samba-test-4.19.8+git.430.a10fe64854c-150600.3.18.2<>,HhvSp9|}V4T<~Z)UOZh_±[M{$ vWmʢH <].^v>LoHhk"-bn}":)jZVHü|HƋ@izA.L׆ ey{`ҹ ;=Q>]8Qp`GД.XSogd)1b 5+:5? ,$6`TB#d=iaNvce9 m#A%?viն̓0@>@$?d ( 6 b -AX^d      &l 94(:j8:t'9?':R'>>@MF\GpHIXY\L]^7bkcdefluvw<xtyzCsamba-test4.19.8+git.430.a10fe64854c150600.3.18.2Testing tools for Samba servers and clientssamba-test provides testing tools for both the server and client packages of Samba.hvSs390zp37+SUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Applications/Systemhttps://www.samba.org/linuxs390xs HH hhAH Uҁ큤hvSPhvSPhvSPhvSPhvSPhvSRhvRhvRhvRhvRuhvRhvRhvRxhvRy882d9d1bc50182304c126efd663bbcf0fd54b5c84221e833a34050f8c9302b5191b3238082a5ab2b08046a95428a47d9a4b9eaaea3d498880a06b3f5a7bd9a6c3831c8c947fdca2232ef19ff69980709d0152027fa3f830b2df2f77e8088359b7a9d6e4a719929561e741bacb3ab33ee0cfcc07a32ea7b292f98a13aa5aacad720c2f3e25ecbdaf336dc293bae9abc7c4b53b093efb99d0e3d92f0679df9715cd0c9c55c59f0187b59f87bb1a1aed7f27384c14cdd862991ffd40d71b282d7c2eb3798434f5832c9b33ff4989ca21f468e203834d7235a1e4f8685f209ca3d0b287be9d89c9a3db583691405c8e4661ca843f765cb429e399be7e1742e8350ac75f36a7352f40fe1840893525762b152bef7638ae62307fdbec1c8b2795db7cee77dc4c6ed316ca8dfcac37bfed0d33806fecc7a1bca7f50fc2b0dc3ebb4aaa4522eb394e25c21921b2cea46fc338d60272dfbb00ece001e52d3f87a6b99e85524f1d24f83bc2df8c42c0fa0b2cc5347c3e0b5f91bb2ae6ec3593354430136585e426ac0c19f0c65468e748cc21bc63f974b8f54d945d60112ab54e62ca178733e0e60c31efc149c6ed62eadbe81c9b1f88348566a617e756f5a99ab65130844rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.19.8+git.430.a10fe64854c-150600.3.18.2.src.rpmsamba-testsamba-test(s390-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /sbin/ldconfig/sbin/ldconfiglibLIBWBCLIENT-OLD-samba4.so()(64bit)libLIBWBCLIENT-OLD-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libMESSAGING-SEND-samba4.so()(64bit)libMESSAGING-SEND-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libMESSAGING-samba4.so()(64bit)libMESSAGING-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libRPC-SERVER-LOOP-samba4.so()(64bit)libRPC-SERVER-LOOP-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libads-samba4.so()(64bit)libads-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libasn1util-samba4.so()(64bit)libasn1util-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libauth-samba4.so()(64bit)libauth-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libauthkrb5-samba4.so()(64bit)libauthkrb5-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.2.4)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.2)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.32)(64bit)libc.so.6(GLIBC_2.33)(64bit)libc.so.6(GLIBC_2.34)(64bit)libc.so.6(GLIBC_2.38)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcli-cldap-samba4.so()(64bit)libcli-cldap-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libcli-ldap-common-samba4.so()(64bit)libcli-ldap-common-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libcli-ldap-samba4.so()(64bit)libcli-ldap-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libcli-nbt-samba4.so()(64bit)libcli-nbt-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libcli-smb-common-samba4.so()(64bit)libcli-smb-common-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libcliauth-samba4.so()(64bit)libcliauth-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libcluster-samba4.so()(64bit)libcluster-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libcmdline-contexts-samba4.so()(64bit)libcmdline-contexts-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libcmdline-samba4.so()(64bit)libcmdline-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libcom_err.so.2()(64bit)libcommon-auth-samba4.so()(64bit)libcommon-auth-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libdcerpc-binding.so.0()(64bit)libdcerpc-binding.so.0(DCERPC_BINDING_0.0.1)(64bit)libdcerpc-samba-samba4.so()(64bit)libdcerpc-samba-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libdcerpc-samba4.so()(64bit)libdcerpc-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libdcerpc-server-core.so.0()(64bit)libdcerpc-server-core.so.0(DCERPC_SERVER_CORE_0.0.1)(64bit)libdcerpc.so.0()(64bit)libdcerpc.so.0(DCERPC_0.0.1)(64bit)libdsdb-module-samba4.so()(64bit)libdsdb-module-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libevents-samba4.so()(64bit)libevents-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libflag-mapping-samba4.so()(64bit)libflag-mapping-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libgenrand-samba4.so()(64bit)libgenrand-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libgensec-samba4.so()(64bit)libgensec-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libgnutls.so.30()(64bit)libgnutls.so.30(GNUTLS_3_4)(64bit)libgnutls.so.30(GNUTLS_3_6_13)(64bit)libgnutls.so.30(GNUTLS_3_6_3)(64bit)libgse-samba4.so()(64bit)libgse-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libidmap-samba4.so()(64bit)libidmap-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libk5crypto.so.3()(64bit)libk5crypto.so.3(k5crypto_3_MIT)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libkrb5samba-samba4.so()(64bit)libkrb5samba-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libldb.so.2()(64bit)libldb.so.2(LDB_0.9.10)(64bit)libldb.so.2(LDB_0.9.15)(64bit)libldb.so.2(LDB_0.9.16)(64bit)libldb.so.2(LDB_1.1.14)(64bit)libldb.so.2(LDB_2.0.1)(64bit)libldb.so.2(LDB_2.8.0)(64bit)libldbsamba-samba4.so()(64bit)libldbsamba-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)liblibcli-lsa3-samba4.so()(64bit)liblibcli-lsa3-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)liblibcli-netlogon3-samba4.so()(64bit)liblibcli-netlogon3-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)liblibsmb-samba4.so()(64bit)liblibsmb-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libmsrpc3-samba4.so()(64bit)libmsrpc3-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libndr-krb5pac.so.0()(64bit)libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit)libndr-nbt.so.0()(64bit)libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit)libndr-samba-samba4.so()(64bit)libndr-samba-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libndr-samba4.so()(64bit)libndr-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libndr-standard.so.0()(64bit)libndr-standard.so.0(NDR_STANDARD_0.0.1)(64bit)libndr.so.3()(64bit)libndr.so.3(NDR_0.0.1)(64bit)libndr.so.3(NDR_0.0.3)(64bit)libndr.so.3(NDR_0.0.4)(64bit)libndr.so.3(NDR_0.0.8)(64bit)libndr.so.3(NDR_0.0.9)(64bit)libndr.so.3(NDR_0.2.0)(64bit)libndr.so.3(NDR_1.0.0)(64bit)libnetapi.so.1()(64bit)libnetapi.so.1(NETAPI_1.0.0)(64bit)libnetif-samba4.so()(64bit)libnetif-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libnss-info-samba4.so()(64bit)libnss-info-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libprinter-driver-samba4.so()(64bit)libprinter-driver-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libreadline.so.7()(64bit)libregistry-samba4.so()(64bit)libregistry-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libsamba-credentials.so.1()(64bit)libsamba-credentials.so.1(SAMBA_CREDENTIALS_1.0.0)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1.0.0)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-modules-samba4.so()(64bit)libsamba-modules-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libsamba-net.cpython-36m-s390x-linux-gnu-samba4.so()(64bit)libsamba-net.cpython-36m-s390x-linux-gnu-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libsamba-passdb.so.0()(64bit)libsamba-passdb.so.0(SAMBA_PASSDB_0.2.0)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamba3-util-samba4.so()(64bit)libsamba3-util-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libsamdb-common-samba4.so()(64bit)libsamdb-common-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libsamdb.so.0()(64bit)libsamdb.so.0(SAMDB_0.0.1)(64bit)libsecrets3-samba4.so()(64bit)libsecrets3-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libserver-id-db-samba4.so()(64bit)libserver-id-db-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libshares-samba4.so()(64bit)libshares-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libsmbclient-raw-samba4.so()(64bit)libsmbclient-raw-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libsmbclient.so.0()(64bit)libsmbclient.so.0(SMBCLIENT_0.1.0)(64bit)libsmbclient.so.0(SMBCLIENT_0.3.1)(64bit)libsmbclient.so.0(SMBCLIENT_0.3.2)(64bit)libsmbclient.so.0(SMBCLIENT_0.3.3)(64bit)libsmbclient.so.0(SMBCLIENT_0.5.0)(64bit)libsmbclient.so.0(SMBCLIENT_0.6.0)(64bit)libsmbconf.so.0()(64bit)libsmbconf.so.0(SMBCONF_0.0.1)(64bit)libsmbd-shim-samba4.so()(64bit)libsmbd-shim-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libsmbpasswdparser-samba4.so()(64bit)libsmbpasswdparser-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libsocket-blocking-samba4.so()(64bit)libsocket-blocking-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libsys-rw-samba4.so()(64bit)libsys-rw-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtalloc.so.2(TALLOC_2.0.8)(64bit)libtalloc.so.2(TALLOC_2.1.0)(64bit)libtalloc.so.2(TALLOC_2.3.5)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.11.0)(64bit)libtevent.so.0(TEVENT_0.12.0)(64bit)libtevent.so.0(TEVENT_0.13.0)(64bit)libtevent.so.0(TEVENT_0.15.0)(64bit)libtevent.so.0(TEVENT_0.9.12)(64bit)libtevent.so.0(TEVENT_0.9.13)(64bit)libtevent.so.0(TEVENT_0.9.16)(64bit)libtevent.so.0(TEVENT_0.9.20)(64bit)libtevent.so.0(TEVENT_0.9.26)(64bit)libtevent.so.0(TEVENT_0.9.30)(64bit)libtevent.so.0(TEVENT_0.9.31)(64bit)libtevent.so.0(TEVENT_0.9.36)(64bit)libtevent.so.0(TEVENT_0.9.37)(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libtorture-samba4.so()(64bit)libtorture-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libtrusts-util-samba4.so()(64bit)libtrusts-util-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libutil-reg-samba4.so()(64bit)libutil-reg-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libutil-tdb-samba4.so()(64bit)libutil-tdb-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_S390X_SAMBA4)(64bit)libwbclient.so.0()(64bit)libwbclient.so.0(WBCLIENT_0.10)(64bit)libwbclient.so.0(WBCLIENT_0.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)sambasamba-winbind3.0.4-14.6.0-14.0-15.2-14.19.8+git.430.a10fe64854c4.19.8+git.430.a10fe64854c4.14.3hm@g`@gRgR@gMgp@fٝ@fxfteԔ@ee5@ede6`@e-%e'e%ascabrero@suse.denopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comddiss@suse.comscabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Windows security hardening locks out schannel'ed netlogon dc calls like netr_DsRGetDCName; (bsc#1246431); (bso#15876).- Fix Samba printers reporting invalid sid during print jobs; (bsc#1234210); (bso#15792).- Fix crossing automounter mount points; (bsc#1215212); (bsc#1236803);- Update shipped /etc/samba/smb.conf to point to smb.conf man page;(bsc#1233880).- Update to 4.19.9 * libldb: performance issue with indexes (ldb 2.8.2 is already released); (bso#15590). * DH reconnect error handling can lead to stale sharemode entries; (bso#15624). * Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated; (bso#15699). * irpc_destructor may crash during shutdown; (bso#15280). * Compound SMB2 requests don't return NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses MacOSX clients; (bso#15696). * Crash when readlinkat fails; (bso#15700).- Adjust spec to split out rpcd_* binaries into a separate sub package; (bsc#1231414).- Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated; (bso#15699); (bsc#1229684). - Update to 4.19.8 * Invalid client warning about command line passwords; (bso#15671); * Version string is truncated in manpages; (bso#15672); * --version-* options are still not ergonomic, and they reject tilde characters; (bso#15673); * cmdline_burn does not always burn secrets; (bso#15674); * Samba doesn't parse SDDL found in defaultSecurityDescriptor in AD_DS_Classes_Windows_Server_v1903.ldf; (bso#15685); * We have added new options --vendor-name and --vendor-patch- revision arguments to ./configure to allow distributions and packagers to put their name in the Samba version string so that when debugging Samba the source of the binary is obvious; (bso#15654); * When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account need to change their own password; (bso#15655); * Fix clock skew error message and memory cache clock skew recovery; (bso#15676); * CTDB RADOS mutex helper misses namespace support; (bso#15665); * The images don't build after the git security release and CentOS 8 Stream is EOL; (bso#15660); * Fix unnecessary delays in CTDB while processing requests under high load; (bso#15678); * Dynamic DNS updates with the internal DNS are not working; (bso#13019); * s4:nbt_server: does not provide unexpected handling, so winbindd can't use nmb requests instead cldap; (bso#15620); * Panic in vfs_offload_token_db_fetch_fsp(); (bso#15664); * "client use kerberos" and --use-kerberos is ignored for the machine account; (bso#15666); * Regression DFS not working with widelinks = true; (bso#15435); * ntlm_auth make logs more consistent with length check; (bso#15677);- Fix a crash when joining offline and 'kerberos method' includes keytab; (bsc#1228732); - Fix reading the password from STDIN or environment vars if it was already given in the command line; (bsc#1228732);- Update to 4.19.7 * ldb qsort might r/w out of bounds with an intransitive compare function (ldb 2.8.1 is already released); (bso#15569). * Many qsort() comparison functions are non-transitive, which can lead to out-of-bounds access in some circumstances (ldb 2.8.1 is already released); (bso#15625). * Need to change gitlab-ci.yml tags in all branches to avoid CI bill; (bso#15638). * netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0; (bso#14981). * Anonymous smb3 signing/encryption should be allowed (similar to Windows Server 2022); (bso#15412). * Panic in dreplsrv_op_pull_source_apply_changes_trigger; (bso#15573). * winbindd, net ads join and other things don't work on an ipv6 only host; (bso#15642). * Smbcacls incorrectly propagates inheritance with Inherit-Only flag; (bso#15636). * http library doesn't support 'chunked transfer encoding'; (bso#15611). - Update to 4.19.6 * fd_handle_destructor() panics within an smbd_smb2_close() if vfs_stat_fsp() fails in fd_close(); (bso#15527). * samba-gpupdate: Correctly implement site support; (bso#15588). * libgpo: Segfault in python bindings; (bso#15599). * Packet marshalling push support missing for CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and CTDB_CONTROL_TCP_CLIENT_PASSED; (bso#15580).