^V6r=LM{:{Jy8D±ٗ8Vf%&N>m~sgJ.+~c*% ({j݇w]pY9z2w#jo?#ާ1+5ߖl'vvK~" 4sd'ef k?2~2tAneۈGpө kh#'jkj:1dM,/^J6T/aT'^= jDj4>ֽ$~&_䬩I䙚.&_dFs[[=չx9J~tsl 7MTƔp6[b3s$_<>_&ߕbɔXhU$*ϕK[e 4JT#I"O\ym.~J6*Zz;[&ƃY>,hv1Up7kѸ"5hK[ *##Vk'8s2: R)_\e63T4vN(,, 0ySg$D-bٸnjZz$'-P}VV$]I<1k LSh'd6_{k.ݯ[x?2AzNE\&~lX: "j8:RT6vґ;5&C\oOgXU|fDVԪMb?[ |tRz9CF El]qvܥاIOVkժ. E׹1z6rd="kV|eY )ǪƃAQa{\%2fk 󱖫\/:\F[m$LT-Ho-"֊TR9wئ9$:u*vW&\8r>Ŏ蕦@MgbDŽ9&EjPV䃽SêdZU{2vV8.|Z>G.L[a?oe/ 2v4s ^k m+]Er@tWaPcE&(&FH=)Hkd|Mw„us9BwKȼQnE}'630bYw:=Hq3vvN›yxd0EYM?Qaz.H,fhFwOoh- I->CP[L`3y}N &( דQ`{@AL >x`@k2ftkV͔E?[9^FeRԬyguZж3R9ٹc͑Н 0sD7$ ,oH%%"% ,fEe34 $&rFxx* .S}Lv?A.k7(kiyV*H6=FjgDiD}N:ΛC$TLgw (jKQo5=@FBL3r9HP 'Ԥ3ZbMhE7ԠtA]ڬ{:'.QXY-ԡA@=E|'PY ρ?CWJ]O\%%Wuf_]ţ h>P *6H \w+hFoQ{2iC1›)=h3p-aqY^As /!r#đ'!~iXwd - )d(\9ko2Rg jNU,S52P $EZ1܆kұ 4Y uX8!UlfBQ R˗+A$(A߲Mê#;a-eR՗6`J@!pfȢQI&dة=FJgٓG>?8KplVJr+ʄhpm׿{"53/@7ܥ[M(cըZG0&_gr9Jo'n6B#_Yphk1bo&c[s&5v%ΆPK~XղL%)֯SA.Ɯ',lg d8DG%]4FWfriP/ԶC0ٱcSf.1WFhf$3?ߓ}b߶+X[Jma5ހD9B Z_ނ)vT1~/ٽ~ ,S&e2Juu]Z@8:*d#/zO$uʓy_汮K$Bҕk9;YxZFݼt&h}JtRyX,K׿2J7q 6A/V`w||vi똖s%% +VkTmy-Jg-5]ARG=Ӝ>Uf脇wr!96} 1Q8w, a:Wxnpt>x+¶>kz;IM*WpsǬ9ZJs[YdoJCQw6j) ΈG쎱'{V02'_ Y \+QݚP sG"n|GKlk(~6ҭj թ8§̹_9qyw_ѩsH,ɛmE(r^_[xV-sYxn=ߥy!9ae ZY*'b-NY]TYkRպȖ:6/ӂʥѥlU <ҝAqS{<’ڛ 2Z)UZ9Z(j[Έz [`BL Dyv8,|,$~ 'P.4&rP_ EeJ02M=I[r;}GeƊ8̱ aO_h}B)Iᅫ8,w5nO:͹;{!_=.' Yz3l{qPBE@p[*yydpQ _Lv9lh'Il/CϜ8n#Cw5u⁖.:h R˦?o}BM7cj\ (Z;7?$<[u!NxJ 3 fi7y C/έM|BF!!Is'Qkƴ}5'^pՌ|!pdQ;gdQ0҆^ 2fbߐpfr- KMVZ=Od*^=CE-&J„“UT$Xȇ} o$6Ă`^3]Z[fL*Åt^F\邘%LSB1}T^rm3}33k$яb:8XjEXҔ V}rP1P*ϟ̶A9z%?E A ۖbA TO1J܎†0\^I)ΰAᤋBs?qsI| OW?{{ƶd0*οAz85Bl,B3^:uJJ2!ջ5̷1^/ p:T=:?12 w}w•nX^cq]^ 33%f R8"bc|AA8nJB7}i)IrЪaOJT_hV7fr[~偝[^E7Fs{#t i+k 33T5ڿg}ql G!#I1dh"&`]w^Xol"9l,#t"3Y|xb“C{/'T`*whR@(lDg19R\&N\i{eu΅ye^4*ݲ|@&x>6z'7\n^t_J {KoJ4)͘: Tu\?N*,#Q[b+՝JE/)x%ngr  tuz.xoW͊^{5?