- Update to 4.19.5 * Windows 2016 fails to restore previous version of a file from a shadow_copy2 snapshot; (bso#13688). * Symlinks on AIX are broken in 4.19 (and a few version before that); (bso#15549). * Fake directory create times has no effect; (bso#12421). * ctime mixed up with mtime by smbd; (bso#15550). * samba-gpupdate --rsop fails if machine is not in a site; (bso#15548). * gpupdate: The root cert import when NDES is not available is broken; (bso#15557). * samba-gpupdate should print a useful message if cepces-submit can't be found; (bso#15552). * samba-gpupdate logging doesn't work; (bso#15558). * smbpasswd reset permissions only if not 0600; (bso#15555).- Remove -x from bash shebang update-apparmor-samba-profile; (bsc#1218431).- Update to 4.19.4 * net changesecretpw cannot set the machine account password if secrets.tdb is empty; (bso#13577). * For generating doc, take, if defined, env XML_CATALOG_FILES; (bso#15540). * Trivial C typo in nsswitch/winbind_nss_netbsd.c; (bso#15541). * vfs_linux_xfs is incorrectly named; (bso#15542). * systemd stumbled over copyright-message at smbd startup; (bso#15377). * Following intermediate abolute share-local symlinks is broken; (bso#15505). * ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public address disconnects first; (bso#15523). * shadow_copy2 broken when current fileset's directories are removed; (bso#15544). * smbd does not detect ctdb public ipv6 addresses for multichannel exclusion; (bso#15534). * 'force user = localunixuser' doesn't work if 'allow trusted domains = no' is set; (bso#15469). * smbget debug logging doesn't work; (bso#15525). * smget: username in the smburl and interactive password entry doesn't work; (bso#15532). * smbget auth function doesn't set values for password prompt correctly; (bso#15538). * Unable to copy and write files from clients to Ceph cluster via SMB Linux gateway with Ceph VFS module; (bso#15440). * Multichannel refresh network information; (bso#15547).- Update to 4.19.3 * sid_strings test broken by unix epoch > 1700000000; (bso#15520). * smbd crashes if asked to return full information on close of a stream handle with delete on close disposition set; (bso#15487). * smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor(); (bso#15521). * Improve logging for failover scenarios; (bso#15499). * Files without "read attributes" NFS4 ACL permission are not listed in directories; (bso#15093). * CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in AD LDAP to normal users; (bso#13595). * Kerberos TGS-REQ with User2User does not work for normal accounts; (bso#15492). * vfs_gpfs stat calls fail due to file system permissions; (bso#15507). * Samba doesn't build with Python 3.12; (bso#15513).- packaging: samba-tool domain provision requires python3-Markdown; (bsc#1216519).- Update to 4.19.2 * Use-after-free in aio_del_req_from_fsp during smbd shutdown after failed IPC FSCTL_PIPE_TRANSCEIVE; (bso#15423). * clidfs.c do_connect() missing a "return" after a cli_shutdown() call; (bso#15426). * macOS mdfind returns only 50 results; (bso#15463). * GETREALFILENAME_CACHE can modify incoming new filename with previous cache entry value; (bso#15481). * libnss_winbind causes memory corruption since samba-4.18, impacts sendmail, zabbix, potentially more; (bso#15464). * ctdbd: setproctitle not initialized messages flooding logs; (bso#15479). * CVE-2023-5568 Heap buffer overflow with freshness tokens in the Heimdal KDC in Samba 4.19; (bso#15491). * The heimdal KDC doesn't detect s4u2self correctly when fast is in use; (bso#15477).- use systemd-logind rather than utmp for y2038 safety; (bsc#1216159).- CVE-2023-4091: samba: Client can truncate file with read-only permissions; (bsc#1215904); (bso#15439). - CVE-2023-42669: samba: rpcecho, enabled and running in AD DC, allows blocking sleep on request; (bso#1215905); (bso#15474). - CVE-2023-42670: samba: The procedure number is out of range when starting Active Directory Users and Computers; (bsc#1215906); (bso#15473). - CVE-2023-3961: samba: Unsanitized client pipe name passed to local_np_connect(); (bsc#1215907); (bso#15422). - CVE-2023-4154: samba: dirsync allows SYSTEM access with only "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES; (bsc#1215908); (bso#15424).- Update to 4.19.0 * File doesn't show when user doesn't have permission if aio_pthread is loaded; (bso#15453). * ctdb_killtcp fails to work with --enable-pcap and libpcap ≥ 1.9.1; (bso#15451). * Logging to stdout/stderr with DEBUG_SYSLOG_FORMAT_ALWAYS can log to syslog; (bso#15460). * ‘samba-tool domain level raise’ fails unless given a URL; (bso#15458). * reply_sesssetup_and_X() can dereference uninitialized tmp pointer; (bso#15420). * missing return in reply_exit_done(); (bso#15430). * TREE_CONNECT without SETUP causes smbd to use uninitialized pointer; (bso#15432). * Avoid infinite loop in initial user sync with Azure AD Connect when synchronising a large Samba AD domain; (bso#15401). * Samba replication logs show (null) DN; (bso#15407). * 2-3min delays at reconnect with smb2_validate_sequence_number: bad message_id 2; (bso#15346). * DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed; (bso#15446). * CID 1539212 causes real issue when output contains only newlines; (bso#15438). * KDC encodes INT64 claims incorrectly; (bso#15452). * mdssvc: Do an early talloc_free() in _mdssvc_open(); (bso#15449). * Windows client join fails if a second container CN=System exists somewhere; (bso#9959). * regression DFS not working with widelinks = true; (bso#15435). * Heimdal fails to build on 32-bit FreeBSD; (bso#15443). * samba-tool ntacl get segfault if aio_pthread appended; (bso#15441). - Update to 4.18.6 * reply_sesssetup_and_X() can dereference uninitialized tmp pointer; (bso#15420); * Missing return in reply_exit_done(); (bso#15430); * post-exec password redaction for samba-tool is more reliable for fully random passwords as it no longer uses regular expressions containing the password value itself; (bso#15289); * Windows client join fails if a second container CN=System exists somewhere; (bso#9959); * Spotlight sometimes returns no results on latest macOS; (bso#15342); * Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted to remove the destination; (bso#15417); * Spotlight results return wrong date in result list; (bso#15427); * "net offlinejoin provision" does not work as non-root user; (bso#15414); * rpcserver no longer accepts double backslash in dfs pathname; (bso#15400); * cm_prepare_connection() calls close(fd) for the second time; (bso#15433); * 2-3min delays at reconnect with smb2_validate_sequence_number: bad message_id 2; (bso#15346); * samba-tool ntacl get segfault if aio_pthread appended; (bso#15441); * DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed; (bso#15446); * Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation); (bso#15390); * Regression DFS not working with widelinks = true; (bso#15435); * mdssvc: Do an early talloc_free() in _mdssvc_open(); (bso#15449); - Update to 4.18.5 * CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174). * CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173). * CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172). * CVE-2023-34968: Spotlight server-side Share Path Disclosure; (bso#15388); (bsc#1213171). * CVE-2023-3347: Samba doesn't require SMB2+ signing if `server signing = mandatory` is set; (bso#15397); (bsc#1213170). * secure channel faulty since Windows 10/11 update 07/2023; (bso#15418); (bsc#1213384). - Update to 4.18.4 * Backport --pidl-developer fixes; (bso#15404). * Named crashes on DLZ zone update; (bso#14030). * smbcacls and smbcquotas do not check // before the server; (bso#2312). * cli_list loops 100% CPU against pre-lanman2 servers; (bso#15382). * smbclient leaks fds with showacls; (bso#15391). * smbd returns NOT_FOUND when creating files on a r/o filesystem; (bso#15402). * NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry and causes test timeouts; (bso#15355). * net ads lookup (with unspecified realm) fails; (bso#15384). * Register Samba processes with GPFS; (bso#15381). * Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation); (bso#15390). * The winbind child segfaults when listing users with `winbind scan trusted domains = yes`; (bso#15398). * Remove comments about deprecated 'write cache size'; (bso#15383). * smbget memory leak if failed to download files recursively; (bso#15403). - Update to 4.18.3 * Symlinks to files can have random DOS mode information in a directory listing; (bso#15375). * vfs_fruit might cause a failing open for delete; (bso#15378). * winbind recurses into itself via rpcd_lsad; (bso#15361). * wbinfo -u fails on ad dc with >1000 users; (bso#15366). * DS ACEs might be inherited to unrelated object classes; (bso#15338). * a lot of messages: get_static_share_mode_data: get_static_share_mode_data_fn failed: NT_STATUS_NOT_FOUND; (bso#15362). * aes256 smb3 encryption algorithms are not allowed in smb3_sid_parse(); (bso#15374). * Setting veto files = /.*/ break listing directories; (bso#15360). * "samba-tool domain provision" does not run interactive mode if no arguments are given; (bso#15363). * dsgetdcname: assumes local system uses IPv4; (bso#15325). - Update to 4.18.2 * Log flood: smbd_calculate_access_mask_fsp: Access denied: message level should be lower; (bso#15302). * Floating point exception (FPE) via cli_pull_send at source3/libsmb/clireadwrite.c; (bso#15306). * test_tstream_more_tcp_user_timeout_spin fails intermittently on Rackspace GitLab runners; (bso#15328). * Reduce flapping of ridalloc test; (bso#15329). * large_ldap test is unreliable; (bso#15351). * New filename parser doesn't check veto files smb.conf parameter; (bso#15143). * mdssvc may crash when initializing; (bso#15354). * large directory optimization broken for non-lcomp path elements; (bso#15313). * streams_depot fails to create streams; (bso#15357). * shadow_copy2 and streams_depot don't play well together; (bso#15358). * Flapping tests in samba_tool_drs_show_repl.py; (bso#15316). * winbindd idmap child contacts the domain controller without a need; (bso#15317). * idmap_autorid may fail to map sids of trusted domains for the first time; (bso#15318). * idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings; (bso#15319). * net ads search -P doesn't work against servers in other domains; (bso#15323). * Temporary smbXsrv_tcon_global.tdb can't be parsed; (bso#15353). * Tests use depricated and removed methods like assertRegexpMatches; (bso#15343). - Update to 4.18.1 * CVE-2023-0225: AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users. (bso#15276);(bsc#1209483). * CVE-2023-0614: Access controlled AD LDAP attributes can be discovered (bso#15270); (bsc#1209485). * CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext(bso#15315);(bsc#1209481). * ldb wildcard matching makes excessive allocations; (bso#15331). * large_ldap test is inefficient; (bso#15332). - Update to 4.18.0 * SMB server performance improvements * More succinct samba-tool error messages * Color output with samba-tool --color The NO_COLOR environment variable will disable colour output * New samba-tool dsacl subcommand for deleting ACEs * New wbinfo option --change-secret-at * Net option to change the NT ACL default location * Azure AD / Office365 synchronization improvements- Fix DFS not working with widelinks enabled; (bsc#1213607); (bso#15435);- Move libcluster-samba4.so from samba-libs to samba-client-libs; (bsc#1213940);- net ads lookup with unspecified realm fails; (bso#15384); (bsc#1213826);- secure channel faulty since Windows 10/11 update 07/2023; (bso#15418); (bsc#1213384).- CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174). - CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173). - CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172). - CVE-2023-34968: Spotlight server-side Share Path Disclosure; (bso#15388); (bsc#1213171). - CVE-2023-3347: Samba doesn't require SMB2+ signing if `server signing = mandatory` is set; (bso#15397); (bsc#1213170).- Update to 4.17.9 * Backport --pidl-developer fixes; (bso#15404). * smbd_scavenger crashes when service smbd is stopped; (bso#15275). * vfs_fruit might cause a failing open for delete; (bso#15378). * named crashes on DLZ zone update; (bso#14030). * winbind recurses into itself via rpcd_lsad; (bso#15361). * cli_list loops 100% CPU against pre-lanman2 servers; (bso#15382). * smbclient leaks fds with showacls; (bso#15391). * aes256 smb3 encryption algorithms are not allowed in smb3_sid_parse(); (bso#15374). * winbindd gets stuck on NT_STATUS_RPC_SEC_PKG_ERROR; (bso#15413). * smbget memory leak if failed to download files recursively; (bso#15403).- Update to 4.17.8 * log flood: smbd_calculate_access_mask_fsp: Access denied: message level should be lower; (bso#15302). * Floating point exception (FPE) via cli_pull_send at source3/libsmb/clireadwrite.c; (bso#15306). * test_tstream_more_tcp_user_timeout_spin fails intermittently on Rackspace GitLab runners; (bso#15328). * Reduce flapping of ridalloc test; (bso#15329). * large_ldap test is unreliable; (bso#15351). * New filename parser doesn't check veto files smb.conf parameter; (bso#15143). * mdssvc may crash when initializing; (bso#15354). * Large directory optimization broken for non-lcomp path elements; (bso#15313). * streams_depot fails to create streams; (bso#15357). * shadow_copy2 and streams_depot don't play well together; (bso#15358). * wbinfo -u fails on ad dc with >1000 users; (bso#15366). * winbindd idmap child contacts the domain controller without a need; (bso#15317). * idmap_autorid may fail to map sids of trusted domains for the first time; (bso#15318). * idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings; (bso#15319). * net ads search -P doesn't work against servers in other domains; (bso#15323). * DS ACEs might be inherited to unrelated object classes; (bso#15338). * Temporary smbXsrv_tcon_global.tdb can't be parsed; (bso#15353). * Setting veto files = /.*/ break listing directories; (bso#15360); (bsc#1212375). * CVE-2020-25720 [SECURITY] Create Child permission should not allow full write to all attributes (additional changes); (bso#14810). * dsgetdcname: assumes local system uses IPv4; (bso#15325).- Update to 4.17.7 * CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext; (bso#15315); (bsc#1209481). * CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users; (bso#15276); (bsc#1209483). * CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bso#15270); (bsc#1209485). * large_ldap test is inefficient; (bso#15332). * CVE-2020-25720 [SECURITY] Create Child permission should not allow full write to all attributes (additional changes); (bso#14810). - Update to 4.17.6 * streams_xattr is creating unexpected locks on folders; (bso#15314). * Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment; (bso#10635). * Spotlight doesn't work with latest macOS Ventura; (bso#15299). * New samba-dcerpc architecture does not scale gracefully; (bso#15310). * vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat; (bso#15307). * With clustering enabled samba-bgqd can core dump due to use after free; (bso#15293). * fd_load() function implicitly closes the fd where it should not; (bso#15311). - Update to 4.17.5 * smbc_getxattr() return value is incorrect; (bso#14808). * Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled correctly; (bso#15172). * synthetic_pathref AFP_AfpInfo failed errors; (bso#15210). * samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when there is only an AAAA record for the DC in DNS; (bso#15226). * smbd crashes if an FSCTL request is done on a stream handle; (bso#15236). * DFS links don't work anymore on Mac clients since 4.17; (bso#15277). * vfs_virusfilter segfault on access, directory edgecase (accessing NULL value); (bso#15283). * CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON (additional changes); (bso#15240). * %U for include directive doesn't work for share listing (netshareenum); (bso#15243). * Shares missing from netshareenum response in samba 4.17.4; (bso#15266). * ctdb: use-after-free in run_proc; (bso#15269). * irpc_destructor may crash during shutdown; (bso#15280). * auth3_generate_session_info_pac leaks wbcAuthUserInfo; (bso#15286). * smbclient segfaults with use after free on an optimized build; (bso#15268). * smbstatus leaking files in msg.sock and msg.lock; (bso#15282). * Leak in wbcCtxPingDc2; (bso#15164). * Access based share enum does not work in Samba 4.16+; (bso#15265). * Crash during share enumeration; (bso#15267). * rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer; (bso#15271). * Avoid relying on C89 features in a few places; (bso#15281).- Make (32bit) samba-libs conflict with old samba-ad-dc-libs package to satisfy installcheck.- Make samba-libs conflict with old samba-ad-dc-libs package to satisfy installcheck.- Remove non functioning ifup/ifdown samba-winbindd scripts; (bsc#1207414).- libdsdb-module-samba4 should be packaged as part of samba-libs and not samba-ad-dc-libs. Additionally no need for it to be removed conditionally.- Clean up logic for PAM migration settings in spec file.- Change with_dc default to 0 (for non TW builds), ADDC feature is deprecated and will no longer be included in >= SLE15-SP5; (jsc#PED-1122).- Update to 4.17.4 * CVE-2022-44640 Upstream Heimdal free of user-controlled pointer in FAST; (bsc#14929); * CVE-2021-20251 Bad password count not incremented atomically; (bsc#14611); * CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability; (bsc#15203); * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); * pam_winbind uses time_t and pointers assuming they are of the same size; (bso#15224); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories; (bso#15252); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * libnet: change_password() doesn't work with dcerpc_samr_ChangePasswordUser4(); (bso#15206); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); * Memory leak in snprintf replacement functions; (bso#15230); * RODC doesn't reset badPwdCount reliable via an RWDC (CVE-2021-20251 regression); (bso#15253); * Prevent EBADF errors with vfs_glusterfs; (bso#15198); * %U for include directive doesn't work for share listing (netshareenum); (bso#15243); * Stack smashing in net offlinejoin requestodj; (bso#15257); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); - Remove deprecated if-{down,up} scripts; (bsc#1206444); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exists- Introduce without-smb1-server spec flag; (bsc#1205104); - Update to 4.17.3 * CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit systems; (bsc#1205126); (bso#15203); - Replace obsolete python-gpgme with python-gpg * Upstream replaced it in v4.9.5 -- bso#13728 - Update to 4.17.2 * CVE-2022-3592 [SECURITY] samba: Wide links protection broken; (bso#15207); (bsc#1204499). * CVE-2022-3437 [SECURITY] samba: Buffer overflow in Heimdal unwrap_des3();(bso#15134); (bsc#1204254). - Update to 4.17.1 * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Flush on a named stream never completes; (bso#15182). * Permission denied calling SMBC_getatr when file not exists; (bso#15195). * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC; (bso#15189). * pytest: add file removal helpers for TestCaseInTempDir; (bso#15191). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC; (bso#15189). * Flush on a named stream never completes; (bso#15182). * vfs_gpfs silently garbles timestamps > year 2106; (bso#15151). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * multi-channel socket passing may hit a race if one of the involved processes already existed; (bso#15200). * memory leak on temporary of struct imessaging_post_state and struct tevent_immediate on struct imessaging_context (in rpcd_spoolss and maybe others); (bso#15201). * Since popt1.19 various use after free errors using result of poptGetArg are now exposed; (bso#15205); (boo#1204279). * Remove special case for O_CREAT in SMB_VFS_OPENAT from vfs_glusterfs; (bso#15192). * GETPWSID in memory cache grows indefinetly with each NTLM auth; (bso#15169). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). - Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689); - Fix use after free errors resulting from using return of poptGetArg exposed since popt-1.19; (boo#1204279); (bso#15205). - s3: smbd: Fix memory leak in smbd_server_connection_terminate_done(); (bso#15174). - Disable SMB1 for tumbleweed builds. - Update to 4.17.0 * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Cross-node multi-channel reconnects result in SMB2 Negotiate returning NT_STATUS_NOT_SUPPORTED; (bso#15159). * winbind at info level debug can coredump when processing wb_lookupusergroups; (bso#15160). * Make use of glfs_*at() API calls in vfs_glusterfs; (bso#15157). * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128). * `net usershare add` fails with flag works with --long but fails with -l; (bso#15145). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Performance regression on contended path based operations; (bso#15125). * Missing READ_LEASE break could cause data corruption; (bso#15148). * libsamba-errors uses a wrong version number; (bso#15141). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * New filename parser doesn't check veto files smb.conf parameter; (bso#15143). * 4.17.rc1 still uses symlink-race prone unix_convert(); (bso#15144). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Manpage for smbstatus json is missing; (bso#15147). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Performance regression on contended path based operations; (bso#15125). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Fix issues found by coverity in smbstatus json code; (bso#15140). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). - Migration to /usr/etc: Saving user changed configuration files in /etc and restoring them while an RPM update. - Update to 4.16.4 * CVE-2022-2031: Samba AD users can bypass certain restrictions associated with changing passwords; (bsc#1201495); (bso#15047); * CVE-2022-32744: Samba AD users can forge password change requests for any user; (bsc#1201493); (bso#15074); * CVE-2022-32745: Samba AD users can crash the server process with an LDAP add or modify request; (bsc#1201492); (bso#15008); * CVE-2022-32746: Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request; (bsc#1201490); (bso#15009); * CVE-2022-32742: Server memory information leak via SMB1; (bsc#1201496); (bso#15085); - Update to 4.16.3 * Using vfs_streams_xattr and deleting a file causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * Samba with new lorikeet-heimdal fails to build on gcc 12.1 in developer mode; (bso#15095); * Crash in streams_xattr because fsp->base_fsp->fsp_name is NULL; (bso#15105); * Crash in rpcd_classic - NULL pointer deference in mangle_is_mangled(); (bso#15118); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * Fix check for chown when processing NFSv4 ACL; (bso#15120); * The pcap background queue process should not be stopped; (bso#15082); * testparm: Fix typo in idmap rangesize check; (bso#15097); * net ads info returns LDAP server and LDAP server name as null; (bso#15106); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * CTDB child process logging does not work as expected; (bso#15090); - Update spec file to fix the optional Heimdal DC build - Fix external trusts with MIT Kerberos 1.20 - Add missing samba-client requirement to samba-winbind package; (bsc#1198255); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Add sysuser-shadow requirement for packages using systemd-sysusers - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979); - Moved logrotate files from user specific directory /etc/logrotate.d to vendor specific directory /usr/etc/logrotate.d. - Update to 4.16.2 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * Reintroduce netgroups support; (bso#15087); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Update from 4.15 to 4.16 breaks discovery of [homes] on standalone server from Win and IOS; (bso#15062); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient -E doesn't work as advertised; (bso#15075); * The samba background daemon doesn't refresh the printcap cache on startup; (bso#15081); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Fix samba4.blackbox.net_ads_dns_async test with bind9 >= 9.17.7 - Support building with MIT Kerberos 1.20 - Bronze bit and S4U support with MIT Kerberos 1.20 for Samba AD DC; (CVE-2020-17049); - Resource Based Constrained Delegation (RBCD) for Samba AD DC - Support building with gcc 12.1 - Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362); - Update to 4.16.1 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * Need to describe --builtin-libraries= better (compare with - -bundled-libraries); (bso#8731); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * Username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * KVNO off by 100000; (bso#14951); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * smbd doesn't handle UPNs for looking up names; (bso#15054); - Update update-apparmor-samba-profile script, replace non-printable delimiter with more human readable separator as sed can accept separators that can appear in the input data. - Fix update-apparmor-samba-profile script, sed doesn't like multibyte separators; (bsc#1198309). - Update to 4.16.0 * New samba-dcerpcd binary to provide DCERPC in the member server setup * Certificate Auto Enrollment * Ability to add ports to dns forwarder addresses in internal DNS backend * No longer using Linux mandatory locks for sharemodes * SMB1 protocol has been deprecated, particularly older dialects * SMB1 protocol SMBCopy command removed * SMB1 server-side wildcard expansion removed - Add python3-dnspython to samba-ad-dc recommens; (bsc#1187101); - Use systemd-sysusers to create system users; (bsc#1182847);- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./sbin/ldconfig/sbin/ldconfigs390zp37 1752585133 4.19.8+git.430.a10fe64854c-150600.3.18.24.19.8+git.430.a10fe64854c-150600.3.18.2gentestlocktestmasktestmdsearchndrdumpsmbtorturegentest.1.gzlocktest.1.gzmasktest.1.gzmdsearch.1.gzndrdump.1.gzsmbtorture.1.gztraffic_learner.7.gztraffic_replay.7.gz/usr/bin//usr/share/man/man1//usr/share/man/man7/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:39674/SUSE_SLE-15-SP6_Update/aeeab13b449b36a000127e6292fbe0fc-samba.SUSE_SLE-15-SP6_Updatedrpmxz5s390x-suse-linuxELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, for GNU/Linux 4.3.0, BuildID[sha1]=5ac747b7381cc02bdaa32af8127863c70e335d10, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, for GNU/Linux 4.3.0, BuildID[sha1]=4cb47a4b9695266f6c96fd2c14bc517276dcd1dc, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, for GNU/Linux 4.3.0, BuildID[sha1]=37efbafebad97512bcb01633bac29c9705e404dd, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, for GNU/Linux 4.3.0, BuildID[sha1]=328d95e56414b219708a757be6ae02af00b9861d, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, for GNU/Linux 4.3.0, BuildID[sha1]=6605b6693a5da10888ad1371a3dcf7377780acc5, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, for GNU/Linux 4.3.0, BuildID[sha1]=90dba9ec7fe0f94b852776b8fdb9c529ae6ba670, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)troff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)5g523,RIR(R*R$RRRRtRR RRlRGRRRRRRRRRRRRRCR0RRRsRBR)RkRRRR/RRR'RRRHRRRRRFR#RRRRRIR(R*R$RRRRtRR RRlRRRRRRRRRRRRRCR0RRsRBR)RkRRRR/RRR'RRRHRRRRR#RRRRRIR(R*R$RRRRtRR RRlRRRRRRRRRRRRRRCR0RRsRBR)RkRRRR/RRR'RRRHRRRRR#RRRRRyRtRRRRRnRhR7RfRR.RRRRRRRRRRRR0R-RgRR6ReRR/RmRRsRRRRRRRRRRRRRRRpRtRRRRRRRRRR0RsR/RoRRRRRRRRRRRRSRRR,RR3RR RRGRRARRRWRRRRRRR~RR|R R"RR$RhR?RROR RdRRRRR=RCRRnR*RQRR(RRjR0RRRRRRRRbRRERRlRRR^R]R\R[RYRZRURR5R R&RRRRRRRRRRRRRRRRRRRpRRRRRIRfRLRMRKR`RRRrRRzRxRwRuRyRvRtRR;RRRRRRRRRRRRRRR9R7RsR@RR4RRR/R:RRRRRR_R RRRRR#R}R RRgR{RRHRRRRR6RRRmRVRRRRRRiR)RRBRRkRRRPRRoR8RRRR!ReRaRFR2RRRDRRRNRqRcRRRR+RRXRRTRRR1RRRRJRR"Lrqг@%Dutf-8d3d9234883bb5491ff4778487145715d3613491541c4dc10accab58b575bee4c?7zXZ !t/A]"k%2_fR6mH> >H {_;g,0 r UH:% rt@;}L7mEg&!XK|a6~d+}D#ajTNm xG6VZ=gL<%|5HYVd}#J}Wu- JӨQGL%fq TN0nj?_5ojW!|K͂9k;WUMAc[0ynv[?5\lyLC=$9ԢZgTMy~4? 0Ep.#-4)<$H?QHҧhv> 4݇+mJ57w6Fr˖{ZUXn6tDE}1Ĩh{* 5A8 ncth~l^ 'lm5^Zп0q*hSd}3^8{ g)vT/-xsE~4OđtoLJ߶=;'^ٹ(F~=0;-,+D H ?PkPp1;L+1%gx+GӅ> =}5eT 0(uo=A*$`C@/ uT. 'EN8D,fYPǦ\;|#-9sZC²b21:W#npRЮz[#s6bѧBP$&[S)Vv_- 1?nHμ)/O5)GLl!wG*D?*l .l[,^׹̆m\zRGT5Z *8ASON;L|'*bm1*$ͩ;w+)ᖅC[uFw4dJ6 9@u$+1ⅢPt^.&zWlķMhׅl_ҮhxfE\:<Ӈp"e!mθ&]eγj& %wwdϑF$5s$9FZ-|/+EsLA!&>-m' @u1;=㡳Z5ckeJC2 &,4-:̎,c> ѐ`2RCE_+`~%2J~)XcoZT A;*:D>~}JcNL##giJE#f}|$C3xXޱTD7F}ʄ}"wq֬64=JbM޸i oޗ-G| <]=q`6 &d`ϵ:rt,>(·/$IoiO(sܘo@o4mjA w$ [Y5|<x{ ZĄפfOMME$R @sXyʙ{ji4lQ)Mb]De|Sz $ӗeC}Z-#ғeRwB V@H({n(=C/3 g2_1H{`! @:[wfZS?[cor4GwDbX61rh$tzT$$oՂH"~=U$]Ӻڰ%fV.Z8TXG;5te|iVOIr՜_S7S{TTaX2d"ҏо$OtDw~[VtSW&E{]NڴHɡ~4/f9ER!q 5(_XD\R*&ŜYInq*q(;Vbw4#AX K#5u kf Y_iעe_LȒn%#yr*p[QmĜ*v·GUo]ht ~8Wvklp^)=TikXB)```DGAюjq"K#͌-cm[ÐլU~ A?bԪ u<3`HYtpC 4*ZYh3y%K ~[C( 8}lshN-ي](<{O!/A7>Z*CObǺ$sG(oWUޠ&=EqSw+ozq WoEc|h6@tX>!Bmk[)YX`絡Ү ,ba') F|TQj@'0. M sV³MxJԢX˝jiJHK}^G1yUyUK2kIX԰:n)4K栛7=7|v 5]ѐtN9(퍿oniUuOFg̹VͱYU GxD3wť֚D4$788If-2/hfV;@R}ު!]O#zASp2M6 ߸aiE_.pp7WЫ,%\~S6X6\&hs~D8\+vW`Hx1#g\ 5-ЎG8@jbZagznK8v:wrPHUY*Xw%Qi Tf K O^Ob[ԟPaIL(16f.j/T)0#܈,B-O/vj-hQwcqW^,bz~E0YHdt5u9FZA}k=u^ٳ2xGZq$2@MZ:]iǼ&c|˨ r2:zA;gkCjtjmU PZ΀hdW XIs?46#dyY}3_h|>6P_ i|akpKeb4h glLx!