&b`[R}S q>WjT/do$xSFisُ7-Ij6w0o]bDYcd֊<$;< g{Cl'G=q+1өV{aΈ-BIϰ;JoDbL-퉢pf<OffIUb?Du]ȵ§T®'WģK>,P%ɂYyganK9<}k-KQBU^_z*仾afxX7Zqآ'Y&2+Rm2*WͬQ+?YgѶ/)rVpMruz(jDrTe0 -V(EcR:yPH?1,XOxy#sNHN2H]gzEg#@:dܴ5v*,yf}~GBcGĠDP9. qHɆn?Aг+_l0_:̧nHDXb@vI<<`y'^ǘi[+PTX$~n'#ڪ>.5I0]\GQli4>ˁУz1T-ĥnr*9ӱ  i<6r-Jz6ik%6A>@ըOwLwtxagoȅ *KˑNle}&}6($2i+{'=o-p"oNOU;L]L /iA&g݋_X~T'0>ʆڷ=lx.}Xњ!fB\Q)8N_ sk$WԾꞦa$ W{o!A U>}51s•#ix5cam0k_D 'Q=orKE; i}P}A *]`,|Sqp,T7 ysX(y;8=c26Y[EmqI7_{쑿jL!: kij} m!s"Ej0*FҴ{]7kM lbMEz:[K%PNYr'1(^-g) PI4-_`,`h8t¾}5ջ6`:Pѣan{\t0Tg' C٫h| Uբpzd&3Hϭql\]DWa8! qj27U!Ls6Q$|I,4jj}meK}6eX2B"<ėj| o#$rY9A`Q\o2p';t[IY$s#&yA.g,nQ6"!UK0ln^`U CKs̕@zfHWj3@*Զ$dC(2 r/:>V) 'C⊸ƏVz((():עK/1N[!Q2R'ՔJ_zeS 7vj9Wm %c^2ag!w\kB&1M` SLݝȵC XnInl?;$wT$%OZz=H4UZSH;sRȣ}҂ylQI}ty(=sz0BŬ; & aQ%.,({5!Yho<.GϪ=3[=cq7dj݋GB}.-q~J߀On/%fZr*KnB_͟a=ǀ{l#ZK!:u^.[Q]dyF_Kgv+0XzfQ0~ѡ'P6ZZ:A*MjXs!Y%z7+G o$jc5g1Ƌ5Lօhh)cg:ퟻ_Y{YbLjtAX& 8 Qweľ׍L:uq-n4SٙND{(B Fe9b# BY/(p4e^baYkLuC1zrkߐ<7 \CƕWGb$"(Cyv J@5΂ /'4 S}MfU)?:ҝeuaR骖շ$]WÄ DZL_}FpZsmzt B'wގnդP\ssleOZK-7xEC{7N>bx#Nxʈ}l1a~ʑ+޵Sܰ2u7?mp դȲ}̕S=u9VNe~`ތ &5lQ\m|[-1_j'%vuOr1JKr\٣t}vG<>ΩE s륊xXRf%ߚ-MʥǏ8/injsĤcidWQB]l8\^"J S9X":$yg{p)BE ]W'c(\q*k1\m*F',XS3}Vw,oGwPyi?~&<gGirĈl0?EAN,xhz]ug\.)Ϛ~x6 y$MX-6=삞u>(\Y5|:qk,i;xRpAtlF^Qa49#[=#!6uVK4eޟfdY-8?zzgq?ek:ԁvTXܨb%8f,Wh{{G /˟,d8@IE>hed??-4WefBJy2 -2ֆbCٝ>wEZAuk!. p1T #= n@7zw;80&?пn)` ICua!i8a%Uں7)q=1׭VoI !̨~D+E<Ln o0$.M)YBaT"{;RwO"#:!FC #ɢ\R3`SK(|iUDuAҭɤ L8ttv)io  7OX[BkB(gf K+"yI0@!FiHE}~B-ks솧D7'É8'ϓMfS3(Ac.ZE1oPA4po w)zB]ri h˽X⒱v%6ƾ!ۄ=|]aw;"(@=L[wn+E szj8!'vnq'ξ1Z\1o_$j 7 wҒ&X\h;U-ۏ}TfH`ZkjV\5&I8ЫKL η۬$kX.O9$q $]="HIb'#9oH͠ҵI8.i}"%0sb DiB>W MgS+]GS=MkT:?`HIMWx 3½AXWlXQ[Y/1ȀS2Ua37+=HYJfdKchعL tL f&{[GoKAvyj}{2LW89. q}P[ ڴ"  lA=)5%1VU팈ZӑE.S R5._T+woht`Ǖ@w% 6,\2fm@wI{Q+V4%W*N6\t/EMv6b^1z;bA%(,[t+qOqdI "ך_e8A"( 0ͥxĘ)AβaMPѽNa?Hή_1\ۇ>g1:_wT/Nn/MM*퍪;Tvp,|2^KI "~qEID-'B}J&:4Zc JŸ#1e?f4RSA520L?u&{Ih+̵7KӖQ㬘DW3I|Q˙7uPu=#[2,bjh{,JM+$bHRZl\lR1T?