(֙~WSjHm La;4,.ZסRbH{۵$EN[1Dod˸&+. `zC ӱSn6JJq[=}ɸb/`fÔ [ҀOA1<8cনq4k[HA/ėJIWS;tx"Սx{JPDDU9o̰tG\޳yݠP}KQzl"ҐeDmRig~%겢& YXaEAsHv.?j~mvZGmH|8=-aȡ@X(˛wŏzW.jsLEG 9q*\HnoHRp fpOPLWʧ >b\Nj[BmZh[4$<[cƐ,BvhV;P,hE}`]89[C+/*;Vb|ND'w|k+]xA4 :~ =mS$}qU*{| V'QRQ4RC +@ЌNZJ%oQ&S;5We)M-<H M; E' k-B*^)A`q{@t8 ap02ԼMTmHtb#h \9|qIBeJ^]<>WܔplSˠGiΎƞR(Y,ZeA,/qsmgH86Ƞ da{Yx<MhJhNKƥQkվܖ;(TO . !ѩ* A8F!M-y@lU@W&1kxmmpt+iN轀pd~61XtTJ~eHY:% $"_j:[ ӓDLE^ǙTy~t[vf47D;i. Bu|,0U,8ci" qF+jvE'C5~)~x7欜pczh*ñ}L DjSYZۏ Z1Mu$>b/MYi,iQDc1q} i9U`cryV"%◬6Bb. + Yb\s_ֈD|9 ]H*&mbo& yi~LCBhOV&6F˜a[@V34DY/G#G.v(W=bث<6bi+%Tf9GdWh`m4LZK~[Vyc ](Bͽsg2sxR?f*+ma@odQw-k}lNlu|7:ؐ_"a{/XF2lاJF΢u1oB'rx|ۈc9(k"won Btsl{˱HEb?\WMO띥#ڕknXIEթUuI(G 0rq7^(2xiKXՄW{lV4ԝ&!KB.bWGpzEQcxj2")"LQR: b`'~fxy{$_SeĔk\B-fd6SH5Z4G]LmM>lJWسcirUԔةoK:P)&7d:`H ``Bd{zKK-{0m] F 8O5q&/`!:{$(/432C/^FY۩=!vG(LfQ%twInwV.uT|(P:XMהuw6O SX Sq[DnM>u%k)/x"1Au3E842ټҺTtͤ1VVm@7Fp9n1S,g oΜ< ph~=^2}~hshU?>x)m4 q g&r۽⢁Fsɇ!dO¬}ܚ<[#Pwh+%,3y gUzwo(p[dCU0.$ ^"4]%J :v[Ad$ǭmqL> o7:nj4'u^Τd'?5c:kGԯ}ˬŁB8{5I AAE޹ \v3oon_a#Oe%RIA-ȶ⑘*Apu/ EQrB9eg_,A_O+xMOGw>|4Ej+P7G*zAqݏه"%֙y,|Z/iuPz^C|{<{z]3zXOH 5l\oZg*ZȝQuRؚ2WXt\Q֕q@X& (0ރ(s{ (\z&4~5I]3oB_p2ŴgE Μ6/tMIPKlf qjJZhCd3Bޱqn=7fR6eOf{gY͇9;!Ia'E A&Em=;Q%"Zfda[ "`K0Hft:z0dl}£3Ҍ0E~zo1r!Q#,rS]@ӥ\t\>A @5@'@L ?ErҘzѻ>5*SqSj=i]-oWͩ&KlJasl.޽sE24W Xe壳$j v 0<:cacVgԢX#[L/[E+wW/e ֈGh~"c0 ̶) kIe^|ó<W%5wY'&3.&3x* }a ^s8nz8AJg&&Dqtu, =HKd\껮s MR}'#:"tH,ڢI~RtyKӼmi:FZ6=5߶e-P,l抱vV`P 6ЂT`bږyތNW~pG@)0Pk! l/tDz@fc3>eyuwpa,@8ɬ#؏ɌX(4(SH|m MtѻoF+w'B}JfĞ#w1[9z"P,{TM кNcT 8 7# ܱKVҹo5S0DE5)%TƑݕ10C/ }\I_,zա{ K /yE>ɸ1(5Gcٍte]T">B .}C=yWl=<ۚ'1/ {|#wo 5=SIa5n(XG`=h`Lj /<ӏH ®bہְ ^dOfץ#aS F5-=f"@Ϲl= 73Œ/T1<d [LfԤȃmSsS_BmOc>A10飐=ňAtgKˑ;q4KNTlT9p*ɿU{vD;q&Bb}' l4BW Ӹz2wy%lH"' 'J%ڐe.F>r6@ /rƚJ!F]]4rfAWCcATdLݶfbf'Hâd[aR0(g?%%GqawFKECXRFXdp!k,&H/Nm*)y͍ IY@|#A8^ői>(_aů[SS<MR捽ŽB8q:F3\MBrM0dSit -duw+h#*ڶ N>^h/F($ֱ9D85kl.4VJ쵍lw&1z?tv`RȄμ1 ncT߱@b]Nn6S=79*Q"! 2W)`E2Ͼ۞|\yQ2T|@V`ϩ8!!5WN]]O艣4.|S%sR:F[stnNwj!%!x;z8[C& V[dI>5X5, YYMI dD%Ĩa_$%wspy+$ ={:[O2QgZj*6%t( at?s^,[*HV[ZGs6~\t~:QzĆyFęQ„\ˉ#TfA)JQC!G5u M~|3h\!34p0+v>~vo]j\g"7ПP_/C&x*XTzF4K53iC]F vy:^bR,?o*C87]#3<=Byj,W& 0e0Iºz`0mFTwh)jgi[ŭef¬גGqZ#ḿiߣWl?=lZ'ѱrHb̎P8=AưMrKO4yIe\cm^ȘH ŴU\fbB]'ºtxsrMoLtKz#D덮SON,Vv#)+KPT29\9j 2K9 F exOG)L>Ys ^ތttXQ`a,*A7M˚AB=³mwa\Ty6GL,޻c`^;D W>5Q]l/n:!EZP8.Oi)OC tA#D{AYO2_ZIT(fiVr+yf5U4S΢ɋp =4y}Ò˴sXB{%pe%@^Aؙa=G؁9aUejLؠ B>BYqGVn{x^Oqc.DќlX6؇xL;D(cb3"ڪ_{&B;}^o*`qLՂۃϐٜ?-{}:4/cq>;/.VU#)nًM~e[~l'&JkdHHI*`W['0_R(FHgC5&%C""6ʭ^,iyYO |::MJZ!A#CoŠG!Z2z>Zh3} Id%#LJyw(7".ʤ 9U]*zK jg"ryQjUmyxc$Ca6C^)Ya.lh ~I'hYaP@@#T9Sɛ˗]lURZ5ōRb9y+g?"@tbdś[l921]mb1' bj> L.m֍\z/5V&OGְ9s@tfq&\@+檉{:jym8@s)0 # ;mL,ڳZ [̕9J KV!8ZQerH;D+&ojT̻w i) 3Ko# <* %j6m>X+M؍zsr~bܰ B2ӓ넇+b4jķ7ٮK2NZѾ a =ma~no6#PޒOK,m{VIsL8}˝$IoyLdO-xsVvh :R |Q}P1s,=Y+)tBr"\_03 Fu[٘p *w3,_0*%2ڙT>a;(JHA<"uC]s-Njnn HX;S7$|Y4ر 63ɱ@A#ax`R@S\6cD/+cz1q(/2FŠb_u,oXt.d{GsaGLX;tLatpx E@_܉V0V|k.2Znɶ8j?)/zjJ֖ȗ ee =:Mm;rqJ]wlwڷoiW y@buٴ~`D:4i t4:*z |SSh%ӵ7!{w@Q#T!aH oAH Z>7=3n1 gM9Re>~|Wpd[@Wc߾0H-+wVMaɍ2Pa%UhYLLW6Gه'1c LC*!R2=+HP-aݢ1CWJ\sn(4~釆WK7VڕG# S[jQWWi^YLF, QS>NаDg.%oKHƈb]fPYPS?f=%j:b_&r?٣ .]T[J2VFlq a}2C[>"7-L@&*837W:`#J lIg{f7Q8^6 )@d<8ai`EҦ!d L\++bï/Sq;[sWC9;Reʂe݁5"ʊC9$ (B 9),ҖL?@kAgfi8 PԺw[&vIVnG|;ZWf'af4?]c~zvq5 ђ`]N Zmvl\ 鸛ڭaP J퉼Y1J66;(7yd=KX(K.T۴̌C QQ!Qf{R˩%A${q9^%e$*keE2l߮30a8[@O<]6@DDffOỹJGRn6 aYF:a6WW- ymfxQ~#R|),+XY^¥guױоě>DOZqׯ;!%["4؉jSE_S 3VrH>;`*YZ'g4IZRoͷRvWPIdkE/̙P*<o;4lzܻ-}{AVUgNv`ī*dZUmsLm-2c4eS;jQ,Fh;Et&Fjb:fc(P(7i!NJ+}#^.?*SJ^"D9^/TՎw:nL]u=ùHteU~(ԣɑ?ěF :DAW1PA"" ʙqWB)uS%7Hibn :E&&$!-Lxkj_#T䆌V3!8 I3ҕs,Yˉ*+õ#uGz.nPX=ȑϱ3Ĵ9+.4Z?3CvdLD46&(PiyŁ C(U; =Lk4wR LMB-D S5~u@/ᓃi'l'h[%C*60%Ӱn89L? ^Ie*`~Z?P <i(6va\V. *{X Xv$0b!rW!ƐMlتe^>\ؠ-VHMޢxØ08A' ৅rMud6`W^$B8S&C4F֤7I(MU:$Pp.UzT ~hw#Ϛ r<5 = ꁓ:0Ec4c?Gf8~5\p57vֵZiE,X̧hᛍy*&e5aȇu\~m~ͮ*]Ã%d?囯6IOb?>*xcWBS0qt^!审26k~o5[K5&lo*}vm$M ?l:sOMԀqfN+>:{S|^WuŜd$!% ƃ+Ε\$k8d:X>^ =& tX謁|(af (>[ WnwV5ݕ%rQDVBLՔcK[Oӫd3~s4B& n B~Cj:h24G"ƽO`Uh.K9 d qXrYyhp&j7{>.^vkOO(_-{zM6\ 7Q0Q[焬p{п_~ M:rsqte;w^,1ZZ˂t5~ i)цA4hB2 -ȵw@UA ?<!5Ape8ʡ(Ol%O1B僼 D._sYs(N:m$s&Xdޢ &rhsѹ4oKMMqŊm?ޅ<[) yc:G4޴ՍDEhK;oh޾+NV*Zci8hgfVr]N !BMe]߳! a/4$K淑Wcş^QLw!RS˅s5 Fq՛໬e#lw+Cd=^wR2nB&g0P,Vo*Uw߆-Y}ؒU{tLoM:đBMDSwqwhid'rHOʨ=PR3hUw Da_b,Ş_2b7HRd5/t7/J7=,ЖR~u/$Ed^rD 6$O0zW"ʁy3A >{GTǍN ÔЙ&ɻKeU 037&A8`Zm g'K6CgIP*KJ,GRS\v}ͽ(U5Z&*KY/:?/ !ђJKE +9ߒCTU<H~V=2[GXsQIRAτsDi}HTd]pb?˳ d!ChQ"Q.!#xA7d T q9dM步ovwkw6gPX?ż S .kB LwITi+9_=/?8wbi[1!?3 [7ϊF >"UlQyr fʱ뗑j"";zOR/3f`KHĨ؀)Ȉ PMFO}{(":bT6@}4cŕ@{wdƮlqfta~ ضP*Y j ;2M=ZrukM&.Q@xil -Un?)Ȓ!{v \;y]hc ׉ $=nIg>HVZ}E*~"̭yOEb:836,7+q1@F +)#)]:ՈM| -y Gt,7^T@͢ .RSBpLgoI֬!̟Z&[nB& PKijdl^-@ʒ*/4X Կ";s4|4]iU] j5sr%4j3*y@Ֆ8[O?>3f;|gNZ̄BD=3Ϛ`M|!+y=R#bʍ6A_WS|G@0H~pn4ws+'cA"4xPUYvrx-c9rqt~'g p;Zzk'JQ+,ʔÜ0!xvkrP6 '~$UDlE!*]1RoIEf o1Y gUY"V ?,o.{2:sGcL.9?=@MBȹ#$J \[:/4. PyEzXKqihB!ˆ򶃏tRBj?ʥderkuve֋ 7~KZ|Swd=HȘtf;ln:(x,~^S!Q)LH1S8R,GQܝXDۦNGǛHE]x (Bq(*={{zjud"E>TLz.=Nr!0{cKOu<|\Q8Xm T, ;ο;&ME'PO(@,o8^;0?K ;QU d ԑq#JƤ=\YF{{i:-Gxy79r0 &{Lhۭ5$ dg(.K=9PdJ.bRKED^@V`gun(&"i͖mZRHQqI9]/u8&E䋣8?<n>p._BTCK#2t#qpZ*`z \Qe5'йTu0o1HG@kvA_}Ll#v2NqA.ݝϵ'̱:'$UbFB{"0e|WJ *#=4Ƴ=~?qGLo|?3$ _{t'Ƌi7cdk e125 2W -3X VF4# v QYڃ7k{nI`d|;;mi6*zC4g0k=A<^.Oe{Xк`'汇A_[Pk=Fe!M$(Tg!; #{B.M/]fgwAnaMk* AdQk&k N#̒:kb_&];Yb pQˌ Kr @4hL7T‰AiN: qDQ͒mV#$n{vyۤ ޼rd]gb9 58+!H !LjlS`KW>̯0l*F(wu56";>b &mS("7ROpn$ƨ{0D[6Kу)8s'.G)ҷ6+⋩1Ž)7I<Âܧ(c[PƵ S:nHG3Z\{#U拘Yڰo1^=GČR56ʧ - A84J2)ʶxA \lK{U HG{2q&Fҹ6 dѦ f?ghM=˄[jXRuެcI[_f'ʃl' ֛X]k j\ؠ^79;=W_<SYMPIgD7+[59xAl3VĿ]һWa\m`Xs˴xCI nn/o"Lkpӭa"/̏r8k&oZzna[h;k},H+8Eߡ(U.1J2l C=E)CʜXY*RW[Ԣ,Zjk|#@f3CD4E7Q! &siw* 0޸gr*"[@#شrZarmw;c]P*7lqN= `>gD =3 akͩ (~u9MQ6 09!~eq-Wnk,J"czp ic?S/m6RE+Q)d 9]e(ZmLM q@7==bc9vlF֠sn52+_)ė//df #-V.YY߈Go}t%/Nl[ i,A¶WDgʄlqV1)@0=I\̄R^xKO)UzhqYKɠ3|WkxOL~s4Z;fO!|̤gM29r)櫺pS .lH*LxݔgW ee|5fnT Ā;m W4Fa%V|.=.sKr[#(`5 ].WۑcQiyUb=XfcdWpUN-\sݬY#44+BAsŶO1ڼOr` vh-'̝|W$(:q(p)`r Fm jψFeÍmg9*o>tFN|FqrrpSyHi@vwiˈ$"`K,Yr=0~Ob']kNMq#,A*|>dnOp>>~vJ&qٹG)C e4|ONGwIloljW=nѳò d:el'>/`X=W j$XhѨ#0w9^_z\-$ѯtO:r_ >6cP};yl}6o`(64u֜3%UceNH 4%?zhCS/`yU|kNFL$u`~Oά6=V)Z~㓫gTH@VM*1!f"ҔsW 5l_o[= .fF +)KIdM&=ͽ臷.F_RȌ`7Ho.~$vAXp>7UT=#b<IDXUL2ǁw&쯀 N!C\fKoRCp)`Ϫ B֎[0Qx U= UHT?ZFÉD=EX\Ϲ_+%HO"g /@>$I5bӨ)o7V.4H_y[ڭd]>;ǿ>q- HƈUKw;S'R/L㼂 ~GWͮ< DDSj \YT>BJ tPSќ쯡籡_"7?S{$BTl*~!(^Z eG}̥ 3(¾aR>ܧ`oD<a)ٖnXaQ:n onw~ t0__ۼ|ym U)Vqq>vasLj? *_uD<3ǘNyV\OҖuOSfpUHLJmk={ZXOtR[Ng|mHKYѾ;E51B^u0a M 7eO)OtApeEvC8a-݄ɵpUq R5[,d]7ן=Eչ &.K)(&[l>9\됕.f<,G=0Xm#ܣ⫠M;lG)eS20go|(LN 11,"t"s,N b*#PYl.-MíOCjeNLhĪ{E,ķ0_] ID~#@3GGmql]Nz.md{ܖzZ(RZ9p܆eju 6+.((Az[ @`N^ !oQ|LKKU%N,NWh4 zX*d u-K؍ha IC&泝ᤜPL\NmX*&Tw990e4H_ `L١li &+&/{e ӕ@Ur2PD BOlr'=.} U0q_\YءV\b1Xf. E1:N|\rÜ, Fo !MĊx9Ui =nسB)H 0❗%+5YEAw4 `=(ZFIN82 wfTE4%F,LǂT!ARì-GReNIX;`7Vw{%BUW] y?E`jhJU.G崑ĢmGq$%+ߩ7\^kjx=SFz]نb\fo16d0Kl q Ի9吢W+Uf w4sq,w64abIkMuTQVjfT4$]ʏ;'MkNBwk+?|Waygv%=3Si_s+y,Hr|E16,V r̈́3M#T1J\c)U0CRpi/9Zp9%b[+Ԡ0Qe|-0!7'x24͜PW շ3Tee@<-bZ7[aqajXNSQ3浻Ce3BØ@u&<5T):<:1LzBAF@L\#ǑJ |1H<[<>\u:aV,g A#-QA 9lؘMTtX\mQd,DjnG1$AL6f5cy (f6 e] 4/EM QFl^fݩ\jqkMy6{BPʏdQ wi\D@Ӻ qaXZ@Iᵷ4E"qS{R);X6Y%;O#6wA\P-8G*']2?b4E!EX Œ&j {I_=zyfWGmV^G?dς|J]^`y[8w<ښ}ƃ~W^`3|fAHԟ:_58P^{K2uvvvtO'r2ΎTS;(2)ػPF(%!oێޫ( Q 0*z5"Vg(F?Nf9( *ASä "Y[SW5REE.|D/h;kle.F xPOu\#Mfq3Ev+Wn9Oʓ7NZ,‚TQ͉4_UWo#7@"ڕG=/ Fk!b9C*ԾY4;7$xL  eJ!̵I>|y;&azߥKŚ2 3@VZs-?4g%3,ghox{H>$aQ(_pfիRKTr a>bl@1Y0`Gyz] &9]0gU˔hQ wKXx{Fu D˖~q9k|5/'LV]j^/ }G$i(V;d kf#3Y|\-_" ?ܾF,RytGYx& x}|1DŽI7SUD( w;IҼտ$ޘhW&JJiϞ֒}L뱩GhȫekMFTm;`p%^}*ssSkIL<1x6tiIWI"}9Z/J06MRr L;l]cmbf/|ғ4tH o)}UY4;̼k$^;2%;çRlھSt듹 t]Qq9gcSեjsY_`(n0TSW8<"NF$ѽM&h̾9m$m%.1D / V֞ͅ ݋t(]҇J9+|3꼬7!0<͇;G,cIh\#]$ d77?\DG"b~+=5|5KO285e\˜˗/[`BsC/K,fɂX߼VbԸces28yfq~7MbHaAvG_ buU]!vVaAG/Fpb5J88Z b߹{>}dP.k"@0 r%39~_7*s/K*X`;%Nszh"[tP " ?~)g~J*En"+;b:Rhh(bP8}'ÂSnwx-)ԣ W#!Gu.1tDȭ-,;ɘgNaǁYX:ݤ#X#pVZtT>N ؖ-0R]RC :n Fc㴢¬c8%܋C=:1w իn(FؓN=-6DƗi+NޟS~mѱ4s&=ιNqwL=DA|vΘ`o)OϋrNֽh>Y-5lcLcU=׏"w@+ |ap#e}VY,Fwfcs>dAu~찘3nOd00XZl*zZZ,uU}hj3stVʻB3߅TSy%ۋz>v :MHd| u4"ϧcc\2bƀfq9/@Z:;%f'E?7e{@nWǽ #+^u1L(޿ݮ0mMgE^V`^,;9U%.Ph CValm [y8̚!4gUz{;#ɜ9r J`VD璪ԛz[A0[!nainƌ7J[i(Q(ס)_P=*(lt#YC:*C,Ý>; &ԟrexy'p]Ջ sBaL|%aoJďع'Uxlo">r1!;={a&~]<<(^:s:LqXT _o5\AC9(puw=&sYэ{Dwz7cfg8Z1n4 9/m{>?8D;x L,xN٬La5cOJNGSvB]<|m㯦i]~ӃL@p;ڴEjm⩸8 w6ى~j ,\iH)"FGIn/]3a=.EyM9ͺ6R )6樍0巿'DְY<iΰX pIXi| =UEa |'Ƙu^wyҳG'9e'WC>̨GLՙ|qQŊtA2V Ѿ:ʆX[eq m!zprӥ9F*{ha C\J_w$&*ӧE5F~$ ʷm5R kkX|iݺ/o.OUr8H yɈpo#wC.U9O+O6Mꯀ5hŕҏ"#7;]IqUρCilXH%lo݀{a'w&`;&u[2.TS7<-3n輼^S/Ճd/}vyӃľ sQri{~M W?*T$}%b5EB5WQ~pbgi<Ǔ[d FL. Z?L ވn30!m,%cw*Z̩rgz~gi`.D jn,Aeb {0reVΧcl 4-:).,k[.^B[豅 t 5L8zsd׍)un|3_?m`b0٪1icmywhY\]T_u02cQwi+,qSjDr^?  [B&Kل@~&XUV seܖ;*[,/=|BĻؤ pcW,xKRK;FEX(Qj V'40#@,On1V/!Up9\IuI@l3bVNP3 I!m粻V J ]\w52WWtbiOk"D^a^c#VȪ|- p_zn#Wľ"{Ӧs;afW}{&te(l &]EPtMzuR0j98|}2rUbbqD ) Uہ;K/7=}3 Uؕ8ɇ܃"Qʔ]YbACMβ ._L'f&{nl ǠǦı/uXo zVre- e |aB֜! }*ch) xj.>~x\FJqe볋@G]ev:/BFwml`A@.T'RK3(y@x=Λbx|JgG6 uVZ05j љQ8YZ=R6w6϶ӿ"#2AjɏK(%۵gW0.&mAyT.-\'CADf{_pMuh(dgA,#ĥQ3n᥏3qպcϥٽz[4EymMv&M.'5C8ׂҹVPR%LԼ"Bʯ ަSk\h-]cYrEm-@xɪK7V82%w/,@F 8d;cx}!*7ob?yӅ-[oXe yoj7PBCIZN^al2 7N4Hw(Ь?{[r."7Șjz((LŠOVqx3tעZWkςvo)Ncxh`vf=;ϕvAV, Wݛ tRڞE.eY8rUbgZ9ECD*r:䂦cB:MyZ+z Vъ:Qe/Eǧ}:~a֏Ľ71?ΐй,Ney Fw p$kHrwt{\ )Au|kxr"FIM{v | x3DZh .XٻdfE%_h A{ jG\&634R+ogYX/O}hܣml-THL)ߥ~;=:xJ߁&!tN}c~38ɾҎu|эO0ւV'Bc^.:t_Gxu {e]=H*Q铒atJJ'ioG+JG/#؃D/M mÛ a-WxlYYQRI^CE]%3T.fH\_VN7`VOns^KuV+q((hk+٣`ΐC6:Qh2P/OGW-Z%U..-E-$h]WY*"V}eM2`e%W"&鸆)ь.]=Ot(%rF/q:WTe|)pC핸__mǛgp9al~ژ< Ű?tsőIYe`p_FM(tg䵕새20vfrqPJ+0h]5rÄИ5Y|~ } VS[mC9pT%zU8%@m SMT[{urȅ Fq:QH<\X엻tiދJ uHIbd`.m)sKp39f3~9Ҡ\yi`(߱SsXU5 nq!|H0gOCi3_t0Ee;wI4!{@{SZQGa %XpeH9NJCE-Q. 渷LCNZˋ>2pD.d18JIKt\OsUQoA"exOBZIKRA!%MJMnkלpQ63XȾ5( ?1PC1 M dLSʡ# '\qrA- |ٮ't Uw{<%gCUKEs X9w\. 9Hf[oZvCw#VRr4󊜓0\XEgk?xA-v\0eA`^:a['-g~Д=Eln1 I1z,YN#7ض?x.'atb_HKZ9~ԧ]&ZW^?~'\>L6B.z1QjE6ZIM!,5.EL9-w"OW80t! *;/0$CK=['C]?$ʨ4#VuDū~Lo\;Yւ.ը: >@CEj wK Pc :fM-6ŜA6篔.RGlpdsA⁂۫ފVGn/Tbx la=U?i2AÉ Hv W1<_s?٧FGmL:)I,̰ADi&KlD4Xp%6AwKemIIcp_܊1YGI/oO#R^X%C)lH!\_$` I". bTBOӼb'1 alp!<E+i}LOo6* ~B nNҤJzZqֿmUY0s+b u2nC?_[b;IDc2+:̶زBiZRsRCYR9Q=+'um8DzRQsHdl@aȎ+hT%L*PC>^Jo"bԅa~B0O̅u"bo&_]FZr; w9~K ܶi&Jm2N23vY*ZIGLL_ f٤V3c5( Z|>P9{) `=1M <am߳E5)Ǭ|4HgYT"PGd+{Jխ]!kF[?+Rv?~@(4)qq+/ZY:d}Rt.32IeVwr&2q(Nn(\W)1X>tcb횳4yHaܫ'!&iQ1""ak<ņs(eؙ}XOp{෉]?fz,9WKž^ɘx7@:U-ZO ~iP,PKN"NbMfIt(_#4WpKМ-UvUd s6j}3sXa◠ ~l_'D" [L玪ӹLI 啺{1cx؃NVҊ^u=شmnFzw68![8% ̪+-uƌ\ $]W$%mMqSB VMQ|< KZJ'l}XD yg+c/]&7"g%p~d/5GIQFުp0fEn$j$9HƔXi_[_mߧ6^{$a+hudkQCn0hW`dž,kRU*Ŀ$TFFգ'P8`(r& ^׆a7f RNh+OUMlrf!3*ZW=!8.wFuBӍsZƲU"I3VK͈t墄{:F6Ѿ6FHHp}tLm :r[G<0iuY s,Ԉ'6ޛA&O3)9lq%z&:cZ*u*%Krtuޜ4j7;lUx ى} ZTX\P( )t*Q&IAIvhr9[A'CS~&nL״t+$HsP4Vãtu驖?gFƃ }cHk]@*p q~#&gܜmv,.C0Mr?o3 ? BT+%26.*b|_;cmdM] u:l/Svm| ke&:7 F9 &9,kVQZaЀ߬N $@aal{%e#Wnt&"i{Lj:Q^jq"tNqYdo+Tber)9QeB{'Sh xW%`H a^VwrF yd=|3`.Mn>H4պLrX H!.DΠlrf)rQ: 9j&>d}H>0iؤIpzqEj IT@2]W!T~:3N~`M,H `| M H^;sv'gU8-†œL#&#.Ћdo훰rU.XmD"! Tzq~ 2yfDK 6?d& z¹rԓg2̋|8o(PPKKw;l|n//ux0(z7I:.:O0jÊY*;7Ex'I=,u> (R=l6 ۂ+|Y C͐& 2g>9z4Gma0>bA#\ecA'2KKs=@DKOǑ :/@:~B TB),U$g_Fc{VW !<+$|uH&{.t yM! irE\Eubf?EbBDI0c nhc:O$>pӄ.+`:fPҏoJqGtgBW~9UÐ麇Tέ*^KHf"ĭHXZJ.Uk=ھQdx 4'h^HmTd@PKj[xU RtEаz,-$@I.L:4aN`mmՆ\m~+7QYA{=Fڋ݀W4Z(})W+pi#iG5MbNݽ̨;Lj't,?AZ_jX/4[]wVSpu2Ź2z+39oxd{WhZ5G嗕=;NAu[zϱ [lĸZsoW(-hܱS'&TZQg>x,m]Ąwpq%whvu'ӃǍDZGBAʷ`U өt{K u^uW <.o/"՝2V=܂{!'l CT\0mW-mu~+ &BxFS#︧v|SH-kԢxҀqww<6w3As*G= >I/ 3rD :>DMM\G5܌sTs̾i%ݗ;".6ܐwަzqmtHYx"H$WEiPDRP`׭ni]NʩŃ-ső|K#Ik^Z5!3|^e/—En~RnVE*ɢ^PNzQދ$pS}5.+XaIpVPO*ԉ$ #OOj@Ԭ`IQ*Gin4^mlJ\w(0oKms\y& :3=h4x+X "y-&EP*WPZh9XliMXvH$d/̻Wد lQ .ʙ5y'ƌ&zhO 9^==Ht&rao mı0]242#Y;A80^gTCCɈ"XT28}iN=@CWGu)l KfX(+@?ă!t=%j3B_i8ӏ@'!j؎K1su!hmZ 0?"m /Gk Yq]R/IMcP)Oi%9J,)Rȣ7ۖXwMP;bYQ|߂McO*́K-,+nI:=]է+c&GkMRqC%'"{!^n|!n͠lV+x{j  p)Y+GC`Rsn(?)mivĩ㯰A;aI%8 yo1p]\UVM6T0T˶(Ǻ4CTxv=p^4-s]Q_@9uiJ eWlj4]BA~`okEsS0# Qo^/2QPߪ|U>_jL^E17 -e΁ Z+,PZ}3 ;\8v 9?Uա0jx b+9jQ# Xa"C|%7:ԅw(qگ'ᩲ0Fi[L+=:7|a6o\*;6*)Sգ`Wx? s6\ˏU2XCz Pb&A?@zC!Wy˜}<)QX<8@M ^T\k=F4~M ="TPXo)dt'2-H.:W#gn/b bϓ;dS)3ؕWhvyԦiCrU `{!ҟڦ^KDk7#Kym\g%~U3pYxYVLm\iYu~RKZД}ɛjvCW$x| Ab>zZb g{[|cfGA-D ^S@+܀h(&),P6"ja}ğ1L{|Huzv\d<O%䥕 3 $OP~al)ը 3IꭨccpkAjtSl.fQ#31A9I},~RIƯ̩dFI1<ØAY?qQmEYV򯘂6WDj7V.nBĹ;]9K@B:(A/y+) 7 79!l^ HפJgkX$5 m^hI|4 (v3SAXvgrt/0Ꝁa1l豠ٜq}+`g{$ZD9d)'ԪhzL)V<0WUKJHGHn- B7 aD8~v 0&Vxu){uS5ryӖ-kEMieˆ71]}K 'kVÿg3*XZ:ۼs`|sԖ692|6!QB!bSd[@S^6Dqq .7}j hZ/MR_s:Nb jJU-+#%]j*!SurP Kd"GmAaLjNn-R^Y'Чu/L2<&ͷ;J#kaA-+K\k5c\S‡"쐋,HDY_mNb}!Ms桌Gztu(UQc&Z=N<e_flzg9 -Qx w6F5Y=,%QziK2::PF+>qĤ@X @ {,)HEd5UgEa{dz.FՖʱpG8xȼ/^]ڽKKFNs{WjLޅly=Ï[Շ?}Ago r/+| W5򵈐!Q51NgvH<@+DX0&Ħp#!W%:5o_zna5En(ߩi8Z- Z=[ Cʲ6K @!-,"sEe* ~)+~2FvI<7xiK3urQvCfV.!ВKmi)(1F6N9qPf[뫦XZt XwOnW}4?"bhyS]B] l SvV9(sńD >!lHA&$ҴhR6_@ilV!q6hFsEzGQ:ԅM<#ڵD4}Z*rT#\wx9F$w;7?|UR(뗆RLT7@&7&E0  OVnjsX͓߽HPe!vUq hFFȦf 8! D/B_l] wit \+5:X 3JJEXQf<Cq Q _^ojG6Xm+AS2ֺ"Bj:}V8;W<4gi}K#'nY21 'dmeꬆ#TH_ r"[kܯ} &fϼKŲEDKJɅ,)zUkZt1cٓs1,4V~M&)#qnN'42.}خm[$r=cF3sA^q`Q tѱ I?C8bni: K| ү̟M ˪i$1 UwYֵ˟q"cuB@(LӘ۟97]sJKs1/Ǥhk%8< kiHQsZ1 Di2ySf8~\sBblQ*4rɫ kK,>"bsS$`ENeMBV@pZ(An/ nyHAWE҆raQxT,`C%u(z!{C@$˕ٝ\OM}mJbZhMuϼHI%<{`xLD#i!F˻@⎎o#WܾYǢ`,otGbwХdCVJO`@Z͖Ȍ <ˊшgG/rNQ̡0L1/Ohj]}"mvaD V|v)E o[*//~3Y8&bM(@7p|D Yf=K{}U\D00wq9@ǝT8x0}Yxrߓ4f_vo0wR'Sh9[}2TqC=e N0b p0q f|>C.p:2C ؿ{xkdmLo-(&E=T/c6 Nj^MFWoa&hۚ7bR j^x߯G$xJ{rs`S*`_̇iW2lI ,a&= /$~-Yp?t;I Dl 8w` 8N ˀUmشD.~cMj*,.OB̩^ kSA{= Cة㻟 [a]sh;ν'p_*RnXƍڶ5!OLn8^bw@?pe&3xd[8B!f:9rߊ(7 <4]I]6!+$XY95)իS\zߋ,//N6hh*jSig{TQ8 B~#'˨=qsdϴvؕ%AM8(4Մfd^W~= ]tEA9ڰ&@2%{"J?`5a;SNF.C,\ˍF)5:A QR^ۄfv[-<3e0#'"B#{k%0KC^9,C8p,Q»ӄ @qanje"{0NڡcAyŚ 6."AZA1S3Iի䭦=rYK3{;4r?,A>hzO}nk䕨"R e?GҬIV0@i}8Xbhs7I-eF?(v *0l^/[f+}@"3^ANV U W<[p<*XSwykAٴbRz}a:m_whד:^LdoyaDyk|[c% Q ^^N=ME9ʭ[uw U;%,jp:KG&bYVKN$[̗Saq}Fqm8P]wHWRSϳB%" H:_ mPUsȚ/c*'4?w%ONXDuOIBWWI׵KF׳v~ZH;$gvde/;0v,nq: 8O(?BCؼ06$3Mޝu`KLTϖRAS!O"ͬRVJP=Ƨ!<lf: Iټu~kU Ž}{QҋEk-Z)ZKqz5>*>ؚ6C_{ĉpʸ@8,;5NQ=綶HôXOio |ܝSysy(!L']Ns]E˱G9OȏP#[aze]-U52OlB>S\p㖽֩7wg c :!:T|v'UJܲ沬O c zJu;JNYv]警y%FK |yW-  r$3S8{{s#™Z~Do[*"iкyܻ+C2~|l>G\Ow:h $ Z67J$m /ܬlм‹Çݱ^]ڢ4݇}A[4F**sjz-hgj6͠]}*-h#:3ZsVX]E]\9ςqtQ]lBZJEOH=nFu[H=S#Q݂M-s *"}mluLC+QR-\oSiY@F 1.9hiЇ$\Js!cȟ fvN7JD%tt+;+P(d}^ f)O#Qީt+~Y Ӑ@33]ee&zQ}Ko Uq(ov! &}{`0 !H}1 ̆Xz}R'0$.<0<*cDUPp"7yb[ a)7%cW{-Ag,z)g^}/^ d*CY*mIwW2RkkMI\VX(AJ'T]y\B& UPNa< DDKAC 2 i.ILn!l@Z\{'ٺFx&ڮ= 6Z6BƲŴek )sJm rw ǎO(~[px=<`Pc D0v:(ːfwf٠FjS\yOT `8Ǔ '!H2n"dK""6x:EOۍ;Rf,*H$e ZmR9t=>8S̩WD<ލSfj; %cKOiXpQ] :@~q"ծ(}Yԭ1J_"NZxR*'tA^qS6W8CLڣw˘ܭ{{j1kZ,#` Ngn{<] hm Ag1AU\+}[H㖯,#}]7i20Gz Ơ]}v< eg0_¨evOX)I]YjvpsqdJnV?9!-G1ߨqu|#1|PZ'@j@I$+{{vCTU^@GSXNM(߽,$@*6QkNOM$g #]2vGȬ[nFg'/% 툅c]5Ozd„:j^ %߬@ylM}A G.@mi_VJ]-h؀{&ȫby$84/'Dl:$Uhֈ}e7LȄt?GQ`v~.6m"Ts P6]XOP:I~RvOe0_db 7S)8a99\߆!P"r-X<"y0=<^~>C)"g[ƒI<ޣ,BVz=TX#8OB}B0LMf$ŭRs&[79=t݁;2Ʊ ^.vNł:Шōt}'^-d-96\E:+K47GN\k4@OPAyJQyw`Xdʋ߰yG4ܚ|"ygʳA@y3^ʛ̾γ/7_:U1Qd\pVf!A "I:ϕO8<[!ẙi*JC,z89pH|aK]uoev\s.^5rnS6Ꮽ6PD3h3zD.;C{zA;37$9$WbC9-."_Y±WiĶ6A`ۃ ~H:x>[CrY̔Aq|7us%kp}R2|>,ھ6 6< iAF3)Pݘw|YJ(UxPQYi`^1v)030tG%f- j41?{Kt`LK\ mC@.Ѱ8eGF;C>5 :vp==f@㚲Ik,6pЪݮҍQ oJ8L&b(?c-)A(lP PNqA'/xGy(Oͧ{z\P!@WYj[ҕHjxm7J\/XK)ܪWklɰ`S[s&77S?/r1Gfule(„t/Gm=_EmOpi;TuHp#-d rWfggn~^U%QXY@ijz͡#ݿt. A}h~uWT aG[FчL(}Gj))#Ҫ1Mck>ۑtkj_k_Dv7TP϶;4~=ѱ&?^vTN1$P 3?WKa{}?a }fs}M}3.SQ%B!>=E~I y̦ȈV9uB7-@6y6Ie`cG֞TU$r1a1Z8NؑGQjd<ΐ9=ڥ%Үs bH '*hPuh/?POu]\b(_6X%frp :mBeBkYD5gX _@%$ l/,y}멸N&.f#VE|U8慹_i62[s3#X3<,sBL&Vh=Dim=m%r[ƚ.УƆ&ÔZܚo2;eQY^i4VMޱO,8 7+a% [tqqd;q?MhբX]%/ 1IGZp>n(Yn/E$`V=Ae)\|нpiNZjgnmr-1{=™|Tc)|9:bXXf,*!Y|325*S lڸK[ӻ/bAv]b'԰J#|&-5NoMe|nt& =TӮo]8*+:-.TvAնCNc6qE & ~HoC`dJ@8!l25ƇR7HՕ8//C-Wz&9˗|ɡ_84&@',3Sc{M\μˀ??n =2A=;l0eȃ/USS +꽹oy5_~i2 ` e .Tg|r$em!'v.u$=;\IL{tg-Baڝ* ͞-l!ƺ;<!NRtU!9:?̩J(QTm n <:g  [MŽ Ѫ͆Sۇ–,W$lXC%4iC+3X0:e" h8E/M9nY$H)K8S+cKnJM)WM+;Yjwd T1cE[ ُru@14A*)eXހD^ <#T~NwqaJ` U@5MN`VK&.t>ufkyD7# 5!Y,Q$#o5)BFxgXwT@ /01\"wV@ϋ!<&ǔ[51 dTBM$ +3 =A&8H Suyk=Yz okwG,ٯؑ8g9&[}U~.{wL+J oD`OZB& 륄_%}u4#_'R o@lwvPV^4W2}P8nXP&]}ߐiR/d>P DORP%#h+gh}*o(/*wL~L@9[UꫭhnPml~"I&N"5~bZn̾ZZݬG})qmؒ1PZaybiRʭ=ћ* wa}Da3VHoH.^<ЊPX4ȧM:.6Zi};OGXF0Buqs!y֖ķ2NWS4;htb bT:]QOn7Չ{':n+ҥSyf6?AafE4H OaxB=~(lŢff1H+@RA.oS +9}R#˱dc&u]7 8}V,?C|*c&;nLf5#g(vQڵrld;yl7OoGNE̱ԗv.@lblnA{ޫCϹ"N͞K&3t_FE>4H8Ǜ;7Zu ,\$CbX=}Ve)uzT[If/Aic +g#..۹EH9=/U]<)T$:oZV@!2΀, "AF=?T5W<0pП.4‡z'bejb:r#4qR.$,ơ`Rޛ7i/Aqv^4бV-fI[72@Sц́ë1-º 1ϾV R. 3ѭR~<_/ϸyS7M\5Uff^dM +*fR~hA pq߷jU~2ZIOM Gool~PobZum5F٫ox&y3Ay@V+sԤS&޸w)z]a;p| 7|1H~F4crE&ǰÑa#r&F]jٿ>/L>_i^5z( 'G=ll&kA}݅;GHb@xbKq)'^ɧwQ$䌸SxAIb&DJp7{+?Jd5o9kv.'Lb,j{[tHQ͛(o辣w20¯nE׎XeXwF=~ڢ>'B+&{rKG%#M 465Xq,/\rc4<39ټ0qkn؞#?YD`=kN"A~/YO[`o<ĤBEk]J$]vH)!vjDC'oa&Rj*wN%+srPx!FX=ث=lM9]7gCҡȚ#:elyG1Jz1A~ ݄xmnMp|CYٔiql00;ΩMNbam]tjbz#<rɗSx}$"&'1H UfmV$a1nY㬴@ɍ[Ŝ><>b5%f3q5[y+XѫCKl}0vkd<dMao}ޫw/)$,XKnXe Lt{ p\暲vџEnLGe-tU WϚKQڝvMЖ] ӴӪf@މ4Lt-M=TOh~ !T-\SS -<(Bd!D6Dxb4C+Ҫ˄EBWipOD5{hO D㭻#-EN[&=GǡrZ;Akے` j1wW,(=&G1'Z ,A4EFbacY|P5ה駆Ir]i~wg@5w~?+а}rV>m@ ~gѦ<#J%e=Tmm  (~\a@R wL e(lY2 eANj[/'7cf8N `lZkڈUw*gm?1Mˆ7,(\R\qz3Y^c"MWRCl;% 'KMw=_hmㅰLn&V'%񦙐*0)&2zqşI'Svz9`͜bQut˻H)/Jcx']À*/fJ8[dQK@EyuFG/ [_OZV jHߜa>n^wwlpY-s#b+~֌hdTjI+^5 "/$pYLwI(<-BGՇRs[@8GT1rF5݋5\rKxo7{MŤȂd_)($ @IϺZ]8B0Dzj4v@˗7\94?H7vJ['(uJTiM&vmR|\FI E vj4׶x:h >tnwÁ#K(82+;vD5.J;F Uۨv>CQm"$-P+zh*_V 0>j;^㼰)[7JxQlwBBז5z;W{;#Cl3,~'#4\LY+^{تGv"g \23̗"]5U ϻU_1c<śKd\MF=Kеd/Sa Iף3ޤWg "z6iI[uo2^SzSj^v$è q|Т ! r>7}Zr*4-FOmQu/>eJsBǙDhjîX?`q2kax i#7g^LN7NP+7Aش(jcD^kz9JM*bO$*ұPp>Gnח9sU.N*Am4zHB,;MfVCpY" ,psdJ lvMc8{DMnjH ZȈWYHf+"K0XI=!rJ%+P2aԠGۗ]} 0nnÈQQbIxlA+ÂvBЦt"~oPrH`HE*xȥ-&ha7^N)Y٥-7:^IIFSpvvG V0BO,h SSqq# .K0%6eXя Ύnq.R[Cs%V*%?m:J݁|eAoez &`u"Ǖ\COԯ%Nu/,TӇY1)GM7esǙI HK+2~!>|38?s=t\6 w_m0SI}Z6}vi-_I>ST$؛f-@O%ȒILku_Ηv_jN}nyKU<_jIO`\ ^7GNhT : ?U!+TG_RElB P0&YsvyQa{#C(;A( iKS' ͉-40+R=f :d"Q{D*{8mm/p.6'+ VbyP=BʹS18LdjhL˘O͒9wiSׁ/=ixC].ڞHuScC:rx#Ua<47&"L@?HjL"hSe%ơ7T==ڮM`C<1][]H{E].D[jE>X 'EodV`b[m$Rv~>y_Rr $XSxh8rjLa>S˿=7:PX?҅ qBM(g敖w @]Tk͚pfCͲ=4`O X(Y6>2ίR{ -Fq$ӷ` +vhu /sNLk[},v?0%0ܮoFv JdebX&->pQsMqxXtnLi[$Y€Ma!bXsrif.ʪ:!^ٯwZ* 2v[GӿRԶZW?FQ)߀mQ:ԆpKI!yFZ6IK}= GFUuz$Fu1  j. 'zB quP._oaSHd0&c$S$S]`gx%`:7СڪzSUG:wm Vq{XCTq v/[(Sr@QTXtwP YfۇK x@040q]RKLvX"o1І"ݓ:HI3m0V/) 0sQ]8zRvMYtS ! B,fe\ (^6ăV0sLT< 8_ mEfCoZ\g0q ծViUh9# 6ޑ]ӟ^[r+`ΘGG D#e@?Eyj4Gxn&M>kzt>SWiInDrq8yd{h.6fW:&smmj^q B5#eLe9.PEi!)1)n9fp мhx@w;sVۺբlήTtRZY/_ړ ,D 2'L;&/b\؜`UNR~"o}O3W;% [8(SA4^<)H6v Y{ٕN H qo*Ńhm>w"^Can';`:9ʽ %6OA1m0QepC}Y@@1Q; lek}=0=o=7l4lTqW3f, RNt#Xis'Z"LgCC]o15aiѾ.FNbukH)F_3%Ԣ!?Ӟ_UMk7ZT'"S֑&_~=Ya&;T\T3g4}fq Y83y-eO,s,ג=2H"BW;Į|>:曂 ( %WTY{U(5F4U*+تQhEj*5F4V62fbŲmDk",ӫ?5;WɮD?>;D~aUBA B\~*~.=ol :?'!V?leX:eoˊąXt &Ru{o&#~I잤2ŀ1dL3vE\]3\epN}4$ⴲ{jCנ')j0nu4ʤw CU[7T# U/u^T"ϵqՋ~ƱS☃A'2"2!pG)/uOX\=HYhCP)ce@  4 BI!HM H c؅hn8ukw/]B~]!}_o*_ßGEoqUDNFFH3P sH⭪`2F84Vd3dy $ h*HkEi%Kh=7pvF^[=x^EG^{2ZRǬ)jפ }DXP65%"x~8>VQ:7eΕKU^ʺi" aZ֗“}$[%I(&(^Wo<\nxܹz:ެBG )ڲi k'Vjp֜+/&'5})fs 3%\ωFo虍BxO I6 v(w*U' NuU ΫWDzLYۘ%$6ևr]dK˙A%J "R}RI7tyǿOe]zO,6/!A!O62*_LuHY9/вvfwy響8.| ``gLL1h̵&J2)&@xFAMr`# je_v# kivuldKAv֪I5j lxwߩ;jx wNH|{wBEf2fm;_0Q޿'sn3Ј+~ X qanf(!Ĭm%zàq_n9fGk;,lhx0%1Ȉ&Fպ4\^#`Hz(uՀT0@؂01>0Q ENZ+)#IOhcy=+~_[SW5 ߝK;4NT?c ՐMŽ^ħ') J D75;+Mxk.]FL$e߱V&AA+~#!YI+R)Nf|cAP6@9'`TBCiAO0z֎/cg_(5ߗgrC,ܮVAa.eg82:+BgC([>N*+aco~kk}3Ï|;+G9^"pS8#4YQ'" , ;D]aQշxaeY0q9vj 8 DF r1j&k-|~}ְfb; {B+q%Rr kA ߱MJ\%* )*Z{ΝgRm8;%H)7_#ml_;nϕ~%HNra Te5"V~aDF@gz,Q͒)۪YQa E+(~niy^'hyTJw@ZTV֠}LkScCŭm_y4<@Fڿ)2Ahиhұt@liB`+d%k[ޘ&kM[ˠ@?FƷM  EiD*aX;F 3,u ̃;_v5 <)~ⳋJE@D/F3>S)K]r%Zm;ݫhCÇ N8 +&W[Tkf"_NZ jY_?ڞgۡ/z Λ}uA$cbh^Rdx1KCP{LIGFppBw14ĕ˼ n2pc_L]Ӣ"$#;t7kL_ź7>w{mzN{UN]YT.ĺcaPYL76KEhcT&6#&1W.$EJKԟ޾/t\à 4Ei~3Y)!c_ AIRBzgyhLYt>#>O֨1O}_wT*$y?{xFmS[]dWվP5w_b^GE+V$(+:OCFG1c=!q, $3aO6o wt VDW7&ƹ.ڷ=ץKu@cG{뮸 Dgc X@|WTFA KKD1WךVs|3:+oso􌬃.g^iM[T@# e%&V(ZKd%*Э&tynݰn ox1ʮ~ iK6J~@ @P-6ɒ*@d"V1[ohs^O#ME!`+Bvѿ DA'kА%GWA}'9blIP&;p%d+}]i;Rcm/.¥㋏dSaPA~^$X9"0'6 UB!WW8+M;M1upݴRnJ&c4> VZj11pH$%m*sĸßڹByD(Eb $fj5L"1hȁ߈T(m;xeSmYPUABUB"zڸe=u}<_w[36B;aB*q`HG r=M3M`֐'{k@F@W7oO%6ӕt`5!;)՛v "kВKQB*F\IPyQc9^%so\]jɻ{iH=p/z˽oU]u(Q)~8 C ƄFA߯؋ ow67 09aFWhz8?!L޳ PmY[KO\]$]anDFbps1 -oLJL`2"aJ@ћ*/%j{>ڢBT)T43K OtKVM݊ZU, 1$11$ ,D!$͊D,D5 L FQ/S~lד׬("FdFCm3 HR d,@312>ϳI3w]2B3` )EI&DX L S3 f{'DQVab c сJE8ʴT`J=ח<z.ncSS?AQm;j S]]Me}4+U+:ͬ[,qI3)fIIbXbw=wݫvaT99 sb9(]疽f.#Ov ڰ( D$R?QG sTivV|^>WWbq?:h|/ç &Q\$9%8cHr}?ՖvX-c;1SA1(Pߐ.^ć^O hb^c҃WO =o/;~ȞJ= _qz)?&sM47$)̩Pj!y_UQ=c6(G`g@ I 8I$31Ѹf7$Y~߮c_^;?]:Zޒ]+G ICF (#qp同rzTU2gI1Įʌrmpc%>P 0~%kWwKKTlr~vU@ǀ<~ux=]` ƹw?bH)/>_O=&u7/MF4jHж `Ғ(l њE(j+"ʤfa)3/;K-$jF,LEKd,2hhb+5eh (I(D W HwȾyUrMsݰ}vV;7EB%N5Kwe̬&"Wjew[_>]ra=Cؕu2rP"+h!jYQ H#F )1T9fJnHj;}\MX'Wϓ5cZ6ض5khE_+ub6Tk-4RFE[-Tljc-eg{=F$Q*#iŠo '"bcFclbK((YInk7^26wVsnM4VH AQ#1V1M,կ_/^d*Ki+)RM2F A ;r=JXUi\E\1I@ )\pY!_ޣҲB߾훵Lb8891 4#we{<25Y<)GeX&es˴87)u&GpQD:旌N V .oqF)(x4y3S~NU*\Q (-t`d1r$hflmiR6k5JH1&Z*UƊ6*Fmoy_S\-X7/M XfUJД~I"vjk*dY6n4KSYj46g|+c"f̶6|FZ)RA?0Ê8Lʬ("hi^4T*=62C$T^-w>,} "#2#f/~a M-C-_EEc+Y^+{'?; $ As@_z+3(၇Ioo[IjlN`b F :}ux%t+6Uml$$-pxX[r\TEY?īź?¯Vf:? ȨzɽѤfk߾XĘPV%ewv^zU5L~>O-6K3}r P7Cd$I r>| >qZϐ$)7;ؽ]k践?T;\vw-BCv(z_)^o4X=(,tKz@QFD ]~I7?&de*Yl$,9ªT"ش $[征㹅3{n F~UzqkAW/pFt]X: :ɘx#]ΞZ$A s8%ϤQMc~_d>uE0Z(ZlaKUDR6&%T2>Kzʜo^\ʗk cM3U 1dbч|9Ǯ睔$RgpdJj\ݵܞɺplwo^nԤZy^5$vFCʻiT%qE6F6Rnm=]6&K$זRvͲhˠl1 U# 0 Q UDj,1bmHb#̴*fU Kr"IL C1wb*R$^WO2orbh X^amFZlymmȿLօ;C8TRa>N SLgo#x &J #sNǤcj4HR(sN]":uwwfMF{, 8#ɐ{:{q\ X2AF  11ȤuU2˔7%N9)MxYt)ƔS:Db1H.ګ*QwwV6ԕpgɜ@)QyYxiZl4aI<2ƔUTB:[(c(Nvzku~2gCn2EbUkɰ3Zv5{\:\lY-w:ά (cZƘ\OCv-*&R*gFp5&-׾ ?~>ɜd~/G(l3£8EKLh)~CĨ{_[I Z/z{)Ձh밢5TA'+I}[ZÖUh(ڮ`Ein[oNNd'?-Ԕ$l‘AktM$XF"A-=>-FW$H/᫉7 =dB}~sUԿ[RĶ;/|UR (,cXV*({܀g U5}]WZKf2R+KdXMU~?M/rL}ʳRh i&3ilt۞ ‫S0XNjjLFUyR"0_*1L;WAA&$2($|j5)i{cE,jQmeI[,V)>oM^ &F$dbz8 "={ ɔmUUQ0ojU)}*Gq4?V}3)&Ep#<ے^.|uJf9vDynr~;vw/MpKK`" Q/,,v=tAB UHO)|0|{&\[P̈ɃtK8g VcK+` A \lӋĔ@oOX2@=R`sqb?H(!#QسAoK [NC4xY/W! &@E#32d]t ,&eb}>9*OBPA;kwr*)86vuikau Hۥ n;jj?aߵe? zxf$TN(?7msAC~1C5*CUa2eGpR6OԌa)Q?UxOUb5j.!VMTȵ+:A˄$}r8Փ/*>m.!0EY  [?wMGH:`_ JU$(<29\>#ѕU o;LA'>wϏY#_03S;FA`2"G8 F"J򺪔2i3|J?zPzfV(yW0 ⓼RB\1S a.o?~qnZ[81 T-af5lbL Άk>XW2m a{V} R!owda (:˯y~nxZȚfalMiY\Ϋ ׆=7amZaZ,WSK@psۓ H"pr|%&4yв 3+0-jB/ʳx(1)m1T6k1uW u9;J:ȫ?t0* ^])Q_XIB D oz?Rb;#HIފj9NujTT50<";pWjfp;~~f.3b=+zsSn(_\"Wf"\" jDX:g@"a+6e >կ׷g a!G# ]LI{-3K_d U[T%I|=}&=7o\w:qVE 24"a)"f*6(EQehc(%,O|Ms`EYI}^ADYV@Up=h(*2 iD1R%-FMF"KZ̡BYδwLiAIeg#]:}[z:tݢy0AQ NGUJ:y?^n<9f_LNr(%~+[WH ' ]GޱXzF&{ G{]Gɯ[Cw6%[vxm2E0?V#c>\;yFWx x#Ny VOXD4*ᤤ~3n[QbK?@vj';]GÝK=и`17Ֆ <=?# 5m/Vrs/a`Y'Rڲ-N$@keNUX82QWՇ.ly_MCرWԾ" )ԦrJ"ymj\~WghĉbkVjDy{Eu2t}g-O~AAlTğ}vdWz ׮#&(TKK2p8ʯƗu$JdbnTk8hlv>NYoaMaXYaV׾Tg(9Ⱥu B0rиNV"ƴ- Q`D Nj܍~t沏lChb3 ~] ŲD"&#($¨)L:2EQ`} AocOI6 Or׊ xCPI0۔|;|:ܻ{,!bj/g*^WrܒG;u NcoO#+/k @9 sMhteIXELu]}<6mguy}zN"9(˜'4}HƆ#;G|hkeS31ƾ~vxKբa  {Kewosh T $(prJXzN[(`uJ?KF Z _aWj¥2v7C +*o #1b\;sV*Y: Ϫc$*Wsp@@V10IӬR ʽ=&"]mı3 DF3"9 ؎`# տzFNIZJI4=|a|tϙ{Tc 1pΏ',V!Rbf7M]׋dƆMY $L!׀T[R22JFS!^I7û& 4L)2ayޯ;zu{HT5yۉD[fI%U׷S$aI`4UDdX5jHbQPhDTBi JLȶ3H4Y(A(IBL4)31LJHh!(LCSdj(ZJRʲJ+5FfVJ"eXeѤ4l$jiMDb2#I2TH5"fi6(dia%d1`A B`6HR H1$LlDL$be#1Ia1AJ2hBTTLx艘I҆KBl1 (F)CûWT0Fm܂DL44/Wb +=zтaHKdIhJhL#PF Ʉ1"e cLHU`لCMɌ&cI2mXɢ1 dd-HZ*RJj*Mal[Kj&$j5QJ&lKfJfeY $b1aBL0 E4TLF؃DAbI2$,J4j*2)$I60BDFJ40iDPC"HA2D)fE%lHfJZ!%`&A Dm.W",%&4l"EMDf1M%Wut!,ŦP0 FJBi 4$hبd$))lBhvd;f$)D",f)o?;"PTb1Eb(-RH)eVIƄ,1L+f)LM @@b1Z4YLX4*{WE"h$ы"̚fbILZiPΕ5$3F"O>P۳˚ ddA4@E$a A10l$a4BbŘFe f2Fd"bĤh$4hljAQELRL!z]tȒ"șKtR #(lERd6"!35QI&61XHS "f4(M M1&HIL$E)w(4D!,QY#hibI& %ȱ7w vJi}$т)͖e6$TS%i3L؂J4 d#b4̆F"lJf&1I2h*2ABI`M0H0L(R32"&`bŔ0L@!@TĤd&%JLIaA,H BfffD3,f6YJ2ELDhY JXM2&J% bfHF14 #F(D4$QILI)1 fRRH̘DQ4$ -54E"dQ0&i E ee)E*IAI "%2 X! VI "6XEH̀1M3)M͚c34,ł4`DM$e^^F$ɤ$( ɊZI2тYԓ0Lb`,"CL $Hf2fMiZfJ`l)c 4,1mK%H0MfF3J +47uss,BGWb"M0P4FѬQd]#D($ŋxD܂ HD4Y $)Ҕ ,1!LT(E! n2P IPZcd1)FɍI 1 DLSDd_<Ǿ"sHH);:|݄J(kv$ c210a#2j1B e&@SRڊh(MS4 0@ńhHD,#R$f4T҈f `D#(L!lQDf@ 4H3,P H&c#fCSJ`!#7;QDC"M#SbhEL2d$&f0SLl0d2$̊S)`P)BQ2Ȧ["Y "FZ2!I$JL1! 02f `2(Hٙ3aH&$ɛ&5B J$ 02z^v]Ra>hPdG]R@#wL`#1,_u2wEHC`d #[DS4 mLh︣H4hAH0$kLUڶmLi LL%QF̓i CFC("20(HB&e !_?˸6ђ,4™e&)wW D %`i47hKkMyḪN˹cJu%,Ɂ2% (R)FB0I`Y S1dcRJ]5#WK$ %&*cvdw u/R)i1`VcHQ-ƓFeATmEgH0ӤhƤQ(K#"Ha,H$CHS$DK#b ̂dcA##͔ѭ%4ZZd LdJ5"B2M,H}Ond!e!3$JH 4I4BŦVd1yyBPgϗ| ֻt̴(B$i^WקH e"CA\QИY Wc$2%z֝!/K2bɖK4LdJLHfiDӼRR(dh@""$_+ӯ Ly痁~oFf4h"d Bbe,!#0ɒ 0Ea"PTQBL0"RH1c$,DI2%&Fi&K0b2Je"IBbhI^~_<^Fw$=uy)uJ6I (>=ֽJϲn!(yq&1 2L$l2 FIHBc)d[6*5ӥs ` lB)##E I1iRdbjhWןcמ $z4Lcr=z=$A0d0h%%$`<7yYzwW0%6xѶi»L/;m2;"lcOG$M.lc{fzԵ5&4c=i,O)ѹFP.ڥRJ!mꤶ"!-u_+`l4ANd_b |²)\x`j$g c[W>  YȀyRTF3ug7DcZ[O F> ~gd/=U&u eDcqQAj ja0X[ ;Sj./u2`64Ғcb b0ց 4,u`n} }C{"/˵~oxu 4h~i1EAZJDDUE)b:L'kO[|{}{糣o-oyb|߭kzhQej(-X<p)tw7A0prK ¥ۊ:#$4w;oB\;=*U,Ek1+G߇g8@1}WTkI^W&?j`vrii/( T,3:fkPdit^2x{9(N@s$4Wřy C^QhiQ~߅‰V Fg딼 b1 $A(תYT!V='F/d:k9wp,8K ^:GXlRSi+w[ b,SE'}ϴmX3Ɂ uVyޕZ7Kx @Bjh`dr&nC޷];' S!aTi 朳"Dy1_?iKqƨs*`Z0u&82YtʔTFat_D QeZyaQ"p=Mks晡2e!d!9[028[+o|u?'o"<@ uiXnMڏUqzE(Lq??tߛ-XpDd1IΈZJ^6OBRd䳩o;H_ m/魎|Qbc(39jr306D9;)GUYdž+Xg]?턯ϸ?0<,a0r谫b$.yB'"+8=mYg0}/b׷a[37[ p TQ/{5DZ"aP@2d*$ϟgd {$;)UT²LKPxEA!2%^YgЈ^!Z~[ݏo_' F}ׅ(eϻ8-ck%IvFJ)*?.5wϹ3O3# D|yI%>}t)MRkt02$EE =k5YdUWqcF(3! T*+XbCk'*s+mqJޤA(%6zK?/ &(}V| qgɁl`U"1$@`{|oTZebr2D }AR,l(є- Y MM(ДQ(PIWMfW~ϼ`CQe#.\dLHb0LHcF\4ŒI7?a5( !@l M25(I-xݭ%b#QC ),͌(HTEE &e]|uۛC`Ѡ2MjC6Ɋ~clj-MݱbѢE@mRnM:Ub +Iߞc2O(( 3{5$R4zpO9m0EKEEkN'>yK-@DLȰџy<4v5':>?urPOW8H WT4!Ӧ UI#U[ iTW]O#^۶{I i}=yDF5W7-μEDXIUdY -BTE5Qsͮ ^Yi,bH 'R1vlQB|uD`4zuma bVam]):x=;1X4.zx2!$ ҊG۽ b)v( 6B p ֦Wj8WI H*[=r1p/ZJ]sQϛ̏M_Z*,T:#~-ƏWѱHJ # K~_Dz 23~{QohVծq‘[PXC#^eɉ\2~eRcUHQOާr￝lxsUFFF2")g", H ?  yۢfBƚ661A_=YHb/~Nܞ{[~;>;`6>,r/+D(U=9OY'>eJXQJQ<k\Ԧ0}U*ĦTXMZ/[#;|4mKDEtMZTAbr= +jsX%BЈn]y}ϋ.DOK[2"1Pmi?~"'Gu*os{+}YUuA$#u+~(1U"oT1TDJGE[֏-C1e(2" D|u2P~/_ݦLq:~z?9,QJcl(mS"l"*"n.w?b~*w !9˧ PXXp-6. X2$b Trӝy{9e_^qNtX_ә9xam%3 RmF{4F".(U _ϳ& \wܜ$ @'XF %0cq+8^)Cmִa2oV'*l-uzjxqpJf.؋q*LzBO5VX2$ekSs-\6v)¥n7@EQ-z @9Xu~'qW]Xl(LNnyL39FgB9\)*CZ,FL?+j#{MC"04F b=GuT>|@ pgF a0),R TV"Jë9Rstt\,Ky8uwzc79pg`BLY;dJ,SעQ4t3:NVxD&P}.?ISƟa Pa',GyFC.X4!3jܜBs$@u`}&jIi£'eLLX{u3!`TVEQ1𛻮HhdZƊ002 Lj"$X)"5u(XXM3Jk^`(yw&RJ`1I) c/ߗ;5=-ڍc KR)TAaQ$%f5&,џk/$dlVCԌ(CQ`h4(cMHIRcA!Rľ~xF Y"#01FBL D鿋~O ?32H2Jha^Hر 0) 4bQDE[n;F5`oUtR+(+C۬dn*ȉi>e{[nIA΍? ޶q% lt|K9&*28 _g j\7SK+ѩ49_rd$By4JP(!<>;ֺ:5Geu-|0I_V 5^O-z"UĴl(C- HD4lRO?vH 0H5x9_{(}V2sL ;T^xHf}/r*Rrf ;9))¨CW7^W1HҸnh=ۮ÷-ˍ#SUbxplS7ݎ v<{\wj3~VfZ޿[ˢG$z<*W|˯HlnCl疲jHDD&$)2@ "|\np H&8q`5wˢnXXm&z ׀_is@(H)?u?WH|;70+1 חM<s$'ꋸ^Ӝ|/n\7҆3D&JKQM% LDm%2]1h*1 $a4Lh &1I C&!?u&w۹r]cG>*E0AADm3LZmIb͋M_zQCIb~Qa N<3,E?o뽶V3E1fec5 c?#u˧n9+ClO|0d"]:3J )- 6ѩh҂͵-03o~_b^wz]LozŢ8]\kk57ܢo#T1`YwG(wsww(]ӗn κNN]:ۺ뮜]ۻ.]"ۻB7v˸ uɜwu1v]NsGwsϨ^V&3hd.: ^I?Z`C}_5ߪ hŴ!B,b1HxP>GgwFr5bzY67X5udK`]KۃiR,ZF* Ygyo6ה ?, h?@Ŵ=gE Y/HKD F% %%W [DIN iΨK]rOw#!-9ٵ#-A.ܶ)Vʌ@m6B95Z0Kjzw>= L ʢ !^/cѻ͋E[6Cׄp,ɳpɷFvoᐴVP"6+n~<5\U*B8~QLhꁌ*&@S(EQD]zP{j?uНа=g ,6;L ^FvKe"̷Aa15R/)?춂CBQT_0P?ңqDsgQ 3]*4R$̆RPNDP{i`: -pYOUH3 "X~cӴNP88k+}PWJsS#e:Մz:3-ϪATEK-d/ol?>[bπ3d_ד 10m,ƓJʃ` L؊I~'t!H0QV()<{ZoݖkÄx-ڭ[C[9 rCd; qFJn8d5 z6Qx\ v;=0bceFfLji2Q%hj4TjMn/~G%$ ._ݞVӾ/g=c,  F6[WV1i"IBTEAI tv?Y߫7Җe5NKynղ*~%e ~@eij\Ɠo {ywt|-ޚ (mm_WPfA Fs7\fBO@1 [1a+12ÍE4qUiT\j G?wwW(' AJU4R%5BSUGw;n;ۄۻvߜxwsr9ܮgtw.]ӸN u7b뻻ɹsw.Bwrq7wB"swnw\].s;d;gv ] SprƅwwdF.\ܛS;\$h%5]9t]ېMwkw]rGLe].twiۗswnd:]wY]wpREIsg:AnNNvwwww9r Fww].NW+r뻤]s:"]q.cȝc2\ww$pٹw]2bwKw!sww;EKpnstP븺kΝ].twu:G;wuݝ]'wNrgWsKNv)9q:;+s~ouu]#wwYq.w]']s"]8AI\R;ہΒ.sWv'up]wK\tt9ӮIu]rӢw+ۮDFD)˙\ܤa.]Ԓ$tprܸ2;r;DDAc֬*9w-j/.1Į׊U[J/TĺHm7Rz0=F¨dE 'v&BLFk*X^2a[ykhӸ/46ovW\$Ͷl~ YWٖؓL07P+#Y%,9D!k#\gQ9F)ĘVP3ZwTw"BmiP 5 }\ů_ѕ"^ f>~EpOփwMh׫=X=.cZIGV vexx[4mσqjPj!'~wʒ%dBpz&֡<TߩaueKfT $z.|2{}u<<]}~v?&(qyTe_4P}n01>onԕ|5[/8UpdT•S21XJDMۛRǀ., JS ^kҸN!KuThÑGZ9foS`;3uDRg7, ȧ-/u^ιgqa$'`Lݼa6z("QSIHQѰ2dcX 56-?X2Xo-p !:M-mI8^,:XFܺ;Ѽޒ%(eh6ܭ̑Dy{zR^.7 "1B(͂’"WjZѠ-`T637ty4YM7^a(U `xژ!t9n Өŧ-`-۱$Div묚*cDʋ5)[_5#UY*z:d`bV??׃3Owv'³O'(3t~NLLUʺYZ)m| TV!l1eA9R84^զiHƒ/:{+SSTJ6Q5!I?+nlS٧]W%Qlg _Yd TA4F }WY+Dm#teԧnzOSLM>g]?G}R5$U&Mmxܪ[kMƑ")ZsYgpjUp66 1S *Te%R.(TRԿ˺Ą 6"8\Z^Wu\o?{ܯm (碜5U) R} ^v=.S0~1 4ϱtFڹ$mkwV#Ebwpcj _,pdA0 UW}X(mĠzeS<87Y]QE-QfV~IC]O8僿kXgX"r,|YN ܭrj`W"víc>ttKI$FDP^W#evUE/].%s&5:ujR!SVr.vmG"'Gm(sq߉ Qǡg1<`''P0GA`FbXWwΌoZg]G-K4~z\pϓh T21{ކ^h`Hp(_-krrt^g$sJȷND,Ƶ_5@m;mѽV7&X0 *:5o-^s0Ɵ˦|:#yg/2ՊAʮU/K҇1Y|mq^[tO%AN ÔjާeHIViuSnj|Q7]8r3`4i%xx ]$,Z c+AzaUjeu+k1{&{^l}$?Sۏ{޷D!\J3e0ƒ3_XÃ1l!3qO*]R#^#Zy>kVe_A@7Ƌ89ނXp08;λ2 tgajQoѭFipv I\_: O\2Khcwlv8 M?ʲyfs5u~\ꜧ 0O}y&t|2,J޾ѧT> {KM/m'6)xoGiwlU'cG` o3.~ !~K!_[+:*NjG$2(sb>?o.穑̞K5N?%s~Z-_OkV=X;&4?蹎ON5z\#XA9p<_\{ /Th>hnsV@o~Q9:~·ws+ ZMbSu6"ɷPh :4a쬪1u '^Ai@,0qBP~e[Rdl%4G2g8k1 K\6.lIϼlآF"" ("46-$"#2B*%^=}($3̐r9QHAQ>U^6HK_Tat?{xy6U# BrA#$t0J'2`_?rw=(J2"%!jPFZ-_]bB?;ZksfVLl(mmRqU@UNPP٘?Mf.~ V{ Ƀ)vv[iL\bF ?o&L d`IvCNk\Dbo[}NjqKWlK%KO"+!v"`Y43hQGBi@)Jbs/P,zjőR^_Wt}ݽ?TdXM-;^?J_ Ϙ*{O#8k&DyvG*ghbXI5_^G "42=Y:r"fن8֛## dmF-6Ra)U'Yu:ݛu4و@\ FU5wq-:rq<i1FRCWL[!qYZ%+j* vƊ`Ќ 60f~[6įp3iu8TMxSOR^Ά2%,].:u^./6" :Oc`@IS-IzA6!5M.js}diіc1vԵ/*> --*MGB\?Ue \@!%Ӯ>݈3SuW( *B"7u}3+0NBՂAAeBF>0 *2yIJBH@bT.Dzl8>+_z=Vx^Z,Uoe&abĐ紵ģ_$} TS|Bl#R$nX _a0͸rvGU\\ųg4UJ* ?qRc3§⛩^5ќjgkS:iHҍcCܒ{flvm~  Qno<@#$D6os#ƢCCvH>H*QGڅ' ÙGuhbPK`PTU[<9 ((M(v6VԳg0X!ⲋ!KpTmW4[١k u7 OS%we|X/e*RW}֫CB 3J) &oTaʟ-LsEr5Q%hy|o+@&Gem4ѻ P6|wƿ0^M8#LޛҤQ)ng{ZdLTƱN+ePz?rI+>vt֔*WNL%{PQm|)0 wT~e6>MrvN9 EHq%ȨwEđF ?<4$T`qێBbV*QEcikjlեQȄ[Q;pNWJTC'./{aΰ+ @ļM=g?#拇mƭ+@Pw%vN]@aMw2뼿J-诫jϬ?%.(Q5 !.(\rVۭ||xe޹l1;22D)k,PyozG`zERa` rgeB J2KO29~`y(6hXz̾[U{X0W !*QZ%s:^}Ju.\,*2c.FaR?|>~Lk̳4Zq$ѳ˘e^x:O Wujdb" DD98w#IFJs]VGa5BQ,cV4?O3o.i8p$r}/Ck8?e} N3EP|s5Wp_7+įnrn Ǿ>3C0[u=,!<6i&Ǻ Ii'F1ȡMbmo_2;?<|~SЇJJ>K|o `;eÑj R==}9O}E?b甆MiE*QB'V巿OVR5 ?BKugBܽ0H*Щ8װs(b RA3 ^GgZ3D~Rg$CaEhfn݄?fa# 5M+᫽nKpNm㴕ڛ\/ybOQyzv(XEldws4DZTR$c*FhXW-άLB~Zޗuȟ}GA"FiEL~袏{ 9vP6fF ֨ϒ.>\pY&DVz%=_V'p_N_*"W!޻"$۬±jXRĐtmLw)BqJ#+pQLm_4wꨦ1O'-_  HbĢs?ޯ Vl;3m\^sLN-$=D BM6Сcpd{C.,0S5'^ 0Ap(VİK4_ࢪVq!rGIK{Vj/qPhfdoTPCJlmBHH,Ft"׾MFN_?ֿ5n]僀D֜ٲu0ӅNg7o(08͇ gujkt LʟFR{_7N (Ko\&fHbK E Dgzh'~)0+˗*tZ*O +E**P~7O@ f"]=@CD$B) *KE9=1٤ M|9<yWK:+z}-]dBߥa6}>(yX쿇WW#cGcMh(qF|erۣҚf3o-M(x IR (}[)qxjSjb*TH\T9jj= #-hr[)aCj6'U"}_G E7{JߪٸCRFg1M4יdkZ04sqy8}'sa9uH4/&{^&%~hjVZy^A=:8ln9vg¼0[.Ys8|b2F2ނ $ Үce0FZԯcca=x݈w=MOJIqOЮ.qz Z%b/$ۦWT_힏Z'٭im z̓J͊ Yf5-w <Z@_ S04ͬ٭g bOTH6ΨNfO+1>Ѽyfï1EW#PG[<8 s@{C^ 6x=E o 'DKv?l EGZl#HrL8b`w[Cʻx EyaQGV_chU_0qLWR[հD Hy.0$kА~3;ba gԍw (ENF d)aQ]Y(׆ŷǿ&{(&]>9jRi pufxyc~32Im5K{^Ko6FPT#>wck UV|5K6b]o_0Y(/%ǻUO&:/L5s5Q0M*ܛp`mx]]_8]'L8wѦ 6XJ,FJtUf}Pr%Y־vzK8UpËűR=a#H}hq'K|綧klW,q'%H ]n¦{j߅;:)I@YBj#VRdqez֧轸޾M 2}Ԯ*b~AM բ0#ֽ {؝0f( 8Sm4ZnJ&\LI<ɐj2&͠tS1B# NBg[YWv|;t8ơH^7\8e513r(yGxIh!kvebMAG۳} 3Cf $!H/f@a%w~ 8jg_?G;E߹U(8 ^hnuwFG*Vex ֈ2J^ema־ASQ\C'P )s1L7(^ 4~j7#^U砊vx&Q3jO$`;I+LL+$ O҉_oN-}cG>cv]8xMv?>{]SSŢf~49Ot/x\%Vm3E> w-6rd:4{7溸\ݝ1畋{ګi:-y ڭJ8`V.Վ0yˮU5TZzsdΫg\ P!03o(M]'}W sYs.=TYGҟ<|m{)"juyC6օY[jׂB"$ E$bm?ggpM;8T{\36I&f@ɳՑR#!yl<F6u8|nT-\)#!/ȥo7-3fGd#gr4Z9tyRUKtHPᅱrGuӗubP.D%p>xUmс:O|:wua|SASS_ey杈[NfrB %<,# |0_t^9M$<~VZ'<{5x&(.Pb>P,ʅ1u+o?r,7 H{~EϓS@z`KXR/F03NLaXc]储ʢ^| 1:m[p6'RWl7=1˽T=>5lpOcɇ# 3Nd87[6V|JVf##dv}7iTH@wt ܢ;J6=fQED JS%:QZN[R`[D e"Ĭt86T!