ٓ 5/P-‰я1ZλfE 'SpMXT %Bz d:%.nTilN )cy_G(&zQz |8x_>0p<^ gvTԛ+EL0gtWn &Y6 d6Vo21NhwUFM$H<߂*w938u5<}`a!NF:2bf2nE* Ԑt؍L%3jyb1Lfj}?aw,X!C3׽O Q_P=7wI M$Mm;Ȱ۵]SZ}-ZXQ7Ľݻ}bpU1g)- TMdrn *ƂIE=ܳӒ{ lL-}ަ$XjrY : 9ڂ`ǥa*q݉zO{m S Q4# nIY*1Swm}qj~ `b_HaU #coQ'9kpDZгزZr=-*ma;˯"F{9~xg;ڈvGoj9wiךV"l<n¶ 9/'.~K*d,uZa'Sq8&Gh*,nV#񃏅XϼvGl| s_C8(b+X~, '_ |]bB%P[9ҲS̵B%Hj)yAx8Pq!w]z7vDU92j$hOt8IoAzώ  邢>#.'hqi~V;H&9M|osA`͟YIe:ɪqqXyI<ʨECۮw.dgdZRX-[iM[03y&>^PIvqavҋ:VD!ʋzTEB7b* g10'}G_&,ЮV[,d} ('+kVЧ$N=rdJVAb`ϋXM>K7JΗz ͸nHtgD`~AUiSɣYS]2`51nQRMdpQS&IM-gX8)$W6&>IVV~45:(|/ At^0sy2<8~ 0-. JX2 LJ٬{n*4Vᘊ"oQa/b>x=o0O:"c0֑ 훰'$U*kܸA?܊*dBbʾO/@ 8f{z.FV2S,c|.CD&'֊U_ W$"06s#]7M;? N=-Up UȊ85n(vR rCa (bͷVW}kGEeCYc۶XJ"n,Ʌ%#,Ч3~eX\=;\c+`N1|9|@kQ6=W4 RRŢA=?*G7φ 5`cVa^qQ3"ufEAK*n|FP&PwDuWȚs okuhd5t~jsj<;Bs d)KЩ<L""TߵʄS*_)hBBY.\U {;֑M%:{ڔpgo|tGjNDPa14`Nzot샲9`Rw@D],]ETXY.^LnQ&[}܌y:{]45kN *LϮAk(’s3˜fp0֌&n_tGaD j l$&Pe.O&~a<+.,_Ix6 zj9-ƍgO"J`I3o  $7M(*>L>䚞TzzVQ.,13]+aѲE_t ' đ2¢/ UHcs/uqaتr&Gp]&okAsB^5 1-wfղ=Ƴbs jLۊBľUL:  }l8!sB?y={n]a凁 x6ּIN썰}90'(B8Z{>8U Gdպ+4'.e ]$$V2b~o&+{rF ?ЄȊ2`s*iꔨl'X3PG?,I|E ) LiCɁ: 8H*dme סe A$>}Y|x?Y]ܝN1ȱfҵ`ɔb3m:?Y:=J^pXjv,shw\.$f #NM@dv=ט t.ɅT'yߑrU\sfCf ?qDFO3 Ti~P;tDfbB>_ig@٩xJq̱nF7/ܸnAj# L \S_=QPkaSUWJ\!xt+MM_m7;⮪gFk'|H$*3 2&mG_̍WκqZx_O˾VsHZ"@`4PCigWXX@+wt>b`^ ۚkNNSYa/_j UQahTOؔ#dD3`=m 'Oɺž~ԂI/H3nS$Q !~V:E{x;_jh kC4cgP4ҟD8jf;pAM'.]VQ̸ԙ^gqv %G4IҖ[(QH! Tx};_ o jR+}-giW5@@UM9pѴ@+`EUV1xђo`* fDT+}Pb/$shğT Cany1#q9= "]TWp|[-%wvKYa/Z -#hb{eNn^svmPFP<-&Ч9R70PkԸ&{;X{K_[mU# VF2ځP'CCr00ZdNLIUCEL7[D`}B̀S:lAknTu5VE%DMa͉W=/P?=FOUTr(yN_رk]BA0z;+斎KwI9'ڗ蔵tg|&F*$QB)6Y7C2Q:ӷ=EG'-jJ,̥aSĮUXg'*Qq3^v0b7 PQpí04Nur>&HO(UQbE r_W4#\kC,sx3(%Bu-aRȯ]jâ[AQak|Y]Q$