ѻ lM<27ܗeƣD5W.+r-4&xx,^Y $)'^?NjR^__ꄈO&wjALƋXDY=]oI e&l)J15Xz}HgX<ĹTS8&Ȉ6zjJ1HD8W U{^6/ +[$B)Xrq+U]xڠ5dV fh<;ϯ3ÜwA X`v&t9H G6ZP1{3O$lJ ##-!Y -/ށ4ҶBlMms(llG[&40Z{f,2˴y}&;zlw ;`B źbȪ4Vmp8wUIϗs9H0C9Lc#,T76sb; <1a!k(ʀM o˸'JF=I_>_Nd!3@l0"sğb\ d,Tu:`FqPI])L$$5m!>1c<# _Żo !kon3}L&oxj9jcQnjk0]H#X yߡegJlLE Y޴?O]kaPJ*Ng'=D U' ąEi7\Bg?|8zw\Kc~8JwU[AE6T-ݻmdyc =2I2QYVY$ #;MEqG5JᗩUwl2bD}֑ˌ6bw;KHo.7SkBSjoEZĸ;Е2L3 іδqNX@aa( ʷS=j6Xd\3xXyt\dF4C#:ԘʪsYeFvGIuxهI\>ġ2FO##-&]"YV?_W:X8aQ0 *ceLB e Mj tQF\sX ڠ袣|*y0:8̍@0ˆ1^:;9a:y[ R$T.42CTAf !uVP4c5KUL8M[ft*Q0/ m6uTLDbDeA5 <;.oU TNMS f[!1ȵMA#! 鱺 תʧeTGO.D\F\k\f\ScoL1r8\=1!Bdl:zy Bn*TZH9%4ˤd:;E-xގC6' X6OX(4;5vgCt2kd/UQt;dA+қ81GF!$(ezqfwŜNAZLd!AYeL4ezD$!! aؘE#f>KDj (PH)Vь0bv.p7<8l )S#UQ "#HF!jbAԕ#@([m3Ѣ >u,Cspl[1Ggx0D9Y BVd89琻[ @ K9U("&ʥ'Wd e} x7x>-.`!xN3X>)Vs}!qg&S F3aPw9YiZ څG* ib P2ϋ={Ju7_HQ |Fpdf+ (^(EYHL-[Xֈa~ar\w2sePUƪ{1e/m i -0C4e;DdU(9cIm7T0tAd(I)s:Qomܶի\I@QBZƵcKv6L'ˮ,'u7X5!W1 кhCJkJ5)Y;R((xj]- лybii3yL(a[ eNK4ʰKM:8Q{l(A[Fq߉jL|)p~o zWqwf0B -îMz_u@7)щ3jtti4:bgð7ƌ7fYE79e{t-7 n1h奜URM>tz lF%|xn4} a)'Mڦ  K^5H1PcAi@\x*eR,;qr1`Yy|]XeJM6#) TJ eGl03GMUBU6!p㣎= pwk4 iyS˞ш٩Th^/@aPQ&*$fi[nGY*/+^j kBA>O@+?CLVůZ;L~D|28j=<ӽ={8|J'iukm].|F[]W|e5C-[;AyȔ }v>\ Ps AIJk_h*m?؎KRiE-Izz)W\8U-PsCzHU@ a/WĥRWo_'#{S&1(KB^rSۭߧ=ݕ؊_+;ulMkDR3qꏉ.W|6*/?^L֚"0wA n ֔ݺrUp`:pu7_RnGQ7n2, IzD1Fx;S80p$jr#爝o=it"nQ]:mJt0mQnJ$)™|l_&^ϼ6g535ؠؒsvpz>N7ck˰8@v'sߓ:iNEADb+Y*xp;c6`0l;{GV-uỤFpк%y2 %o'892rľSR60sG!UI!C#hľ(('U(ZP o?}x]"r4&1*#XF nç9L-&vEH*ob[^竭vq'KAn0X|Uݦ{J}uq[B+]j ߊk.4^BAEůE:'(3ġEZY|oAQ`x L{bx--婗cunKqwz6a~#hўTH3AL*l !1j2*Ptr:6mЈ/iC *6֢1d4DjH G`&gm8'\ƌKt]V@$ HXh|:8Xc%g]{venJB2@ײىoE\Z8Dր2lRd-M,v@9!T@p2*./3_=ؼSnT#d|1kX/HFmoKڿkx8Yٟ":H@gbkcj;hiwPo5hfǰ+QExx?[tjG1yJPin_"m4P;Y?eu ,i!C}dC+JK]dt &Ӿe%.{*;/څNK+sZeBOXm˫uOK'ǔ2_KaN Z) ?3re Fc4a|Yd_ؽxu0hfg68[)J-9M'"PQ~zVhIU% =6IH ]tgE4š*5)]7mFΚbI ~Y,& ݪ[ !Ig+ N3<]W16}=yG5\5Rf1A.rχ6sQT;wi)ݣQȢn&鷶77ZoK{G `e b*uQw6w^m gǝ.o5A#nPwzo]价{r1ݫrwnDjAQ)߃$ե )IIh3Gnhtyf?M9z׳e\AȇCtm@3l"i׳pVzl,(H3g~`S`o%%4+q7VO/!Ͷvڛ],R$ߏ>#\j[8pb!_C1}rF' %70R P)WľOe]#Ā)*^$( Qǻ$ ;k w+ћ;;dmzx<'ŨF5DAQX,[vƾK\9:zmQyɭ~{l%^6jt hLV*DwnjȒmrrNjwݶjcn[9oKo;2.Y-y޼54\"1_hE,PFHcfP }ۺh; o 58)BA&xD33fQq#J(eSLTnJ*<0tvfF= Mc|t͂2ەֶGy"%3UE\ Z/o=&^ӭ窀cBʀArA ABZ7%T].ˏ*бQ10#1:W *[9}ZS]j eޖJܻ)z)r=S :=el~4~98CcJ;nɔ,O8 ۯ7;j@SyͫF0oG%J{(pTw#蛹:Ŧ g!oefqMva\ QQF /z2)v* eUmw$(BBG&X-AD_%̬Ve.{6 E}M.I-vXdyS|tɀp=Fv u*PDYͭ?k33eBۆg7zmۨ1 [K Gw TJ{]+}Z+AA ]VtDFJ}Ճ|DUU2Fw90t8 R *Q>1_2d3[ fbm&g9 :55׊mTu5g>;ɶ0fu]S- 2t2UDqB5BOՅvVkz߻(k!6GR#Y"u~;|/[f$˗fQy֯z(o7HwGwyTPSE"j(CW"'eP(|YM[[*AWׁRî #SxX]'Ng*d41,y`F:VrByZ Ӯ^NRm&gKhbEFh$ak'_ZjsvOF.CIJ3uMpk#{o6cxu:XHRӻ$6_t(ÀQi)uW s.\9v4FDp. 8mQz@νqŚ-hՑ<M={5"D9ComnHCZM' as@ruaBi_w|OP! Ɠ0 R F핳Xzs|n>Q%ɀ/aR`[mEVQMoi ^} %]AeR`jpI=NGֽ]ԆX'm@9(=}XE$h PIBs an; eR+\Qf•qx+P ',06 : чMkh]Fa 6S#2$vGwT궺$3MmpMC Φ17WAQSl:Zļ6nA୦C.FcIt7QHna4T8\ p B2Bb5ٶj e6FavivgݪjPE=m H!TS3 eꇌ77W"XEⱍR-vT8xXt7nG,ul f_g# 'ptF&a|i΁$PH 5Nnp+ VDa e&Ѝ<*qU+q ᷊VeAɻ!5# o}MF =:4tif,5W{S&2vc-FJ P6[##n@Oi4 0QB3no[2 eYpTۙڻS)iY$AFEFEv;)6kI*a(3x)iU 0uT*t% TDALLm7aƶ6FjeEZY ǿ}r>iBc癩j^fm^6%bceԑ(|vl| ep7Ta1*nj|vJۂShQS$Am77Y^)b]L/y D/Ř.ć`Mjer+ g"fêN%-B/VÖy;8L ©)2 V I6#5E%$f r~eZ +1/S̝*ڮިArs/ JBTC^t=l+<<ZhYՋ1 P$Q|(jn⌿#IPIcin|/ #e}qцbUZzwUqJaXs+DžB5b& !,AbGӉ_D6h{8dJ6#Su~v$)aӧCf[Mai.!Ƃ=)=8$zwyw>n W*3G;"GXnEèOkX XHjE5/w #1Z0DZ<8wypI<QtJEEz T G0¥Uݠ˔ے΁#Mh$ cz`ErQ$賨AsM.D|ZEH-g$S KtrJ@ڷ ӜZQF}z=/% g]dz\Z4|qs7s0Łn=&.V&ղo!-؅~yۙ\p8}/'8u##KHwa>,铫t@tn,DiL„ͅ"ٲ2x`/ګ:Zy$tɿcc YS+ F9i>/g=<`5'I HAΩ6ؠ5>TeRl_&|͢hB+AÕB  NdqJ u8^x݈]U^]/Ga ˌz+\c8`kDaH_RxQkujqe1&XIf-a-yjd[ .Ds䱷O Ⱥ QhGJ=_'uBar-hbRJFTK$ 3!暤=}n׈ŷZvw/'oͰ6|:>_-x%V>7|?Ggew8O{PDT#`: P"Bjr,6FnV5s2 +B;xVk g[9<3yfU7iwa`!I P*CLX QV՗:#`bb.c(JNیsW=03͢gqĽ婆l3{ՁrEJJPj WmH@vS$Mnl=<./'G(g(nH%ED5ew񩆺߅f))bTޜJ 4sW Ϻ⨊"H'pxzOrfp;Nr_jM懌^Sg P ] as%cΪqVb8jL AQn\{;BTx^mpaz7Q~fGbuƢ,딩 c 'uOSL^'-y4 קZ K$L=l19Dnuej\Tc"2AoF>N]+%6: TQs {FQZ5j='k_*=_Q$ W*"L|K[5-ɖMggZ2C`ץuoXkgKS*T:5w<Zx-{}SdPbCaĚqTȢ{B)%' aFW @T()NRIH kIxL&3W"}#yDJ#GsC׫>9婶Ycb)ܢJ`$qadIe6 0aئ8Ɋd7wzjݽG^;Y!r.(S a})|x}(.%);5%5(TF/~53R48 LY9MR '2s>b`+2UPO,!OT~/ AUhjݴ3QntłƋ*';gw8\耢@CjRը "J0\/ 1-hy&m`Q ^z)@)fSxs~7dONs:R6?6$2bI_ALt6nC]4Uq7Ty}†=_'c˔뾔RLIt|B"YϩТe 8M[ L^=%@K-3pP6- U ])Jaz:5Q{0=6_:.u"UB$V`Y#TXe%z6fG٬{xZ3+Uϻ 5<+M&I((R [U=I9&W= jiE'oT=Wr9&w)Stz6e*HdGK#UB@q_us`VNEIOß ë)Fd®;BhD|6w+߆ڞLL y@ Ap7_-v2¤*΢6d9#,f3Ë+^U{Wl]nȁŖZH2DIk86<;_"=pq`l#=XPA PpIf( 7ncoݷx7鳛Ӣ_nFhWh'80P cvFRAϼ썕2r5%'smq2${.>^6EGh\ENqYΜEHlaMbl+g4YrKl b_P䠞^|%Ցuoڈ@Ag_X(.0<MSL^(p at2 ,Rյ8`z,Ԕ,eBJʉLQ"[3Ԫj;{ZXN!ihGTd vP4i]\<*%] *Yj(A` 1ٝ[Fsݿnp0-; a"REW%ՙ|dY4!bA7c@8o\j r?XgfǦزQv6qeINm̱ 8p~&tIq ?A"Jk>|ȳn`HڮҠ͙FR=^e:H VMDP/P6-A "i_{ϯ|2/wW!>HIqn{ه]C287ͬj5fL5QT녆1[b1Dʢ9սPk`HeRvO;m׮ܞU:HE,׫z 5m<4gTl /ڈ #6v)V1U ^Ɩ 9̒,W6U4z ǐ. ݢqnsu< a4f3+l]1OhbmLmB #onv۪r%p88 [Ńs巍EףC­GSQ<4J<ʽTnptxn1v8Yȁܛ!ɲNolj]>˖a5NE֧{;!cZyl {${ U8m Tʹsh0<(*ϵx)DߓLӫ -I kmʛ_Gdp9\HPE.o1꼰$MJķzkq{kGHq83e[U!X3RCP;+O|":+80;e#|xuӂ0YM\u6{A"ƏfCDFoӳEr#5lҺzanԌ;#^?>W C(mF Z-sZ@)J Jɓ 0L::Ʃk{σkގzgUέ:)Q7(9bn2ћnÕ#\叝tm˟ EXVd^0ucnz_ҏ)cTNlیW#<,6[gwtZwaCj*:*ldi{Z(cq5V{a ‹8LQCײwh{/Iߍ>GO^k #bAm[+JYLqTMp:k`qܞρmmЅI.w,Zx˺wc w,aaȈY-D@U+,Љcwrێ*/=5 xmе /J\MυdM E郎Np79¶%iYy,Z6+zKIub ! vt4\W3v#x43 `"NvcE*fl-y4DŽRF_vѲz5c7C=sH*qzYCVJi! 3=+Za6nT@S0Mͧ+(%L=lxQ,"Ոf\\JSzNKZ5s>TF '}S4 7b3(bC8v0>Z#Ů[/A*8(Wz1a0,(0;AH3*g%u@kf۹Tn1RGn+3ߏhwR8'k#qa{Hm+dcdapQ"ǖSBC:Upgd*iO 1P־j?{޲G}qo>+/Q;% ÉWg>qx HA@k_>^:֊':b-o,xfнIl7kt-^ _f XbHͿۭ; 17ٷ7 hi9 p⽷ 8gCNo<8~A[G?Bo 9Dqgsքve{_/Y"'4`%pDeqf{8f:௒adr~aUM:J" dV5gyV=ΉCYorOfTN)C 撐q<^)bvDJQ]ygXtiNs>Af\qv<HF$ ҍVr֮+t.S$0"[ji^3@ $Y}\zv*Sf,Wڮ+zZ&nz?Mtx\4zܯM+mV5-0z49 R1c+"pѭ_"?#/?~ MDvsD:r^Cw"B{ߐ/).rTb } 74-PS8_)bZ(2du}j1b>G9:qWRim_* !Fshvb0r6b0z‡I_ɸA@P+~; E "-1tPÇ%k߹eլq# {Uɺ:OݵT4Pe"$ϛWp۟j_qD,φ WxKyblhRbDlߏu9,[  hqqO>"cݪ/gW)x+ mz#@"dS V?}9rJABc^l^XcfajAG 3,d(y hVĵy@>nz&[i;\iTxz*1,a 71P\ض\$ U?ʀ[FW[E-<)[WL0U+oQ3ս(m5RzjO"" 䌻P@REpqBw ǣ α'|,)ykP2j 3K.Cn0jio4b,BdPK%UNbd,{/B~S\@׉Epr!r+^ IQY o̓޷U~,NȮtz I N<1"<إ4).p%:IDKrNi /7HZr,{By,hBD z<>Lvogg;lnؕ%4Ʈ&[W⋬Ń2ur>Nggoߝ4MlE>W쟤^;6 1L( _[)M˜qr(z7^1 00 SC B"(:&5GN;Q0m2?XJT)X8>fxwI9GvY_J~la 8`B&C QxLp{w9+jM&ϵ{vb4G UCQ6a.>ٗ?`3ƛ]q $c8^؊n'@`8P xH:qsMy?[\qyҮndci_7NtL aGo.MZq!,NQI,Aq aNx Ous~K tFN禃zэ35PE_`'X;e&5BQݙ^&ą</UqY ɺpDF*T**nLtb#d~z| NѲ)\6Dzڱ ٦^iG7T>2+MO,?@pջYێew(r [ݕ`lLb(8Re95+0zއo?g 4G`g~ ']2HHqx]Y %D 3$B9 @GG5`!ߒW0D!C֮ }0L޽{pG/cr4)I=$!du|LYmx+iNh! { aTG֎iHv{8XsSၗD_k3:#bJ o& pQ4!b('ͺsC4vWVLA-v>U;eL_-g:r:b~vF|鹨W\.* -Ǘ̪62,\$*R^񀆪1b7kue&%;dԽ8"]v6(rqi_˜fsn^?fb2A,j`=m> (A+Xu m/} j^obHb+#H2 U5AB ~SF"Y{F$k!\z8p0;t}ݞ }:xyhm$̦}oɻH ,wEO fCv!K&- @ƞemH%LZ19UE^jnô2@ۙ]u* ϐ٢.v.S _V%9|DO/'eͻCh_;>gO3x" iKwLyƦDEAl< ݶw|ù€6av>@FA9)BYtVkx:sbe(mC p~/?cwoq *s?*92&@4$X* 'j1W> |G=35` pı30h~ &w-jAȔUѳ$ۥ(nU2*[ϸ!XǷ1@kTH=`Ǝ qlm1wHF9VXz|L߷ZByOZ.dagYg˱ UqA*_WfZ]&(4TF0Rc2KdVaTDak{JΆя<ݖhN@ p,0~R)2WⲈbqP'JDn'D}hnG7=œP 1}A9fjTF;dGBTiTr?+`_Q-jyUVuuq% ͙Q-GmU=]?޻ga0$ BP„J" Y,$(RPC16! wqF"C@M$" !C 4#BBf$LH1V(*ZunSSgz:VzۻZ0vt/]{{NN6Op 1;=j?jpFWj!gKAhj8)8I\˅F pxieU#,NC4 փٶm׫?"D*}X{X (XJU(po@. 1Po ,j+J>t.tIڻζ]ܖaa[V˄X100Dͱ4уvm1"ܹH f KBř:!mbCiæa>]WE~%Slo\'Pup.a|XWI3i7#!cP6:Y4[3L0ݱ2#s@]pء`2x =v"uJ\)7 ]]2}sȕŢaj-mP90$ }x붸`up,ʑiӔLn%2}Ȍi$6Z nu f)u <P#:Mm2x"xȊηXO coC)37~HzHt)3@=t"ΠRoJWheE]d>No3@"{x8#dvoeTSFQ#$e~qMYD^^`Vw2Dc O0Y슢ߗڅ$p_gѴ`#yx]n= *lEPTRIHvFhZELe (;O =A /$qWW:{C gO۟ TϮàE>ޔ\BwL *Iyd١!! 4}+Lg(J{ג!S['#;.92[ QɘPc@} *ŶBl΍M_ѹ(Q7=?iKL PF6pp(9ȱ)NS^gUeU ԓhU}|y2M4WzQFYE f*x)m̹(Hr0Q"e"Lm4nLTTrGʝD{]>/* e&\P5 W2y0l)X0)A?%>53ϟ SXZaw=;y={zۀ[-}llS[h-&w<=w;)_$&:zvYvڭ=Wm滥)gҞ oZ hk4=\8=u.7Nhlk@ [>\cJW;*@^v{}>Aҵo)>GwݩU(tP$>@{Q`F :o}b:@@}d:Ƞ6}>#ʠ_8v[z="y(c\䢯hzTӻ:fO{z>aFÀ:$0s׾l֮(ʫEq@=](E{ u C wq@hh@jm&jUQ] }QkhwٛT͒}n'=>Njy>U_7vݭ7Y'@a^]9 վd(}ZܻBϽDw};_o;RPPMM -]=] mx-9onݝ@ =>k_st^ٛ}۾n|5W!Q;/_w}ewkQ}޸ w<\{Ҟ{}{^Wӯbp4{VX3nc=Y] zbd{0rz7bCZv9خ&Wv=[7InP%(|U'э;O->7q5}ښ@֚:2ز7IF1 ݊wloo魳CE=wz4mKk5YoZR+v @:J}ݷr- = 4@@1a6hF )hښC Smړ2hjm ))=)P44ѡI &a=L1QH<M'S6PhM144 zHd jM=#dAd4фbddɠb0#Ёh`&!M "HAiLOA=M SbjaD2$=)憨2iijPiyO@Pfy@z5bcBF)~SjFO"?He4~4H14i 4z#S@ɦ#P ES+p Oa|& QTT2H@nz!TU1V0A RfMik%)LFRl͆Z1)12fɥ"٦LD&ڝwv鍬BDSaH;TdLuV/^MvHM/_!uPTe]#DUYFbe'׵v:sW9ɦa"55Vko0ȴW˴i\ڱ6S_syEEFb:tnmUB}"54Hf}[BY3KIDU͔3Elosnmclj,3Z7_L\q{`Q 0dd.Jmlj&2I-De0&)Ƴ1&f*4THJXB,$ukwtcWS3 KF͌o20KB3FPгx a0]yI>'Dap*rmr9z g9 s!rʍf'I48 rwnŜkLC P@ R8ׄ>u^RHjL]kiGID$ Ȉ yx-{P U 4E)E"mCl-}V嵱j[cV _oߧhbA0$c|טEc0$ɇӶ|jmQj5LT*WvzW|Edm-.2F Lv!vI9meŶ (HBZ,ƛ%M(VԦbߞ[։h!-%"l֚h)Q&Kf"IE _6{a/WGٮ1]g=C*ʼnʤmPۮ>.*ɭUIBKJ. uؒ_xE[0EbQm&ŪFڍضf ZfMJe"aVi̦34e#E6H4 2Hd~kQE}-57J63ElbiwA2h7ws & ry#9.y{]0=:J҆\i1xhD݉9wd)lI:B=9t:]HĤ h*gko  LAЊ ЄUcIjp*J # ԜɲR3# ¯,֝؁aLggwMU^G; Ȉill6,jieIJMMf ɥFdҶ6SQ-SQMERFB$ 9u5&ga(d#c"*7k9Zw餴lm\ZN!'s[rK9B ,õx5FUy JMX$41=Xb$ʧF.8(M׿\۴N<6W,1*5QZb-SjLI*2ZRY֋"XfI3B3YZeLBH4e(S@0F{ki~m{G$WW0{t.2%`9O'^5='r]9qHME.hh(`He MxFuk:j,NWBrZa=|Iaʡ8>~k5+0S\1 v6-sdSQ-2`)&HL):2(1E\†QZ4V- eH:)9^^&nIQg$p- dN26PCS -r2052]%VE_!#L/")UmI]QӻolVj5hT$TābPL)(ԓI R;8Ѹ 鸬3gxbP!X[{q+2H ,n0 bkE&kTZ[zV_֊X% TEEGӭ77@bI[x*^'É Xcom0$FEpmAz9 جdSICyuɷͱ%sJ 'De9g0@˰^\ʖ R"͒enX`ÒM61$e3oZዉE-he~#G5@ć!lqEQ[V]w뢁02% IJ0ƒZoߊhCc ԁyc dvr-0Љvd>&;rzpkEf&a0Q &#(e ihSfYJjdQjjF((mآ5ZZF(TaEM2(*VL-l-4e%EiZ2HʱQ#B"T)4RٖPm"FجE& R&ȓKh%LiDlkF,lFVJFMIeIj6R)Sf% ITQI53Hb6Ŗm&M Fэ$PR E9B@'Z= o}W_K^hfWd=~ƛK3ARhIhWor;Hu5gJܘ~T}Ÿe\tq1kOmïodX6x qU ^5@w.νK3J"H5Vu6zoHΡRd4|9Y%XFA0dF+O'Fk^Ԝ ZEDۗ^H8J!BCHԦ"#La(b"/Xz-C{dD`n܂gtJ9 {ahwG:lQ`Gc6C$ fIJ^$G>]VhD#~}6LQB$E%CT1 z2$qv+Еm }\Ъ5Uކٙ`d$ӗN 1`#DŽd ߠR, ӯ_p̻T V ik M$0@-gu h"ل.eh51+U V {QlRw4"o"hid!'-9fR 2`sGXV\݈os @29yMn#+TeꝌv0Zpᗛ@PH{0O.fbdP)2`.OTc@hܐ:$v[7%%-LUP\N)CiD H%rzӤ@SJ&0 2.XʨHM$xb ?3q5COib^>*i:6@Q>9@I먞ܸx]q},k%J !8Y#T}8s pH留3yQSnSbM*N$-awtgp~^>y2Fz2 XL;JeԾj|#|ɂ1-߱9-3<7 2) f$*'m՛LKyۻ֔I(Yc3[< S)$EHlf>v r[ (b3ӷ3ҹqn@y (":a FxѶ~sk1=+S77 ZQPKyy : B"#&:u0XT*sG*o$UvA,m-6`52h5!O+9y(Hne@z"SSp**)aTWmn)0q4[adtK""*"lΝ5 &* b𶊆92@\l"ӿc)j޸}i]81 :U$FdY``AM=DXsn;:P2yc?rpT ǻAĻY #Q*e!ҲJ7wK cf$PAK^?KA fC`B@IոQ tYa=4X2BA~"']*{>/Gpףt)(KBgoLK p1ٓ/v2u|~H$2|y...$4%R , $H]zX5u;3<ʊAL&$U5+\xaH*6Y4T$1E{F+xo[뾚w$ łp\7ڏ[ O(nD2R :z@ܩE!YBy0-  2I(Aq,鲊dA(ٍȀDL*Vs %D+4j 3)BbaYæh4rةվ]5 \񻮪7=wTʣ"(UuksQ\$ Z6W|>. 1\Q\yL*g*LYrK(`[.P2AH[ot%r1ں2a)"(^\3!SEJUDx5PY ԠU ,Rn Em6)(`Tq*)%)H6lR[)r$ ʩH(s]U\L.TR@Po埍n GFv}~ux6֥׎xH0:M0<\ ~rv`s&X*.]L9=Gڲg $ PP DRRZ.ݳ۶쨅¢B[Ը~l.&qTg>FJ sćd)HG]؏ht6AnT_R&e8BPb$C]3mkŘ6ɫ8d0fh hvf얀ʊ[W\d/U’GKλQRPY'&S) [)nTFE$p-h-aRе5-Fi 4Or0Y2IƓ&YBL )+j"QjE+Z5LQYF-JXڊm6iZ+Z5[k5M#@"ٴBMlkVMTcYKFm[UZ lJZi cQi"ATSHlڢF4 b RYR56&54ږiV**XJ6EdLJIF-&*3 efa30fѳFmJM ET$D%QXiѳJb&f0hR16LX!,Lje X*QI Q&IRKSTHKR$Iidff Eދaci&.Lr9uxf۸oX1D0ͤo*o}dKFE"#j5j+dAE SGLՆg7(8(Im2EԧrڥSoLŐ7i<3 AB$xBnuG%hd$M[QR\qT>'3eà(",~;ȇWĎ5)\+pTē5.Ѫ! ݥj됹-kj>ePu;u͞Xq6NZ<% ("#` );k߃Ƥ%tA_n^E3~RUQBk֕ GsV\ڦhޤ; CL;DdTONvٹ߶SҰ] uָԎKb+QlP IA+ͽ/ίaO4Rs;?S2CIj!F$gM脒:ubL"9jHLl=k]94,N,r)uƣi):Y8}\{h.ໄ:xM!!\T" sV2ۍDk!u/iŻ̀=ٍ_85ncκY:Ob޳9)JjZiqA՞SXu:@{tvV{sβ_00P[doIWkfYiLsbGnnݝB| 4IB>j 8 !3L՞b-?1n&9}UNm L$[zʫ Ld9AAQaHvz&f3`OG1Fړժ,v~>g3 3%ӷe7,a͂Pn9;j!RIna6`jsvXoX[adB6PZ,UVc2 zhr)!SվZ( ͈`1&-h6ц&V6!͔JY-,--EVMlmEl`Ѷ5fTIŰi*64SIjMZHҲdԶdifV5J3jY hѢehA)5%IR`ŐY F(a Μ1Y7tC;zoTYu}&*QqFqiYX>}4nͻ 7J ohT^ia!݀[ 0 HRS!P2_iZG\`HK5A y-TS9uγĈRL/?DvfkCfJkvT7iQ|Rs'(3 E&LjYPMswnmJvdo7f]P椪[EcXڋ[{[mx $80 `dYA 2 N7MZXF*eI)-d&PI6CfII!Tzѩ}7(@s ^LȲ*$STfKF0@D6a-6 #\|0IJm48N[;gXuWx?kGK\wqȏO3aa!H cߎ0HbDo68v2S28;sD3gz3$k*w,+06ͅdeF-S= 9V%B9ȔЋ !wkA !8ܹ:S9? ҧَK.30&B Ug}z cnKAlj$jJ,cmbC&X4Ccm1F 4̘ccmFX-ZhjTE"I((E-X)EmBITkڍV6֍ƬUl4QIlfճt(K<,ެӹ/̦:X k Sts&ٚ!]8,Iat s Jyi$h! YZE;̴0ʇ,fbnJl$눴{z1:̦Ykb͉˱X(y8- 6^;" I6כcWvP&g a&#<5'4U0  Q5;{X)kgLmR9T!Sd>7CӾ즓Sag!LXs'Bŭ~>;墄B!Em f֢x4pcN+<.҅=Qt_ft,f=8-xO9~`\ k|>lu$(,*x\r;<BcgL2̒;DTϮW 9,a8Si7A-sϓ/ I2Mfmsܽ(y=4miʪ"1;IOT \$' o%'SwRyxs_ӹ+6%3i1NmPkqR`qGiA:b8E1VF6:dqa++p+X{&"FVlTM+˥P% !l {MҸa Ea*ty`0*Nx)M! p]d*K]eo RÿJN_QmӠ &Z*S(ۖ"Cڛaf&MDmnL(fg^>e΃qkὁYTc \ń&m5Dn<)6f›:fY[l;= P1voa&Aש<8g}z.GS328};۩4r 9PLw8ҁ\vOVׇ68 &.[4ā\\v 拳``JJ#5fPECL.-WH;ߟw|raUBvd *qDY(eNݯ:$ oFІ!ő` A]UW1qp7EYQam^qRcNXмY|Z'{_C_"帴ѳ߼x? {xV>5J>$id@ @v' nhTcU(`lj^&D[0橺Um}+9_BHL:gwHGiBAj QAt5W"Yş8;C%xGcK+^a 6[֑DO.px,2e Y(p5/!DKD-fWf(ktA_Pn 5[ѯ4+<8w5/5hP)}bUA#C_q "AMl&cKZ|(MP"L28Ejh Z(-DVUԆ3i%ڡX ayiw;&@FHzcj$ڵͪ(M+cQl=ΓY ~F$dn ~<̈Bķ EC;M&vA|~ŴEͱFHM>yz60F,6ƊŢH"0 *"sdBO_oA g<7AX) xm\XѵTj5agˇIx og~ṱak -a4:JksjpǷƎ30Td"Y1k*^=gmFZ` *^Rb+/n6zyu {e/U Ŀ`o[4qOupX覐n![яv^y}񈤬)^L)OLsd8XP \Ӽ_Tg+MM^f6Vcrmvj/h *ͷ{o$+ȌNI_a8=vl7&Đ 7zqgI6ϜN|HXLӺ-.ޒݍٌb0/'X$i;h.zӊ4&|M#IYmd`hgժ]E k$R6k9X `ϤuҍR"Q؍8Κ8NȒbp:+PZɳT' 4IM0F,Q3cUШ\VS#LXobrg8){1lFwN p);qecJDxJY9%`"u-x;3qmBI-L$ŏj`:X{sg'ʏ]uzVK X ZZCp ,6 IJJLp֒l2@Rb@$@鉻NQ$JvQxRB#żNt}"S kֹ$]g@ uIL jۈCvh2C\rjG|H M܈&\U8.f95Dژ5 G\$蔝HAB$&1A]PKD*cW"X!iJXilE8{o:2wߎG"$q6 KʸwY" |0MRTq83 @|ol|ecƼ8c8qh^a !3{@0ھrpꄒ_4*<:cKq@B P]s ?OleI;$2G[.J.ػZ."憊 1Yh.{Ɍܞ5f38_I9GV2K5e8k>g~([Nr|s6^w!bZnR$["ˎ^0o ly>~чY׽i=_o׮7ߣk 5*ьV-Z wd3@ton ?y^+;=)n^-}WM^;AUq.cJ͞aj;'F>‚wۣ`_Hʋ1m>^)0]*h|y;'2i4J08OІɸaHb3s1ʚ\g_uv?3W98Vkz1:yL;K@KoM,Læ4[.Ob@u=&CR1ǘmř'مhDgr뫵E7&71*k,3U,C6d,~PQ6nq8Dͣw{vaVw{w\05P 6>n5?Zv.f@L{$ϒ@*A^k6;O]ͮ1`UaC 0ن̲мcX^2c6mvRoccaB@칸0}O|F8sj=M5eƚvpUO|05s)ī̼8뗵Z_9#Y8Q*j[(DcMcb?WsQ6|tmκv|VqE]NkIseq D;h9I{> eת& G'>CǙݼD)'gMKzy&-c'$t\D3Y[Onm/88\Vm2@@I:H5I*~:sE~5L 6|~v)"sl)! 09R:cŬ{l WCUAT=$ vޑ׭sin:ϸ5<~vܙ2c=l/_]nQyv8C&'Ё&+|\Q9eҤ6] sok(d 2Lyvk&#15Ï^)Ȁx#xMVU,h{Z׭ctWßK0ޒ)WDj~:ebfx=+i Mlg21|~fhZ vF?j($vs'5ay`bEnկk8ezw rOl7O+غq=s|[2rzLP⌌cdj4vShN3\xa!"LC[ 0&믨؋U:fhp_]A1KiafycxSCؽxhIPFP?lG'HɓrhA)cp_-.<<*&L(2jߌbUn:l8KAiDf9 {~z-p|ϑy0]M14%>+miυrwZgzoU/v =izaǔIy>mX|"!Hna Ͼ.o%7gS2u n#|{/[9V.f[Z@G4f,i1Ѽl 3Mݾa؆;K`wGj=;ۄzJSe3z],"pa 0/'v>tt WOJfmIDvW.)|JQК04kȏ,^C)f_{QPVW| p3|no|<4-3M{0&vY_:jUƻGI|Ak=Žxo%zfgG'>/"NXjC`w@wa⻠dl]k;ePNbE>Q]-*54^3h˺d~1!t5Qziubf'؊TMrys7Ǔ\y4yDz ewD#)"vsSQ+,ֺFA~mg7[7+r"K7pĘ_o~b94 ppFGEx ]4%}(Fx K@GaC :L$uܻs_.LJ"BD4 <۽tnbG,Ů:3k6Äǃ4uM&^v鹈*& X OHf:6ss~:oV/g xæێjoX9 j՝?Zt;mGO89oyt <#Mnh\ RO}5\L2ZxG.y+L0T07! IYܤДC{{s.E_}ϑY'P9\;- 21 BoszLw^oz;ON:h>Cq>retz8mzvVEiXY=,< n Q[q^*tL"dF`dk6C cHdHY]K*AGᐽW APv}]n ]4Mưi7|Q \̓S:.ަDUuxB\=.%Wc~m>5$Oq@E jfiqӨTzB|I[㤇]]faJ1a0"&eoo 0l<־#&S^+2˶d!$43wy1W̗߀wѯ"}|o';afOXW"ɖz~.n/w:V[3c~7QSM%HxS㼼Y5U%_ݢ{ _R'X)(Ϯd>y0R4pLFoke5>ׯ,mڦxT*sj} t&v{FeTy'` Z-ku!~k_s3ˎЀ^5$!՜v%$v si\r4v˹nuV~U.EZ.Wi8-DzY$ʊxyG'>^L?e︊szOkwr; jLh^u_{d`x92/~ιm3FTr̡Mߗm Y[hud&(`K '>৉;d"BoH9m~ 0?>q}^cK Fp||o?c2o7^vٰ}G!Ppz_ 箷li̠?3c]m}q-VБ q|q6L88t4_3DRg/$NE]sa F 5kEDa)M]3@Տ ُD?|yJzAġpsqw gvOu5-541eXhǙ-dj,UeyXIǴP襉ą!'d'6! P%߅,̜j&u:8FmN-s0}|nu }@yc.S1En$/fMR|sδ)|aBʽ䖻Qɦ̛m7{Kʞ;iq;-Boq{S1g؞,JZ#\B Kmp2LV:e`e罠3}0U,z)Iּ)!ݳh93p=ͣjq7DC츃 ЋcO4>8CG'"ݽQ1yc\'6­0\#4G.@̄d}q'}wѸeN]Mq{)ϮY0sQ,,oA9,fYaNv"KK-c޲,SC No^8ܩGJ#ˡ~[矟J++~bwa=gp1dhGӏZ! MtǬ $NT|精맖$~[-gi<#C҃<汸Ӝ\kQHl^UScA|;NݗCxŭl!E1bȺwW  U=RkBA#'1=E Q85\mhYnhȠChbc_N\7њH?G,AW5u~O^o{Q QRK[1 h`RQ'aX^N/v^Eda;HЂQa30\=$&(3<'+RMM"a-v=V3gG ,2Vey;bj9M!.5(ooX2Z5ge5\ㆶ7<4`(LY2L&L# :ktDqFGa%ۓ$ⴵp(S=euFYt ">gޭ{;~n.cj,h>f 槟:kx|֪%gks6Rr#X{"M_fEx1/"ŐɒVBpW%th8,ynbM:.C.j!1nOS}=_lbњZ8M<,@ysŻX Zv80>T \H@:Z$Â#>יcmp앋bN31]#x30s$묜b7kae4rMkٵܰ{KvO9eTI ƷzrviS0V2Zb.EܭeU)Vv3`qqr(L |J|])u]޺ͮ0m UrNk|.:P9[?4wY0jБ)qr<76>ff93kW.]3dc7[K3LIq?4ݻ'sG> U=F}/027>YC:/oӧӌFqAg9M^K^  :[ rgGWӧ0C{#nFX%(9 JyݞzV~5/%⑇hbȶ Ox̵#ǾáEߘ~nYN5b~};τ#U>Ŝ_wnq#:<^I17@1kjNx*ZkAmӯwFp=]I> I8}ݞu-bm,> ;]Ά)utk\SK,˰ZO5o̘u4ksblu[v}}yO)?^'.u;uz9ϋ 9k|,,_ >zX! m5s}߮-D3Imzמ7rq0Yi|gVx`2ֻ|?حڨ- uncdA$,Uݱ¢l.9,wV{峿O"Q}b7ܯJ#󡝥ڜ9n7eYJm߈+6ܹ6yzb߂.e1Z>q/̤J:,=<Ҿ7xs\UdEf%2 /p(ov֖p}Aχ("OJEmz_Ux͏vGSj5eLf";enMMM+?ۛ9Kxf|Ƌy}n|'gq]rDbyv*;Iyxw1Z[X23fŲ:MYQMZn[g7Q0u8=A,2쎭Y{"e{л sV)unmQϗN=k9%ĴmJvVLD{64"F88Jqk=W/p{ۜkMf _0u9^X6;ݠC% [9]i3#ch5_ko⯏Li}c뼝p)#v_3Z+duۣG9660&+;m ,(wv_Cbim&T[ݬBE󝢩 =a^?7X&߹%l%w4r|l݋O2V&onqn6:o=|kz1d\Tc^sa =>G8li3|3EiHVzjŠ^nֺ܈"bb&Pg)jN:xBwlx˓i5G7|]K3ώ ;wc\p縟XGM־}mߛEym&tx/vjqͅ`5]#=#mMQBᣎ{!5 |Wʹz*(tbכ5wz(c`<ՒjwV\~K})RqSǁ=]U%Ż;skד]AY'+-zl{Jo;[]_~+-gfle'Qs"S'P^pR_<񪼨)N/bLlrsy9AG~XftT>$̢wX,ׅIhǡιYQ#J}޲l6-Φ RF~ms;ejAb_1ë~[ҾWWw273OKnьEeb#mr&$doncu^X랫#1>Ňu=Swƹxv'+2ϋ6|KaO70ʏj|^W*OKOM˥=cq xx^E$qw߯oxP|U*s[3+c~FKOY3Гk6 -c^m*q(5w_Qʁ}_>:HcuKCm\GGV9+`fcެ|.rGF u=V fbʨMcoE4ӕ|@y|ߏ+w^1W.WnYk0:7 pC EV#NʍbLw%-67-ǬfUQcs5=w+!7%ES2H\T()EHnZs;uvuRA(d@Ph 9@DEPQseDd$`c+VM-IQV6K;~⻝hdM<ȒuN:PyRϫ va"1 kT9<: P}H< |A}!|ȈΧ٭VfbU H _kO?˃̒!H$>xu9=ż$PJ{Vqhǂ^S̪=HT$??M=)>o{ί?; D=Fk0$#:Aw;]Ջ=i?y;gSqH(eE#aģgxJSu~^/z@<.@ 9BU<~/cMO8ۘGޞYGܒP""@rz`ϯ^&?qgτ@D:]8B*+325_Ρ֞~˛)ZG{e~F]^=k\rȀ´`E~a;GtazM35}|kpv(8 [Q[n۝B2oM@m^9ZmќpT=_N.jZr'8Lnfp(iSV+uI}/&y>?'f򻏧rOm: ځIV3Yojoص>HDBkU./Nji QܐUWe)"rRd24kW9bU=ER5"$b.LMջ(mbEr**`Ȭ !&lp y$8xcl;gpplUE1-)ۡu̵1q)&""N-`RAgyWN(Wr7'wֽzצZ52,Q6)2Z"s)bm0Gfe`*" D*TzqG\la)eY(ࢅ|M"r7.8&eO f7@IJ"/O{ .8. `$m̵p"q{`I|8i qt79T{D8DAHz3=sz-:s TLDtXH\ֺq(Q$֘EWm'w2H$$nxty9!T535QEu&MxEcg^vZŮUbmhx6ys]#厛fgwb9g,A|1Edyoq {*V(f2"r[jML!3a\Q@q+)&TbL)B$d!*%1CIil" E@,r(f. *YZصT Ӈά2` &`$ɜMI=9þ&9 ˉrXAeƘԒyW)z'NX͊{+tD&黤F"؜Ent`!\&!qv=`"A̩2xV/K#8[c`̎\$$ndgv^֯M^FUuΒr\`.D `2G)HrEh`(nC q SGЙS\N!ɕ6޼>U`xHӮcsH>þ7F̦ʩaO*axcԻxۤ×J3V`rq74pKtvS(J$l3Il#nғ3S b8ܘZwfkAGHέ:ιbu12I˞wH*qr_Gرea^9+/TFvzubnp%, q¸rcyb,ى&W=XlD$ #5]ЦDܴU|',u 6.Ba'-kعe\d#,k BaHW[\2F!φlC\:٘@6hYT}EhGRlw0ͳ7apʊ8!( %e 0H3$ͅq$06m25ALDM1ÔG&F&"u)c%EXICDJUt:IY,;!yeʕa"2D#=e"u8qLBH#)# &I M$[l0O1P$4qq} 2ELm8HBm52%hH;M٫yhPP:bq&$l*Hm#m5Dk:x=\"q( ek շ[|%(ѴŸ3Y\#W.hI#$ m3rBaٍ$-227.K+BL(8,|}eIV8̧7<~ q{TcB (s:*d/{ G~⽕yuÃx|zHw:fyY{@O)„֖oy%Va=UY7Y!8>q힭 "ff7ho~<7<~>Ow>oC/_}h^i?&gS}ߚɧEѿ"DZ>͜N?,6Lpmm6&pI)[TD 3) ONnFGe8(X]ŵ\2KH*>.n܅.^+q_ga0erth1\JG4 6h3u+%±g8T ` C>. :dFP)tM.; F+J.SL7n i} 5a·:xLr> ?8_q@7:i8],IvRYR8R^m銯~YUG]k'SH6OEC=C0kp~:'ʧW?w~PR=}#WNIdBc1b I%Ϸ|Nq޵wT{/}!7W5~hňjX|xo_"]x$fbT/,YPe5.s@J 8 •M|kt8MT3/x(?i$$&ڦ~-< mn(lu1GhNinG otj^FMNxHzqMu+l+Ɖ,f@]yk|n\dcpP#ω9yd<&7D ;N|9]8aϹ"Y=ue׾p؍kah6cm,Qbھs mc^sl_^E+T+a,e6`lQQݱsW6Ѵޕ/ocX$Yڊo̯Rtq4=?<551s2g^R\(G*MAQ\y[LʹPm7 "(Խbr;eItJ2d_VaKT*h`+'ईq:G?6ew+a.d昇"1Sȭ?Az,tEdy TEg.&WF U׫+E*J78c{1ԴTd)1B &đ !Lq[J%@oDUdc PU:q[P ĝA17b G8cFǁ*uVՔl``<.YNA<%#*T?մθڑ8eq7NAFHQRTw4J9p+ƠwCK{SHH4R52w/7[T;;6ƵT_ӥ0X 5 @.u<"V;^Xqw3`wuqļ(.$*)S?Swru&< xVr3aEgSq0+ ,L3T&8v7(t(t,w|itYMmJ-,,ig.`BLe9ctT|fȌb^28aq6pknBF%?rp?";77rqΑ͚9pS!}7ьDƪDzVuNPٴ*upo,@ޟWgq'FfIddHio ^6Š{黵$`Dr`3QEk!(|:SȭƲ'98H1rV̮g9~U"9H1p.'/}-z s[=YcUI3dd|ܶvBvrv,̀?rnjg%l#xJ&GM:@}Pia%sڷQZT߭7V=߶WoE=TN_‡мas;jH|}:D^'l:d:?oR`m۽afGl/*6(%W$^Y\/c-ѽ6Ju,as@OP 9G/Pyu^ !PUy]w3n̜$H^0϶O5/j9nFZM~ Tmxh[.(a(;g3봁9o|M<)z{=Pa " =ЩD0ϛfSa}["{:o)}X~ w{< Lز0\"Yi˲xeᄡgVٷwXF^<uL1ae ʡD1"dzr<飭P v K"rMF;;/UW֩i^wZ 6MO{~D`~Dl1DC62PdSA-7\$Z M||)QC(R:Ys74A!M,x2XmmXlEG񔩔I}gEG!{`mq^cUT|x)AJZ*'E㟜tb|u! $d=$si{>/ZZl9eg<45l^7Ka4rø©k,=sdAإ'6ƺb c"1M%ɖL Dz’8GK(7Pqɉ(LL&<]Y.èG^P1W_q 6{mKݸ }(~ިkGUѫ<ʩ R TEbN54ދ !g>⩶ {nhBl۽PËϽu|vxzZ$+zrS_e#o)϶`ȲVX *3ʏ“ 0(qLj!TgƟʳ+WEBxq S&*H^r( u0((QpW*X8 D/Y t~VP: ;'twf7brIw G7m5 @RS/-U 5EA1%8a:q3==z$D"{\;vm"[<]A!\>T20)*D +*~j>S=Ts6^PITKJYPTCU_]PWk *wz^TA)0l.#) "~ $H:fQjR5ڌg׶-KFU3lZB61jP[DO ǣrZݱQ4(}k6^yX~M8JWtL[f)ד$vv4o}>6KuUçz߯gOo&#rXFK@ADAJqI @",QMyV•~g2fJ;A2;8)B@i2AH/?1+ӕc0"ҧ6BesCq`*p>( z&Irna ~L:k Ng g>Y!X2﵁Bvgccٌ7Q'f`)eUB!t)+fyL:J?+JV ?CZ";3y9ift:D!=Wֲ6<0} 7i o*v C8,F-7~#=>U2QM)bş*oQO*[Z JiL+-t&k1 z2cҀƊʲ4.@bcqկ;qW A_ dMo7,71 V|  ab#%;`?\U5=$"!~-f36q'?0F#i+:$\!WT ^Z)@j*_+nG`6+aQ*Ngʠm΋ uOv5z:X*.M!`y F"C%; ZWs/uJ9!H4GoIdB[uGa&De<܆W݊XO4H4/g*u3H}Ru:Q89W+@Q.,aV5*76ODMP{@ظ,{ub*Xۣ]l|ǩ=|w)JRRl/n{xq=Udux8x*ecNVRIF]n-Z$B46.IuW2шoɻPtd]^tѬ@QʴAnQRHoʉgYJn]i*<4-[Bv_ 9@x4nQRh]yWmw󇖗PlPy;3ȴ쪄!ȳf0D w6  ߾M\@IelrфEKp oP<G2ꎜ-l&΍W-lOŎK?g3ȄGrgN#6JiowL.+xjS&6WӶs3 tEAe2Y=|g_g=Vi9UK] pݳ~C1%l'噮UY#gQ,S):0䳓GBan4TZ^ e5}_v&\!P?5GWI}nM0 $mezG͵=52 Qƶ HfIoRt鴙Q0F#l™\/2 dM !,m~W^ػ(Q JpR-P+bW (PHL٦(oCʧ6A0,sp:7x2E(c"ᣑ q#T/艠;SG0<70Rz$9[e}ػ,TM4U6e9lj_5+3cz8?p?"~,J~LMmg7 )1`qt&SGQŵU8A(-s#kfA0E .x;x0.Ho݅xZ&S~sA]xSkO^{RP"$ൔ@q~ `)F<.O|S (ڪ+ NRhq ?KVg5?'ۍZqϏEo=6~7nVM< Q%pfy7#Q Eby= =ec 4a;nEτi~GBgC8"\.EB:vIY} ġE({j.-ѪƫA G9!طyKNl HEwrl^mя>>WE}_Co0Ǥ3m<5V(JifGLMN| <ٛ VቪΝI3I&lSWtDŽ 1&b0z a!0en+9a1v:D+I'f:}}T2T<=W]fb̌32WVj&,LԵ;6 >c?%M&6[{w}@&.i9f1*!xڱNWtc*ypqKq2*Vr1U↶SɇfԔddֵQ_PK?b$shg8Tj UٶnmDf M!3*W'b?ʹq˭'m:8*'?Ƣ6c$%,iH}߹gZehL! i"lSuZ(PymԉQ,YdXwp|ͼk\٦n.vFlfڷm/npL&pةq%Wϵ )X(=OOl?~Y~1ўlٿ,{sUy~dA 5=̂]~CtK`Wnm?մVp@FS mn|?f*EVTL6A -i\aov C. "pHLLU"xj|1Z< !3MH`wt$ԇSL5fZeZibL+M tFBU6B9h@ Z]7z&ٵ50soqi d(~[.ǣ.smߍ<Ih 3k^/]CVM:ĐU/?(M w3v~s2?d{A˧3dpPv~Au*zp P+1BGcċY[)>.qA\F9{ݯի#vl=K#],ᡮ:ݏ~\8v}vDIH1+(1[pYp 6$7ʾYҰCm{;u%ьiPd@Z"쿏ȣ`x ub-M3prg ׉=P>&#bzO3V(7}\d Ln5cSDA͚4| *]lfՕqEF{LQg* =fNݒ"9TL`خ=oˈ'!#ڡ3U3ɿ,m{i7iڱzIzQ@$,5VZQf3ު39 o* "IMkطڿ/֏}cDuEgTH5*x;""pf5 "7y4C8Ex(˫EO,(hTI&Fz6Z׷b}!0codZڧM2 )uprdAͪX:1PƔUaG): ,[&1>X[ŧ>1҉YLr2 G6|~>xӏɋGJ; ; _E61znZ!d*!$TՉ!8bz_]͜=V|Yn]nSo14M:c0O_̈́>z7K6C ݫ^4?)őpv>CBJQvs*EO}gR$e8x&IS"K`?:,A}=4)#b9>~sr]AWC1>d!E" hT:'?LY3@+ci U(E+.QG*! Q@'\E<~>ÀmXJ*!:y>&GF;V)hUL"ٕăj~;@}c I>ΨKחr:{⠯vD!3egXX,Nf3~NĪkER<+&RJQa%Q-8ܴvV3Jq̃k]+!R$T~?˻Oh>zbR/럗,AOǣe3Ɗ_ѣt{h*;M6K$E•D^lobBM~;v}a)O_=~beS暗{vQEcQTp9sicnHWrAGUG"G3Xr8ލ~>Ҡ:Q@x*1Fөɒ[w 0tA~APD=8!֘@Q@|n EKAK~} #^;5[j+Ҩ Ͼ I4c.` MBg8Np$r2>qWn?*R6RTj?ZO_Y75E9pBȈk w$nʵZT0 ()QDYDۛ_5Ymۡ_)@|"9&w5g, <|inV%Hv{}ϸӞ8]. u"'W^aHȒCpXG Ow8p g[! C`Xha<,d!4Td2rX&)p̢i˾IK^,+m65)-fPmRkFŢETX(QFѤQj6Uƣfm*FY?QXѨыd*`QW樣FbF"S2R(2I4hI^W+ŬlVĚ*ƒ56$6QъmW*4VZ[-bXj5FŠ6ɱ|4x D 5ZܶXѼ*^խƱlm61lZ5j+EQ1Zf#bFEh4c%cbklj,bc4Ql62b56bEj-jU+5JzUmӍjFE5Tkb&6+cTj6*V*1X E|y-^hkEhj ZܮhPkFɬhmhW5ѱvzZűUnH[M 6d Xzm׊ק5޼qr,om(4ZW"5b-5uXܶ* 4j5bۛQWmzj^l`%eaJ~ RjMOtm\ !GDWCL)ݔ"ᐸ&.8e!HL%QF*H,B (loD(CBnorxhEh"(M%lk*ƢV֣FQV6Z4mEƨ&ZbbQ[ƴ, x›j Љx͹mh{W Q E00!hTd a| ZMͱh(ڊTmnjLmIY]W>PzUR*[5C#d3?N/V92A0Ei6QIr ΫP⫛hlmznZ*禋` dF%K#ңAbͱkmWm[C^ab;, W#ǯ+`6E 9pIbJ!  2!I2?}v$mXa=r"<"a$0E$=-V%a@T[p!rA& 0* CԓG6 rtVZɵ5E׋_-{mEj o״V-rTZsjJXѬlUXb i6Qmڈbdkfl[DjMlTm\* E-FkZMkڹ_ku "po`I2E"XrJI 3Iճ.ɵ (>jԕE$Q:)޻k̡L9- :0*-V~[ڨ۵(kwuTb5Qj4Ej5Elj}h? !;gi9|w DH ZXm d{06e)cd"FVRE ,vHR $X@ߊ!hOzZP:UXQdYt P‘d5L EBАIFlj5}\E [)%Z4D,%f)3 qpcF,XCjafȤ&ݘ(uh-գgu@X p( f._BHyAxDB+,{|2 GRnu-xnP=eP$tw (&>$n<] 4c:vu;oxrI}JJHA$O9pmXEDr03,"$AJtt2(BV@O_y][ #߆^m2y`O̪o3PDN4EO8bV=>Y﹮"o8?:q6<3 #M6Q #3!eZgz|Yg[,-s5j{ J]M F"*rzd*99n`Hr;*w0dEs`2ῗpeGтrv{nvs:h>JYdyg\Dr3 @(!OvyZ7ߵZUV+.A @҄KvR?"# EhhTi5c,AbEXcF5F5V آŢclbѵImPJcC#d[F[EATV1mZ61T`مlZƍYV6hQZ6Y6,Aj(U66Jcch#5,F(XQhFѪh3i"jŴkFѨ([F#E%hѣj5EF-DlDmT`UVQY6*+ƣb,b֍j(5ch[`Mcmj6ђlEmTkŨڢ1k#KEEh-ڍ6R[F)5cEEI6mkERZhhыEAblAEQEDbح%cDmh؍Ih[,X(d5*-REQ**Q̣Qb cj5Ei*1TbT,Fƨj#jcUFVJ6BY4kFэlZ-F+5IQ6TVQjFQi1QmFQi(֍kMlfbBX,bPlkQKElZ*6Ilj(ŴmQF F4hjجmKFj05bbōEQd֊Xڊ#EbTZ5EcEhMV-PPd [ET&5`Ŵj űkFQCZثcEcK,-ELRbƐ)-i6),L"cBX0%Ehcb*Hb6"lh*e%mF(cDcE4 (Xʼn*6ŤĘ,TcŢRY1PX&6(֢эcPcEت1(حFhXPU+- XѣlS-EQji4m1lh#lci6561Y4 hcF5%FA -X*5XĚ5bF4QUIV+lTT"mPmFXjE-4,FmFbcjIAъ؋cQcXѶlj&lUƢZ ыF[F*,Z4FlQEcY(#FFԖb hFTkch"؂#Ih(ڈ-cRQъQF(j36 65%4mQhQCF6Cm"&ՊhՊš*5"UɴUţAhb5j QX؍h+X*FTTh(6جjMAlV-EhZ-QF4FUKThZ5QlhhŨTj+ `ƌbIkF[Ƣ6k-+X6E5V Ehѵ%L#b5!5ƱEcb DbElQƍX#h64U Eb6TF!QF%FƱQbX؃Q[MZ6MFѨX-TXclm5Fň,iDVѱlh,FQh F4-F6J#PXXRh5`֒*-6IkFěE &ɍ5Iƈ%%6DTV"jɫ-hU6hƋEcIZ1آ61T2փhcDb̴5fƱc BFԖERQ`cTE16mljVR(")"i U"m6-bddFƍh+I6ERj6-`شj (5$cAT-f,TDY Fdhjj6 QEڂأh*ƋFHhڋhcm&h(شl(d EllZ-bV4Q%&bhV5iUE#b#F(ر5&ڣIE-`(QX6%mccj"UQb5d[[FZ4Vƪ66KAPZ"%cHj6J* HP%H#5IEF#F6*--IŰhJ)*F-!ƋmbkQ jƩ6M(5`mlTX`bjQLQTj6 QQD-AQ11ͭdLZ-Fl-X5-2VhJdV([Ʃ(1j+h,Z بlT1DZŠ֍lbIQE Xڤ+$a h-LbѢQ51Vk&#j-edmZKQZ,!h6Ea m-* Ej(ѱX1EcѴTj(*5MD#5cmchX-QFXUыlm# bTZD@%dFQ** dD5TF`F1hFɦb6*J%FɈcTZŬljJTXQ*MbLmbH bԖ,TcS1DjTi-2lhAFڍ,h1jldEF*Q-3Z+RQFZ5i4lQc%a#&6hƌ[XD`ՂMQd53I`QZ5$Q K4m%5di$F)( Ƣ k h4j6d4cRYXՈL`j)$؍AQ[ȆQV5S6-ZJQIX&V,bhhERlIѦUTm42Z(+b̲-j+UcXFF64lSldlTbDIƴi-TkFmXF Fh،mAFY5S b-VMF4UFi1* Q-ԄTX6TQƊ(*MUkh֋ImɣՍC`QmF ZZ**TՋbփXbZ FڊX(*k% Q-š(KIF[bj5TV*+EE 6* Rb3!j*mlZņ*"6%%Am4FTFlX(h5#kV Z,EEcFm4TPVMb#э1&1j EbXI,bIhcZ6KAX֍6IbE6MFh1j-XFƌEFhت hƱjPQRٛ#EQlhֱ1bűcBEQh*H5A1mUTU``mRKF6E6V*[XZ54V(jZ1k UQQA5Dm`6HkQ4j1TQ[EѦk Tm&ƱmŨՈ!hZƣj5jfIQٕ ɂCd 6EE6-%II*(5kbQ1bب J k4j5F"1cL*(ȟV+JTѣTlƋ5F6*0TUQFk&1K1Q`F-&Qh lh+%%bF*(łQS,PcTZQF65ƋFb5DTj65cb+EdllIQj2hkTm#cTmETj1lcPmbaQEFAf-IRjƍ1FkQ64F E1E0X FlU%Qkb6(ŌEQZbѬV5*LZ(5FmbبQFKbE14Y4UbkTX(c`51cElmmclcljFصبX#VMZ6Mf%FD۾ ҝksd8^v9I`9߲:}kV~\ɊYDCE:UFA;؊{t ~G@#X $Fxҩ3?ji@`xtenjxdj`76C+n'xhB_lxthx4U'͔ Ӧ=I#ˬL*1HJ;+ٗ_'* ]&<$)@Muuqjy12&S" w/O  UL"e0OQɡy1M=/o&b׍'DԐS(Q) !q.cf:*kRB}Vͼ~'dTZ)\}+ ۵On=z B.!0_zDy&hFcXh`?0`5-QVLUV&7;C$A\wdrh<Olɂ &XjY3ޛ,}^f-O_ss0KwK,ϸ snu-"a[f=̦~z>3/,Oӎ-SřzN[%#̕N&8O pzH㬮Sx)0ucQPQ4PwJ @DwA&-sT`r<^/tp EBbDJqǟ&3RԎ4ole<3"KA%;0ePV. J n@\Px={ hu=#,߇-M&䌻py1I j#("7wyEb-4Y*5$&Bh+ݼln;^yH^Q$%I*9̮ChC$Y; P@v4  X)Cst]]=W$b% *h;lc.hxS72cUh6ۧT-X2 XuNU"uC arLŌGTSs^T#.du ~5?2hLkHcV-8 SswDZ])"$&?.0~vfrZ>O Zm%)YʝvLOBkVQ,E 0oCW"p{O'bjk P_6!=PŝLl/Yxȳyx,š'%RBT[kz YY? «x|y;ay?_aϚƋDNr1:b;oyx)8 aUk{gEF>\ LWr,UlfS5&P*ϼs95O}(0ç¯=L{!"iGgʣ=ٮ,wpSTR-"aK)1_u ,D?̳&45=`11!ruP>p?UK ەKw2$#'T#>I(R%0yukYwx"Xuw~K)YRzS4) 񯳷{~~W=_ B񬣽/5kk܁P-? N<Þ_.J=rl׈ȝ(*qD 4^pn {u4ze׶"@*VʢHD.xz{ljtEx8}N"H> 8O{?t"MlHV[c"5^ذTwL~҃,cGPԹjmX¢bǎQ&|,B= °QH?95lZMW.-קuWӖֵY4b D?ñ&3,S$6. ݈1=\nu!PVSJYV"*!|W EppRQn?K~:ݧ-8[>ۺG }ѻGHPU`y^ߓϡy?Dcw;xb'톗 * wFrx=#&X͒=;I"r+! u~/tKvm%}yn $H\*Kf6oWR7qW)krE(YO|9zj4/IKyBMݹdڧ"r|) 1|p? KB?Nq/7jw=<)YÖf`xGeX*$UۮiȲ``c2ZWC&n`o?1z[J*mhDj{;Kr!lز@ AmШ$*G#膦0S1p\)%\}6xDTrQ2hJǖF̧]I^/:B~̇Dn9&vઠ#LJJYqVn‘# bGnE%C܅1TAp]A{\yni |;CǮ\[-FT`1"LD OGn՚q!B\\0Yr\\,R)- J+Dm"744fg]7k2$+L)d lTRͮx u5-VdbdBR4L'9ic#k#edȠpA\|t**TrV7Qvs\(9k 6lYcMqaŊeL1ھ[2N~f\*C-~6(̍(̆UI)Qi5A?.jDA  ܴ"U "(đûT1=-^w'ϗ5ePLe&eh_]i.3NQ8DgϛQa7bQ˿O8UsI^ !F?=KDe/73)h15%Wbĕ.B 둘bSҼ OVktah ;r7wQ1 ݻRIFHzZ71u L=^o $w 1Cb%+\+jfhiq5qXxQdOϰ¬8/.?uB;O|!'}I5:7̈́)3͔{,}]>}coB1 "Qٕ|_s^fAv( WhC ҦuxW(B" `I,hA^ϗ`e,15_Γz)~nw˽W!.+!__=:>.uӉ\EWe\Ql%'b M837yWO~]%* TS>ʘSBЦ;r}pEuJiRogziHv$+y,e,Če j"l/M""H|&H*~<<G(<l>'C)䞈dX3H]5!hs]-lj U=s:W}Yot0U~t"muȃ8K=u!4 Xy\" B=$^Nl Po>:4%r\X^y58nR*nJ'lp~K9+sEwP)]iٺfQ~W7ŰȾԿo+Չ1GMVs$-Ʊ`Ke]","Y1"2<TIߤWH"nLqǗ*j1vE>H R-V {[/z}3GSo"s%^Jꏟ~AS^Nd2iSfjSr*!0kpTq#ӯ>B7D&ff5ycñ Ed?~)u;w?}ۄ'MBL U0;&p`/>f`G~ߘTYY}<_= n+иLQnrM|m膀˼2 YI $&CqkqD}2Hr˙Fɑ͑JF4R.yVs Zo2gh)[drpB$\E֖/naDFٶQ Ep0? OG?T+Pƪ[#18".V.pL片g{k3X9s?>Ⴂ(͒:=˜z^6?g8H' >< )1Anxp~d?b4ux~MoVY&(%3BwxVƵJ*1T%,H(( O2`{(^"cYP YPR2nOllsqMp둹:8D.-{ĩ$ $rA3+s/.ݼ+f? r1b "1}vDъ`2E8`W/W3ӈ}[XTd$L~lqA*#o o"ZOݟkNCO$ߟsWI4l?yvlڄk7PO՞~bJQm|e"[]Rɢ*,/>^ҹ{na ,}En[(A.bG}/6t*p!1#_DOz*є|w{#]Om5FDH8ƙ$qC=TKfبQ$aEہ AX AFqzCl']2^mݸC1No qANaD*Yz5Q& g"FW3"ba5#3w~􆀄pQFqd˔Г,P%ν};3Bz&pTn7+!A]ԡ\ r m!&R^L *'&nfQT;ywfȦk9BF O.8gȻ\فCC(P&ْl0* FL4 (LMjȀ(HL 2dQ$gKVRĕ0LS6GFK.b&) P&!EDr9٢W:I"H.~::v <) !$BH7˿=x.̱d&ˆˀL¸.EģŸR \)\q,"jVN-wr,sakGZZc)p\&A=L3SdC B,"E Bw=#1_}%!+RQf]S7Y}V᧞]MGc&K*)v\#1˸aIXˋswO&$ Y2Fd{UҽDȒB#`A 7lH 챷u6mԄ뀃F* )dI̒$*$b2BI).aany30S.nrn99wyLCIsmţܷ0$Er.ay[[ѮmQ*TlLETXjH)0qd2s90¸PW) ,Zɉ$p0^-6]!E9Gݎ+OB1E+!7P&7p.RfER& . TF2[Ym҅EΜ|8^W1sQѲ"t۬JeG{7O dG IT"TʒDW4jWr V Za9=hR$#Xd0hQ%:M 5n즐J`'pmʍW]m{UkuTLìV s'R T#"DA[hѐ&z1v*~s\̨AKѤtaP2k?חg߼y}X>m%F*+HG]2s$%AΜ`._^yq˥Dfe*0A#$[d!#H&N[O߆}pTF""'9ԧ0ak&7 p?3Paʢs_}zpyxumƤP.q?r sDJ^ Hn{~!U%S=3،IExzdOJ!ܢ ryUkgo|rAʏ@8vvcYTd,bހ,47\Of߫5l'D.o4(5;T?DUSEEeRF^{ O`oL4 ;NYY! ,yrING;C\-Rb|\:r/_{킽ȯÀiPE/^/:^(I,"ؼ."=7V9:Iѱ^Sv4[G99v>+|usZ-S#s0ރIVO&C"Xs.h we#c"ᔊ1ty/]/v߮hWq!"0&zl??{JέEv gcOvo~Wۙ>h*^~YsU:bs5˵9aQ?Ytkݩ#cEMugWɼyR<Ͽ:{{M?[aHbki/*_ 򟵫EE.H<b!+ьQpP¨YPCghKA(1Gܷ~y4ǽՆ(GzJ_gʽ,EV'ӫuŠ*QQ)S'ޑ9JW2f}ؚ&éx2(Ľ1EwW7Ymz*."{h#ePUW5) D~ UE#0'<S8XEAOM 61E-^.fAL8ٚ#LWxҽs`迹nN}y!6D&B%1qW]u4aDD-nIn8!.!!_>=烇Km$If<wYwҿ|ö $3^z Ǧv;+I mQ\]r|1=,쥛ۨI776vspu:޺!Ϻz^rJ$9Z^n,9!>~n&L,]Î%fǶOE>>ugntyPE\>䫾:Bu}>(5DU?lUTP[C~sb8~-љC ]W!H$ \"Q$  E0}PqQ Bٗ,HHsiB ?y"$|M4fK5:fd{4/Ye5jRơ$&8B_3Y$`Y-'0cXPlȊ6LH x :m˯rO9TJf1i\đ@ h>Mbu-^.W-\?X%P@o쥁5,Fźp5wЧ_gj{~\EoASOgırnmsM(iW⚦@3>uMqЈUt|u N ۑhD$`2 ~v |߫K 2ƽx?R$PqИ'h|s_*(QaT"t 7v砞V76DVY_=S .yHG QUUTDYM_UbjINpi)!꿏US._J^E{v94p7RtuК S kf }rvD|/+NOywwّDރ#ϱZA+9QW]'pA%vm_V9toIl0c) >/ù}|֜0a"~AٮU&uf"b8w#!uxxde!fjŕ H?ͥ|=w|RJYfD[Њ)mJ*!U HOP:\Pu^WϺ9G(=| 9T9mrNε5u T?ˊQ=JT勜bCTϗ~Z41'*߬~UW݇e9!Dv U0>H$*>I 36D*UΑTѣB㢇6(3|2 ?QWshp5!Ȏq 9'&νo10u>Wb[6/a0zx F'sQk_7um_77bG.L72$d B1E?3eSrk$ TʯGÐFs J_#(>'(fz.M 4oZ&O_B L2k>?oym]5"+{a$cBNR o78q`"],sySrW:)$v*D=?_PQ3el A!P>_*4f}_1qIy `k6G! @@0I3XmB4 '+*ry_g@؈TJvn% 4OpvFm1&%pS9~߫5%ݤR* _ꠈ&⡭MPuo[4Lְ4o4lѢuXGRMݳmJjaVrnWUcmvE퍜"Sm$YϞmsz:7jD59yiI=bZ4h,-3X$,1"j=Ooؘ78L[:+ 0S5FÜmwv]ĖLB9h?랹ӽ47$)~=ŵqO;kkt;" n)y`)VmAB]8TPEDyuv޽Lb^H8?z{ek#1M LjAb'B̎Bpd!i؈ $:L~Yha4T3@Fޏً-F}cmYrW( ς%gP/bFp*ýcD8 ,Ri?*{: !|d̹U5K2/>f*"I߃y\PU>-% "z]:%p8R=u 1;;m%HI̓;4ƽ"MR](O v D\O$ߨ(GD r?.f٩+b(t$5#;QN]ϳn" U9&q$"L8w34bA[yt".2`"eђ0d.elx/՘1JsY(MAa|aVUɜWg XErs:ٱfGg|]X|`UC1W]x"ญ7N UU 6/CDkքB s*K`Pϝ Xa` kog5fP**Du %eMCOjmg= tu96WưW:ν4m[ux|cmbP+9Ԅ.5Nʬ]fDH,HMbfd  SQ5wR-U1OIY ʊ u=s=oSÄ'ϙ(E+#pe΄I ߩϦ__{}l]Ymk xcU!L!m R)/y(Ɗ*xd*$Q? ?J>^aۨAsnচ-c8RF2*1E$:s7;WXF*.no>n+wG# aDD"UL^tT\9<6 ¸w Rv=$s#ԙ]=g4i_omB""Džֈu|2mW%5Sߙߟ0*gKJT"ϧokf@#_>>泸EINxNlS XZ6]8 Gμ:޶Qċ_f䦭?9a{k1SݘiΪb3w lf"lR$)QLO҂%A, `1 a fJ9ˁG a5U[k*t3=x kӌ ?n5ӭ ᩣBȨX ^Y_\fʥ=:" 1R*p^lOQ޺|~32S'ƅ}ق?-k9: 8 z%}-'Sĉ>3JIY̿ FB*G_%57&(lsJ4Ѩ(#$rLRE)YնEE [ ΪDNsUA %ޔQاx붎7>)FL';M;2AY2A;&er쀢}Ns9Rsv ]:/)>`ud ghڕ?;_“0UtU[ڷ\I$ V`ԁ耐\9x4QYw !P)$IC)B,[m#~:K\aLuyY5=*N? fϮ(fBH:=s{?.?rժ׹ڽh&(uI5jr_l?„!,$mKÄgv?[|7~ \2j.qBPhгqCkMrc5*_(-{d0B*"Y:^ߒC8! BA(J#ćvοSjUٕAD\6}GZ9yX&JQ^yV8涣y}\8K鎎}T^r  t,{T* $*υ|z a BzPeU$;%+Gģ?H#7ieYBz/ >O #^L*H'SyXc0&v陋_#:Bؚ'g1xQ)kF8cnKm}Jcu~nL91ٺ].f?ZV&-Ñko izA2Ď|0/҈ X > -E?eن?s h[?ß<~Oblջiw|yK>+;;:JFME#jk#62nA& 4P^M?]חxuy~~̖* 5M5ZS*-(1DXمLJѮ\*1QXTZ0&4VOb5EMQ &-Rl%Ed֌cF-Ƣ4mIbK3,%Dh- |dd&Cj+|__[F Hٖ%D4TAXɢh6!gזE[mm[jƶXVm[^5sY(Ȱ )a {qS T Eȳ&|7=vMhU4zWQdvj,Th_Xn\ϲZCo"sq ,|xKNԝ e4PӄT3YĎVY }}b] 8p~Ckg @PDUBn]]<%Qھ6_^QIGܲl%e2εP.L*r?>߷(U'zbZ)%?[j=ۭcAIK*P0?%,i0k&+Qh,[&_?w1,klX F1X41Rj,kXLV6DzALUF#bIOk^: |co:1vjnX$ +xf " ي3nI7HD۶0NCX7ZZƿxzkNs]r,ͰcOۤWMKB9j[aw5\dCd^2"(k.j 2Gߨ^w?f{5uݹp6>i:ie6Pjࣵ;j񵳿З SAOF>lWxTJ dz{ϝs'w2P*E*=l.r Jȫ۳(=NHB;>O)t\dNŔW^}#Hex"o*rVqte{깛7Zx,% !V/e1b!¿Bӛm9*Ǖ_ENgroIrV2O!yah)2Elt4Sz)AzvvaIg&fFRb1rIIh2.!M}ᐋ$V $RqO')hQcDaVdoj5V7硴:rc7'4{5{ۓDΓJ*[T!bo`yz6+F5` {:=,RvɐqUǍ:F?f2yL ?wRбf^NKd:rӴ"+$0"CՐ[۲0ϫ m SH,Kb=N|짎]&@[O^?x?Ad9lݱ+tVw}K Oc{^Uko;jY 5ϻӠQўvOWΧsbOhCF%hpkS;"fG \sS#g\Sr "ɷq?#V !|BCݥESVņRV*}_wT՚"$+v=C^g`*@eI0luBzj'53o;7qYE-[v)"m c_k?њ >c|'T_Ds9NLE@CUQfA j)mPD"4TS^ϒRa3Mxa$9륐b. axVa\֚P@9gu_wu}}o&k)>̜T@_=І"k˟ WJInl~n8hdpDrSS!9&![WtĄ hb/?9K~˸R/Z<I @UL86W>@6q ݕϴW* :jG rH@3{X'+7-OGlFosڇPX(Je^ 7:&o'+\k8 2MʏnVx~ q i-84CEF:@>#?fO/[lٴM~#cћ%*2V"&Jm*X4r+C,)a^L_0pq ];uLs[G eI>(8ޣ=Fv/6n)wB`!{5s ;;UF?h`>wDeE2z, 3xd19ڍ&1rzX9.CMM&>wFrI!tNUs%K#c_};΃q_Íx#Lc);elI''i,"xog>y>20f 5RV0lKz4ěu|^Hsx?Uc4Ke @(E=te׮ŽNg#rOC*4+!~s79gj Qhg Bqޠ1o `s8 zexa՞\pd&^62bM5 NƮ8&Aȗ'/ǝ)`hy!J\sޑq,FӾɄTfYԫV!/8wѕ^[wtoC\Rvqin(*XLJG]Ҽwa]7d3r(UV}47=|NgIL-۳2ܒd'ݙٻΜ4KJ1,\=zzJkiN>>nCFݢhM)!z:×ki:=jˋY'i)!iX G\XO9k) Jg u,1dFSL$qd!nzT#PR|am8HjhAJkuSy~>~:to؃R-K$ [3g=~yV"lys~V uP怤Y#,q%"0@CAH5GOד>34ͼXߓ? ~;23Q(wR kI e.ʬW!^j48fX)z$ʎ(9tjՠn&̋&[;fN(2$XL]PXo3XHs[t3w s78pOɜmc :rpڒ{T=6a6fTg,ûqM}P^o7ؚ玡jȽHyA+-=0"`:Nj͵](T6Oz5(P7XRxiw_Ч Ql7U+p'g;ؖ‰@C;O?wnO构ٰ/i>8ji1Ҥ)foRXiG#a\_iĒgK B!8?$%Xq^hTN$pº_P2!Xm F{YK7|z^R!I`,ysN3uf|tf4TZw>vk?j)]t)/KP2ZAbPŗ$b~{<(c~ &!L%=h搾(v`,2RٻI~:T&jGvtC=eSd0uvr6d4IUQ3B! N6M*3;Yѝ^˻)j6ތ$gvNR5K;5($S\sW^߃WB o41'Ɇ.?BRGUs8Ŋ=+~zUl;竳oWcgkl_y.o3ꇄݏS H$GH3I`͓]j?լ8?6.hPZF6cE'9?F%edFJI|;J;,^ECC_t2ڰrԟŽܴijD́6Kuc8S"C&, Qo2evM{_&64qM aTdtj5wHD8Y2Z4 <X>8;҉LrS"@JbAooB{3Eńcx/dtQ|}^.iQb/Өvi#\婱&8mȜ:G#_;;€]nR7oU8v|IXGxSRPf>Z},)V!gVt| Wޡܪ OA+5bXuC?(h_‹%}2nsP~:49S }IsFcˀZg׼Um~_ZNSn˒m1ORSQqLg]) w \آ:=i|ҧ' l@Vh"3ñ'pQst5]H5fc|p5a`:rdԜJ S9C 8ʽ48x ";@@6CK{J{wOctLwп<v=( p:oEf۱%W |}g)*o?ī8o'*Jr=/;J&FҪe@aGk~E +XH2k~XV\3j}q6`›c@]6 |/-$N 6}OxA7G!_V (9xCpjs<+pnC9(H!YJy8*3diY|b:x>-?HvzkYd}>1 جIeŞyW~yeUA3j(zQ}VE"Bߗ_ ^t+rV/:9WŌ@`AH=(~xvЭ=N ލpFaժ|(cu>g"ل6Qcxcj*Il~4 6Ҕ^S[6S46kpzä\#(!ࢷf_ r%NƸ+ (j݌Ca4t9:eV$ 3C{űVeq})5p])R'CEC. +%s;"#V%P}A<3ň_"d5z]-kB'傘IP}ctw^?ӢB m21WA.Ӳp {,!.gMDhWIxKJ#KZnQ5"itܗAm{{EphJU 8bUzPB ־:)*w-^uI'1Ix"ٔc3@jqIȁ*`A$vw/.H5xX]1H-UZǜ=^.Jyuӥ7sDzi6s?Gw2O>l&P I& Jڇ-PWթ~S&14Ґ{+(.d,;;b0bٹ! P"*8P B8(y~9VY@/BgҨ::ϸ;.5=M:i$5u _S=1 ÀS-%8FG#b):2s UBP)n:3{}:zrEŦuGiyrO#!Ρ&ܤjQ4<0:{;]",V%WmP1l#K[=/(BTzf?69l.p q-%va9p崼CP+>WՏ&uʎez'yQ)##VH"oi{\>ʿ@ep?ŸM1e 1X^ 3h_ۘSmw}C㵜8)98<ى8Zu`)r <ޯ j#8rgAA]ƗZF.ZgDp|t {5.Md'',*>=VJJGL!4![dGK3LNrA<t|:#"FT$]"߳ lf-;^.zuRq+OZ^r̪jz() m6uc3w.k1I&TE%l)l_gИC5*ﰟ0Y{Wd92dmUϔd) k!QYRƿFT+9t7(.߂t!7s%Ҿ5Fk +$i}<| 7ZK`4a5.#YbS2Ӗ;\ N(G{(F+M!CP.oT* E31!(YFvH Y@I'j6QIA<Ӻ{r aIhyv@!'FJALVz,<󉍨5lj >=Zȱ1H7W~](j؄EEKH"'o:Pm`bU|z"ENhJ\0@M: ~)[6My% lƑRC( ~fO+geӂȠS"0PSf) a<#QX̤9thˣSa߰akz'8AFrPX SEZ_x蔨6L&ύj>Laş^ս*1tدTE}ۢzpN:VeL: 8Ǯm_i/V0C* d?,2mv@ qNx!U gxplOkӟraԤEajD$PniO$d[x_B@AUcSkڭܕoMiLmYbly|=Tz_J]3l 3r"6r!#:e JۻTA5 ]C| O7ߝ\ &M|D/W"<b % z꽆vN#|^%8G0#ɳeCm(P1DE#&~\-U#0>AqEj-l2rw6 ?NϹɣ7=Q,7\N?(Ѯk@#j9AӝS7V j(g5xu"\i_x#Y\nlm;!gWYyچʇKVX)+p3eU-) !Ay}&|B'G?0 aѥoNñnaݠ`Rj.T3QC&Bd&"UnjP\:<-!X||0ۙvhv>CMLX<@(V ͥTliz :X[5N (yܑO?RT|vh2dqrc!QKtJb*A-Tn3+1R3I[!mʩI`I dԷJPja'qٔǥHj鈈|DR)6It$Ik͓|9_Y &vbCL7HaAd[Fa@4IHp,!L$G07a)CjML9aHddqPEF58j,bDS +jO]^"{8['&z#* S(YQڍaáZKPXnU93[yL[ ɄlwWݶ12{EyVH}1aXЀxHy$ gJ܌ߦQMop(1>9%&B'PSTDA >W.흹LJ2 HPdC 'jb"وKqAY9pɽ8@xiv)T:K8}˾$mfîf{E~IfS Y)(-4icɧESX V!y_\h=`o1(vyMk?_ޡ4;5fqS|(H*˹@Q)24(^^jhY'$ >!s tLQFz%VzqR+"bgj&o8qe/VzpfTY3VzdB6p33 8&Cώd=9'`V{T`n!_?wF2Nq:\!#$zvܽEL%9g)g(*#[BzxPU1F%@P\]s>nfŎc|  "42G0@)]e(8J#f.tbmTMi }/$`8O~w& |`,ʱ!lLbᠥ;(Ȫ_#pϺW*s^/:cUS'Ӊ5x1cwVl*,^5#O3jsRPctPQb4*!j w{Wwe`(r(ՅB't&d= ?~OHgkF]Sy'<G$͸ۧm(=6׿?eINݱϩ5+z3(*6 ,3}2 ivP¨,-ʢX癋xT. Ngiq)pUW<`8EIުJ8YBgN;0JGb=_\,L^F⒠ʻ 8?Qܧ& $+rkϛyY3עhch|f_ַ([`3&#guW(9Z̀hU0b)'{:C~uܱ&p( kWRbYm)sq 㲰<;3rbd"z悷ƒL*HL'94g}P^*oї3ݵ=7vw );C{NQYII~;6F]D5,bٴbOoդ9꩛\8DXX{Ҫ**D|l9 :SmCe9!7nuBppfAcaGqNio c$xhq8w\ nkE_RgMOuɢ4O}jQ`TYQslHvsP,UښIv:7kIoaVM R"4фvœ.q\ !fv@.T~ъJØIy1O*Ɂ$UE`uh X >r UA:4˕Wl>a#r!ȠJ%dm=͓HukO9z5ilt|Ϳ,s ^Qʺ*"ub_'1JHy}TibdyUB+lS3Q&[+|g5iAxh6Vw|[{IsC7E-am4_*S{M |h5??Ur$=;L8k|ord_:'Xn6p*ݙc`s9'=@l$iEY*4d*P^<':4c^M@+(BHHc.Ȣ8?´3"Y_2 ?2al 8"7鉚rƓ)rMj/PT-(gzpHۣ0pŠ8L^A^~U  #Gs+J*dU|jT%dW<Nip|Sζ튌UjIY $S0(^i$=X+ l#ZtsGP q22YB}V/VpfGK}S*MeIڂ*F(sU*F5vǥN6/& ')ӄrf_]TBpk-0N>pj@&]'m+?ϛҾ~):0RH@ђ^ω8GdJ6kxHqQe |}?7SӉ tH #f4xs53 HLkceBNb(4=T#kL*#(&3o$5mr`l96YKdIoQUҲ 1}N~MBzo׽=@Q=ovL' N*ڠYU45*Ti(:V68EzgYNTmhrάR$P3X&8ɟnnj [VTL5ƩJx6]7&$D0v$, f4 R\XY{tɇBJkX1EByPRQB F? s|YOP)Uw.[k VWl͢gB}{u>ǥ@fl7ssŗgA9gѠQrǑ'GzZ05?f'u9O5&{x ℉rKrfV->6юsE0*JѲ"C"pTJhbBN""աi-ăx%ȩPAߵ(!aKKA DE* q^ PI\".RՍP_C;k_0 Å2;$eCy<=_2azWn$o+;f1w[E'iѱiDE>v~G[B]~)JZ%` ԼZl$.xWI7(h0}+fM./V1xS/"|ݏ=0|f[.K߳xZ6K(KZ9AmV?+Qԅ}lXaVEY&oLߡk[#OR&|J6LxH"ڟP6*.c?*dJL]ݛ6Y=/aض +#ȹ}pS-؂+E)Lg4WMjQ3@!c"?PDirzea)!Gϧ_C) 3?l@U61D?A,'C :Yy ܤ*<) XOs[o0TC& *ܩ"MM%~޿Hu*}NƢ/yYGsN>"Rfw=ͭҹ,<>c*b g;r)KB)s cM[#:݀޳Gd @lݔSurg9OkW;=UtfB>W?X3vAw?98ɼ7bH$<$ç'_nb^iv11mߔѢ#)'\&/ޡɂc}?sd[<s0dkJV"n5~hueWGh1hSv^gf!+M*SͿm3{80BA?Nc<8_@A>~ϒ']9oZWMd:q;ī7+ |y&^B(@+eڽl2B x9m{ lW@&σ;NHhޜ;haGʔ m{-RZyS2싋!J\B\XP,Ey+O [zW_KaDu]{ȀQd/ ph%H>!k(@)x^u"PȊaCS *D  rUDQ\}akGz n@d$T܈HB(L$U$lVV9?/c4~9B Zk1uSVJ(!@JM8*sEd{f!t&7WiRcm?V1&ҧZ%4w{j9P5Yy NX F(a3nդ=] R,;/)bgBpJ1$( r9L7=<mՍA$dT$Iv 7ݨCBNduarHv\A4; ]M&9Yn~+ @l̈́gI 4{vJ9`ukѶb3寀.ccݱ]l&pN@f 'j<բH _f 4:$^ ~7G]eecjbIPDl#įp :HAS 8$',Bdn)"Gq*CffCz(3 ɛXragWzˬRK~vSعV( KF59R{`IX(VT-WivOUD ջ⌼3g.=T]d;s^+&`Q"D= qadlyT qVDpGj W;WWaZt dk817KO!dD80SR` 1RmjьV%reϮxDtj}oXWd?geeu~Lpz993 #44:DG}E"") GmL=8S+Qْ!o/=˜O0Sj$xx.xNeƃ&Ft{5CwÿFwNu6 [fG: F%ҹ2@K1y~Nڷֲ3m. r_n )RDi͏W)2NEjڲg),AN!,aaR2o`hH-_^Y4;8U+;];J_pKy ;Ν];糅oat E]((Rf]Tlٙb)P/ 4QOYT`6!ę4trTEt$'ak5J$=_6wIwnШuɓ8!"4aiDu KtsVa5#]~Q{1 NE2#kw5o|nZ0冬{MwQLu5\:BJ.l^֚ɣO5xv]?gْm0tqQ \W[?_a4fu7gq[ـu+lx89DBuz7-CN.IU~(KKXAf[2Uxn+CZuw{=|8x&w|z8ꈆ)G<9eK_ɣze{sn|ݿ6->, OH,@p7N5}!}?Ձoa d٣g=g9[UF- o|Vs-Ш(ZD\!x#Ǝ.<7nAw22C }\E_Uzo `d!nlv L^pk2*RHzQ8AMj<$&U|/z:s6> ({@؅Nl'GYO: G=W4%X Ig8dM|!4\_vcM揭d5a^m V6[~-af4Mkr196pĬu`Z@^7ed5l\c'k>Vp#S۷9/K\lUHk1=GUf_I%A {Ű%0~/_+dQbԼF[Qhl͹M3LRObN!@=o|Yۂ<AT$f %A[fXƬj6}Kܮ]\,Zkkkj١bEԖ6FUU^xgujT^u\7h_$1\|xzSSqa,[4rC) oT:J%ɱ@FYkږ0ᵸNi(Z':q[;pԡ ܊&.-bɐ5#.u _=ږR>~–jN]hv鷝ZCvO'mPX:wfɨdu7 pR~I#.:w fJR/y8d'SbigϚU܁z<ӇJ&0/b{_"5 _MZ[!Dze(vC i'؟3l,V͝C |86<}|앿]CJOWg]My F)Pfxo3xWL*vOMw~@xGwҎM_Y{˭(+%4 1aŌMᚳѧc+S[pCmA@ gvK@{ DO_e)(g1.Y(瘕0@dƃ "kp0B9]8t38ȝgy>V8T֫?3`EC7 KTP#3}]^|ߣSdiP%Pϻ<$0RI  6b;w\2^:vI13ܸ-< o @[\(R6@JH$p:m{ d##/ ѭV: /ШX:E$``qZT*kz5T~* ޳ǀx$愱gLIH,kǸ"(!2HSH{IZ&׊ DJ$! tԚrqcxzzf nv񣺡iM0~*ȩ~>Ny;wRq}k\y.N7]:)~L , L[8@fpTh{v8o)!TwO4 /VX8ad;90ֽqTufp⃉#F ܙR`t+#S)M:C\ZaRXgOt.prmLcP=dbɬ5 QV~>댓Oy`B枎Z?*47@oj֨.'?Z{k큓EKoIqɀ?X((x7_UJҨǤP@ܽre[ Vj)bJ"ʲ zIrްj]a-IuRz+^!: kk՝S ڗn=g|y۝ٓ|RT7%13(r`z0 ^p⃛,ob+2ɝrk,G 27BQJ:$.)z"PfXLQ|鯺oJ! =dYdEHp'A5Us]nZ#*e=;G 'ZT8 L5Qsj\o2e1ü*g 'sV*e07cxME*ttnfC)hg"u,}EE9IsRsk=?E@h0ӍǢMqe;ADU{pG3aGE#>I7c{i)"k9 k{Gg) "0l~7V q Zk6La)E<^Gyܴ&<_oR`lGG촒=;By)!'?+@sh9tu4o<_+ODE@ Dsўɫeўu3^r#Ɵ[Ru>@{K9=G^oFnmdCNg$.'.O H>ϕBJ ҰB9K`:Rr?v'oQJ\sҙ9(D~ڍт`Ҕ~J( Y a4&ZI-7T_Ni_]jڒDL1U%"CС,ˠHL/9[?o1>k=DFHj 4HeϿp0K-OɄ2U/3Lçl",O^;ݔxL b@{&/_}>&X1݅#v{.o$>M`vײkW*c7yxO2O7'u)zg}UQQR>1VMV"Gm-a3lG4DUi!8)RM rjW0gNND/^6*Qag/R{6=蟁OLbR5;b 3͉gr"S$q#nWBB1ʨ @]m|sw+oQʱjXz_(GnSr"M+%4k0@fݺ *CH>Ѽf fzGG6"Rpvi[lnJ LZ6  Έ@RIV$6뛩&jjz[l,.U뼹t֭*Ro+# H߷=}4=T ݲ9zgx9!`"g]k獾mi^YObxE.!(x,*VI+Pʈ bz{:^';QQkXW` |I ٶBo7Y6~6#:=d;x{:˧{z]7`:kv4џ\e3Ts]&5ћ?v"7/x>b\M9iaĐ$ :&Tݸ|@:"Mga 殧r^ q.?O`O :AH溮Fb=ؘ 2V ɕ,~1BE#:6ݭؠ\Vc@PPEP cR^3gz熪z(c"S7{GTD:n ؚ- tzA|d{S&H R8[=];~zDғ͒8OeA:ֆn].5բB95i~K6ok6s"Rp(9~|OMf͕eAYݑ-&LS XA/5u=a~j y<ij I6x' Rzy:ɖCA`1KO񟵎Ã>u^5Ž㬞ۀUDx]Ukۦ~—Swk",O29TM6D?9U3T@ed]&/*/n)M|8/޻9v-Q6685U>!(QXH 1\W-5^3R(P`" 7֯)3-1ѭvA;5?4=R5;)(3?S) 5ҧ/V~,&I>wk"ϵ& $$ŁMsSQpK'#_5[ʫQјE@eb:6^Q<0enVf. yiiӶ/*e2ƻhU/;S:sv&L^qOwck(ѮMh NuZhKns?eگœ# !H$@;,z~MzEzĿ5mתJ#8P3n6n "(r?E N+ziP*ci˵z%J NPs4:iO;13u؁ә"5.5ZR\_^ՌUm@JE Iu8g̪<\LfW~mnuvZHo&9.",&UE5ECEQIVww mQ'Gb⤺>R7Zarnғ(ز ϸNᴮ!cy'&!&;hɊqW@ݠj-@DGu[.HiTDo:K`z&>=GPkTWQeieM_ߟ'J R10|iL>F 2 ^Ea b[))Ղ?q 7x߫u/Nrگ) lXIJ_kk % Z Q:裱n> >%i"ٝsݻ{bxP쀣p:4&IXM՞ǛTF#hsL+{oTr'J"\qry~JqR4IF53vJ%hDR%ϒbX7+q0oYL^(u!nߢ|I9ZRk&vi 'Gbmzb sA);*"QR7UmĚ0զ7-{)NW-wq706M- ):+EĂ `y&^0~%[{Zf PI'e`>'?{ә@(|oM 7fPa̬XJu.`ll\RZ29Bղe,:HԌB6C(t\ K[5!EHw߀{TWğ^Y ɋ WQQFN̒,G2~ܰWlG_"80v:k@K[;fwʇEZ+ d66|b!޺ H* ;7,*.L+liG~0`Bz~V =mqygjj*v#׭)IL Н^'5wiS퇜-9ptXI7X'&pW\U-ÍzFbU)K[0~S-HrGO&9,ԙQkQSITmXsݯFM?k?f}4 oJ&MrID.^v<@%J`ନ$THHI93fv~C+oLͶSlnw{[=`H hs(5gMI2n3 o++F`FN Ίo[2&s8Oz,/r;=Y\QGEh~IꞂ0v'%KF> 3D*RE<:Q%:ʂ M%4~]^x$WzZ@f=>zQrpl#i#җ??-'IoY%4%2왢"-j5p7§""N~g'Qd)[~'BҋQqK Єm~0.ѨPP~5O\H& ;D/.uG7hȆiؙhsT^D}(V0p4}\,o{h#Ks?.:{̘%#1cO|V IXQi"AD R@oUCz{ЭD*GL$j~prҳ֙Hy!CCkkzwα7~<.@cɱٙ @BrH"x`x3X9xoݸim.osy<{"SQ(ӤRЎPXڥwR[QƯ$b,PPHœx!>сVpFc&,W{6SK٨Ϫu p8%P*L- I% I @#:/ls}vq(DcXnEA"B><|[ `1Ur1S>.]9N[IvyN.v&mf1R)' tjA_0}L:.TnY3'<ۨO1AY&SYH"Sgpm}X@L xbj "Δ'׾Bʯ3V髊W-vW닽EgYA-`y/{E]Sws}fvd HI(|{k[5rO mQڽwۣ=t9;f+݀rѯ{+ݒϗnsׯ>|4@#F! F64M0)=2I'4OL6$O)<҇OSz5O6G$ z'HzGPi Ai؄eOSꞧ&Dz5h=Lɠ44h@4PѠ4 LHB6j=F=@h24z@d 4hzJjLI 4 4h0h h #@ L$@QmML'zS6QM=6 M4ɣdFM02dzj@  iI@M4'F!diЙaA<"6e14= CzO)yLjz@4`' zѐѣCAha4Fz~eE1=Z@,-ZE"_C[ F@ ذJI3!?&y8L| CC! `AAHm4/PV-`@m1kbTU E[ g*CL(؀2/Yߖs9bGvٍy&P,V O4YB1U"60;Ch$Js[i0(vjԥ],TXEs=qN.\O8ztMlSV8.=TyT5ikc$ c\w`Z$Tt~,솩ׅked/ 0geEVLFkl3x$/W%P}&ifEdLiZ)+4k X%Jk@1pjB`Iip"*<BC^ +!OMI<ִ"%lHmmF"e#Y3TXkS-ɲFhaE1(M,!PܾsBT-MT,w=WS!#DMZF`̌5!FK%w]SOr, \gpKQJ.T@đ+;(zSUV?5{ay^N;oCrʔQ!$L,L43qr]59aPpQsZ_! BQG}2N޵9 Lj%z2!zUsTW )m 5=NWTiqޖ"da8^1m@9(m+ ],:Fn@ŷ4&pɶM߳iښ4&u8z2-oY۞.N2BB.};ΓWnٔ$zb"TRP;GME'34L8vMrNi3s 4*"olMʹfrCfl!@(;d9#fn:N1a~9OZ`ED"q\S=z$VsOi1N{ԹPD` ] uUr]?OxeHב @ͤD]0"moaQ$H-fN_CѸm: AMFɟ 'Cw/мa<D TI K0$ ``Ýqsʵ'=Ɲ<}\wtjd +^@.ȍcʬ[2{\+h @::b9iQ  $ Hv=pE$#@P1T@-  Auo`g! HkKV20qnlI@APeA1E:@A &hB?fB""ʝ @,'r$Rrah 9G@U#}Y007 f2+ng+e LH@az)z8H04X؊M6JRedіFDV6=f؋ l,FD׆;/| @ 5ݗ[TCYyORL+L@;'Rl`sL2v4&Ďs+q*"zO~*нv' 2M{T |ICF @ЮSf/nZGCհQAiH1f31pRؑb&Xَ $۪;ծMע"M9:Ib`ÖkIkleB Ol,^fX:٩Y ܘJd4 5Sb6I:5AHY! :83 ĮuЀpS*bFO" +QUܕ:@CQ9] 9*RYL@ǿL]kyþ>d^qrg>/6G)4-YDs,Rܧ2cDSMO3 \,dG%tw^Ns ]p;LR%0gm3\RSS*l|f+LW:e/knHKՕH&SnO3I&O>7~mr!/[ڝ҅-xvM #37{e6ȑ53\B'-%"$$s`r^ ,S1eؕZ(L5X2LjW^5 iؙRs*lՊD6[n5ƕ WtڗsxK/4,$TЫ*)憜Z^*(tX"ZfMM2g(b |)!8dD÷]*zkArFpk1yM6ɮ \wkAò,Te,%)4,/BrF@[Jbؒ!uܩkZo nDE[ݣQO",;x8Q DQ ԦձI=!W7F͐Ia!t p$BWK{TYǗ(H7>+쉴<]2 2Vc}]oنLEn9]{AkN;y(-o"‹w:ᲶYS+F.;$Pe}Ti//Blk~(2[SW38ww[Z~[H]ڪ.ڗ5DpU:?t] 隝P+)DQ6?:da׶ȯ,ȉwv+&$/V5˖rǛ,ZkLF]qB q ]5:jeZs8YLӮg,Qbgt66Eju ]e )U,sUi8ֱ,zђ sle{1(*ebgC[:*[ hT-Lh3J1Q*P1-7a3ڌ4\ꦴn@|f";v;أ0GKLo#G*5K[s͡.h FD[MHI "˖NڥF0Bt&2"P4 cIfW:%H6*rWqSJ:,u dmv_~GC琁Vzgc(ж^6Y.|!͚B,)8 tՈc\z"`]=q_NVҬV5PrXbvֲ'Z[>{*͘Sv,$N즘^eW$D25x8`e"L"NieF[Erfix8Hc3:)ٌ# ܐ>zuDrS$:jss"P(^8doSյҹ*,M4 &&M*q]:\׎I&tK$&Kd_=8lsvF,J-\Ob9VS6*ҹhKfh %VlR {VH+Ev]R0n4\DO2"LIۊ\؍,W u˪uǡYk xK6[H˂2"l]^UE8W xFpogMfڜjd&,hצ˙!Ev1BR K: TQ[( L@;S>+dLPTM˦Ii1ߋo\-_+t @ ( L]E #x$c2PX^̂L]hHP1:i񖩔sɃ^3 @m6,(}? m6=vIuEfyh8q[ߑu|\%GQś)cQ$"qWʃ=L Z3|ՑclHZZΧמf2@;gJMYz$ܐ$PI 39n7plC[mD+04I ۈysg KuA-Jdž" @xXqM @n?'"?\e}i TjHzO_FZĠ(gv2"tocLMݔ@tU a3oMd`Pb_xEԆ*jY)O$%*k[[|$؉#|,JˤyhQSgk]^p`SOe5vȕuaH12Rgj&|>v/* +ع}v*,ƙKާ6w*̓N"^N]g9ɮZvufgr7{ߴ5 hP,/aK pXk^@T; ߤHiV>n=3_/xn]e72ksf8 JP7Hk]izCwRĒ-;•a .u$&!Y`ˆ0DZ_FOs߶ZjL6юUʐ-YVWdn8@{p! #R PP>*(GŽP9U@UN ÔN8N`11 h¼SFÜNW&q*?29:t%:${kH(wQ{ D }y{^"3ݸ`ϸQC}:C^J-k:>ڡڒm[a\ۯ^;d$(ICߝnծz78kL 6'kv[e5eZ'~{S^ E|zLnQՈ ~`F.\hl8ʪ,D|׀ʤshZZFwCi"f rːqr1C|^s7Sdzۧŝ/z`k9@ Nf ŋu{Wnu:t;}+PE`6?I7-̤O )uP(̔]r hh]W3nJO+JMė;sOtm&P+q1pfvDU+e=fӷ3y:۸ݺ4&B҅zb@WPZmxY]R B)&aϰwh+՘hpZ]܂O.kIiFڮѶC 򠢠%6\iߎZԶern$]EUu}+ {xsriLa(!c2\DQM $@\2tĕh'Jh;%]XVB&#;%9 d+}„Zh`31C󷎊O N06Zkcı_4 [lbn)2_G}. glgfkM1W-Dg~H[Fod^ԪeփA1W︹1ét4eђ,BO@\eǿ\qWӰ^ ,X^ˁv.̆EpE4c5$?._AC>0k~2uyzm19H|)2%X t˳?tN0TMI8%;fd q\#1Eʂ 7AUx՜4 X`DfLq0FC)8 [gN{Zn@--]=zU$K3ϫ'VKQ[n"68BC#b;G743~*iDq3>=Z_ǁjOG|@N Dtr"z$'BJN{貍zD/DLnoJCou+859w#p_4`R_~NUJ,XÀ|51 C̅4Wkk[ȘPMGSzQjU\!ԯ`:Sd.=w‡Ph TI]%R]RA$jQ8 4c?Ă%F tͽ'38!P_.Q"R9re'[0gn? [\Tܶ |te8z ,5gitj6Xcp+e=XF*K=u񅒺(]؃Qx{Kl#OAAer~Fk@2ax9M Xzb~h2Q{lڑ&q}g_8_W Z_b,G,n>|}4B2k7da+s{ײ}VK7!3!" +"m1VT[ԅÑ%D]]&|>3M;haYz2'UfvoEo]QNko^ަ,96'{O;EZW_{g,؁TA*h`aC+%*)WYStI쿋Ug܃nlv{u)(r}p]G_9 cNm-iNv >]4+ɔҠ,gblp󳷫7u|jy KRTw+bY cmږ)<@((a흷!+JɦC{G#+ oǷ+boZh!$wx{"/>ܑ_%(/me' [/ gBKz\>=s{v ^3^QTb(h瘘 մCN@7NKJk=[(E\/$s2T`~.;F" nw-N40 $d,}`$+\sN&.ZӐŻa obt,ͱ/ӂFݪ֎@~J4{Ǫ 0B8pދN :Iw7~璯̟r;΂ݵ;K&C,uAMCU)nn2p:NWMW0}54XVk(剤v) =()4E$qȏ ;g8$]hUg= 93~LTL88_w?Z\IKK!Q4J~3HE\IƇn! !đ] -007wk'xͲFoHvH;Mnq6K$b5 Gd[ ÍLx`G΄ |^9 tpLaev2mZZ%\GyֻB;Ar^ k)mY^{׾sw] qd-v&J^(JLOS޵"GɰzT2~O<Ǹ;I8L8/!eEZ_Sg!~`c|'څn%5GKqf1QFņK( [0+-PJ:;/7u;zB;? _4NYnBBZ/-AomFl6ޞP暉a~z()y"So-=uAA$e!޶d/`d e"@9"P,ͮ|#%F vg* |īY_hʰ>Tws:X܃Zww@ԵfÙ&zF!) viDཏ  Ҽ[&jt lHD, u B,d *cDa&A#Pߕe$ccW@AbYҧcsq`_3v;yۑ78>~pKd%~G7&?;W}PXA ؘݦuƑaZ*0^2ǍjأPƒ$3%t9qZ-XgP7!+5Tl?%di*`gieNHo^_*/Z Vc#d\9 *Z aXЭa;G X8BGZDAqi ̳^e;ԑP1ܹBƋJÁ[M4Aj(echE` 01V,0^ }}͢;ᔄEiņ9)HD#7pYu'URSA<9 =(Q Vd8(S(}3a@!%Y/д вmI[m() 1^(:>}PGTv'+偝|L= (x2oQZ݂WH/X#ymNFqi}0Ul!637k29ت 3 /"Q0Ʉ3%gݎ<( 5\1kg G%s+.O<~E+޵M*3-K#(G4FK{qI(aidQ7'i 8g4UI)\?Y5HKަ$48*%݃&\佢dcmv67^/Dr1I}܆t f" LCl$ l{*LU,/=1S<*DvZ\5&ʹ=+NZ pGr3fЙh$/2#mˡKW'KީA}qNyB`k/􉞡 Wj{~gm_*WQ'rnTG.4?m] aHpgFwt31:oXjA'C\*$ˆ~*v2dEޱ9kP0>,o̫}7uȰ+W cF("d&0h@~3R "h@Pj _|&EBN:0YB5<)KM'Zzя;_x,ݱn9T?ϗuhL`{}JdYث^_ͺ~Br,z4feO m0'#ǫ3Ѐx(N<(e\hXVx w&𢓏!-_Tt> f[t~ !X)h%(h2l҆l񴦺'|&\x_6[N2aGL쩮¸b\%roU;>MR/rg. ?8q,+ *Fٳ~Y.en/9uH  2;7<4c4?3'V1o iu?"#>A_^7A+{qҥæ5Y|]zޑ4LUTQd )ߛE蚆_SZK ^SS͂/]7oSq+8YJXۣy`#, օ %)ڈ(Ejg=<JްTٖא1.A-;o厫v_nzۏ%ڽrjxcJ>8ȗn$EAi1vzSEǯJ`JTPBACLR`sDV!*,xN⋭'zG׹W^PC.^2PYYKǒFcv>C_ i%*\nmf1B p(/;iHz,vBC降f`&<>ʈ-9j>-o2!m#ƣ,qH.4 Y%?"N%M 젇Kvm5gZi)?"q~++}b΁1;Bƒ._WYrR;ֶԐ G/dW8>C]M>t&uT!G2Ađ{Ecƒ>D]kNY ~*qkȱR+w|.68t!X)y(k#"g.CDIkT'H%qywabb^sg:AHbbcqMɆz}Ji8Ke!,d⯅Z *uUE8MWVb3M^=i4K,AΙ}Y˿u G,ʱMj@ '@-ªpF+k!µ7R緄8f#sJ+3swuz@/Νxw td{MZr{,B1CI >T•wFp~|>91jV_۵"֒FÑyp\QK>*s? ɧKr{';ŗ5}2Ю1)0w&Yn/Y0BXCu` +ygN5Sc]2Sdj5JuYPj{aO=Iaax;l *ZeC^P ٸlDJHi h=6~! Ј:Ve%eoƋijkѵOm)wE6v99NHv}/M5/!@;<:I1V8|5‘DсW+-]b0 W˩Y{Vn!X-q}8+ I{)EFjQ9]CL\x{R]egwsYUfk;؉]C J#,aZP]ٳ ϡq?5{oDC`W.ڟlhu ZX V!XjnpRp4ruz2J09r-Wś>zWvVֲ:ohK0%qwG(7MF١E9tI56D  7${st?Y@X3jifRi RK^:[cBk[vHjKV_c⎥[ɭ?FdѐyN'qy^j0-ׇW};*гr>h`ek P@ ;0c _a2 hVc$JG'(,~8(ڍOI:}ہK'~=L7ͺ)njY|G;/(kF,ڢ G.Hmmɠtb"76G(]2rYj- T3@u;C zo(DNK le^ !ី1dph Ͼ*ɉ(ܳ͟NS2t*v䙟ZBn@7^?I?t9D* d_!oQ~kLlKSau~O;mCi&Aۃ$tvy=d]3$,H- <@m*@qrػygk5v˰in5nML=F IWWUŰzr#=DS. Pbp^z/q9aPCKD|CHyQi^ܒpNF5_w`@(6spU=G+g x'()p=.})hbζYeei CuZml"t|oQ1y{z^eɈuF[J͸GP?KҐ;{$X֌oɼ;rD6 É^ZL1x0%cH8'y!BKދW@#_:<Dv%:E% #-qjdǹֲ08x?Th.EP6-^է[#!=Oa+DXslηua`'f-81C;`,7$"tK%62<1]dp \D?$c9#K@f 5-ifYV_IMf]9`x-n. ډK<pUOh\Vb#nO*y*}Zoc:btj0}& 0胚`\##'*O3#X/e:R:u+H#_ˌ;3 Dyh~c7 UڍbF;y *ސJbZs 'Z0_Pi_a\0L!t}Le{  S6. uoZ59u DH% 5.ek2ӡF/EF 4S ˌQ /MTq_ĺag/u59LwO13~F{AmAƌ3#VtsA - jZ܆0W әV=/}pWz>=!꒎'-j'97~A+ֽZ.7ܘ:P0k >앒y;lVps救kR7jfn>na9]܆HM(i,\$U#Tez1Wl&N#KbgTP\([H z|L"Tٻ +c-Q )Խ.؈msd칅>JH)#P_or!x뗜2n  @Ge ν <%{GuĩcDZ* H^%>PI<ϣ%S'N\]//c#_4Idn bj/W^|P*or2HΧtMW-ap疁 ̽ / sZ'8DIaKq[n/l6˛,H'J # B9ڢCMY= ]aeM9zR><4r~_7.n,E$k*q .@?M dF9s܏:Cvu3QT~Yƻi K]/3h=y4h2 tǭ [ M7p1}e>(X]{464 {6-?\GCcYt vTZ֮fa֔-h;?7Sx3<.%]!rO>|cv[Su Δ} `?:[/(@X^wq{]mwI \=N߿f|HskHAQEԋ Bl1h#IVDiz\8)S';fN9/O G˖h~ 4 (7QnJJN&3u0t EӵQ,"3rf\j{4 6g+ۘhqY0AVEKb6V1%]@0,f ZB ZONR퐛m0҂Yy bbМb*]#*ʺ?<-7sx0&}`7<9q.U3.Y?SXJW'Q5woHY z>{4&ofh#ҳeCצM"vecT[cv|4A,`1hw0ˀ9c.ET KJo%@NǰB˾:@njD~uz2 eqg =iMi2a wNVZ2,PӰS~bz=eQξS @q>b,F.]Qj%JfӉ}/Ե@8n ﷓KPMp Aܸ}f?-mi "fW<+:8Y䛑-:UH陷GŏzND횘z Fae篝.NbxԬr Բ-ʃ QaT81 8t #:r*ZV[k2QIH 4P3z4E&u De &`񺢹 ^: =U)J"a=ΧrnbEI iP'PWl[ S患_2ܷӱul@EҷjWC}udk)~abG#.|O߿V%֮$N?k "7d{ycƪ"x94N?!C:mQe_"WƲM0ܭfb[N׎!@Vlч{'2m(4 Y{vbf0dVۚ.H/&5 F:0$3njnD, ~xO^$+asH`.8 ''I3^"$Re%jyӫ̐*4 9x@0¹3V#mLQs-F6@ܼo%}Ct]NŊT#L|naܷ g^4X!!`~uq}I]ٽe\WgF♴-y3Ă]t;uq bO=.L %&id@|g/a RW~7,P>p*,u:bi/@#8ȾgBA ,DDD"m!W!vi?;쎭{YѭfY7z6[5໯?Q'EPfԕJV|̳(@* qww=hMȒ[#7Ѡyw4 *2 4c1R--3su4P@@Ia8Y&[ ň$ZOkN6pr!uِA*@ksex#)x>7\chEpmU=Y[FI7[ChJZ:[.=0s}DMXۤeAUslߒxkHiB!^Z)\6 V_"eQ81,\Z$\̋rG,tԬM͒~[R.?_ i^.~]F^ɞE_J#Ԧ87# Pms Vwm::;!"Tg2 GX )]_dtUq^#<aZ_C/:1 \_&p-xDAnG:e{Y30;t* cP#yhd"^<4)p`V8:4kzC @M]f^$/.)ilJ,1BlBDFztMiL!4ԕa[Z< yj/ZXŢ @zpsA!T$3VG fmnk4 |ZwO6,hJ&|qI(]O/)zI3^u4.>nͩO0]d> Gv}v$ p#9=QNdͅ\8pzQHg Qdk6f^F@$M F ( SHKӂ/3;n(&gza8;SۂUN`)c 볿iY%|@"C!Ρ,~GnmX+z;enf#jȜ`duJWtbL8~Q;!#bwhR|nl8V/l5Jqe/L=Y{S*|gc9xN-`'b r"œG:JF{mQډU]ZP_w:&aB%\_ˬy={e# I%R~hf{Ԋܚ-bdޞCM{עTTPSo9ȸ$2M$-lCd 0h>s`){xsn5Rf!1e$3hh-y,ӾV 5Bt+XIeS|t4l]iB%6qc%}"dP,:)0Րٞ*Ow1ݳ|&Q4,j!]uٍNq}.ƄЂtYڇ굎sR/ZSW)i[cEW|œ;sܾ}Ag0e !}Yf#lS s^x[["-Y1`le>s0O_SFf3 pʥw?5dd-NXoShgx<#^KP R>fYVGΓśLIn Q\(n(p iG1^LW8>Ybyc(Uj P:{'?N},, pfQыShhcrP{Ǽ} z[5n^Z_sVεCcFQAk?i/p7}9gKbyz'S>l4Ջ%̓k.I79v:J-#q`4D8f<6Y_z:ˀz!:e^ɖu{_sK`MZ.$BX 1ok!X\mK)q} LU(]gMlUQW80EP;M{a}]#(&3Rc7Llu xA]dcp(Dzy;kkOA,?&[^F ^k9wM~r/cH*\/[<'Q!fuz|̬&^Kql~XjGRq.gXHm7e S@yq8A߻=vsfSS6oVJ4)}%F`<ӟ(h+3I@Nr-5&qKP=n FمiR8pC*YSO qGf`Ly1Q^?WNL)bFL ORFLqefV [_(G. as3,M(K%\}보!QVS{\Ҭ;FZgc."@H va*)IN,.xXސ*NtZ}.NU(,{p1WBб*1?qXXE*y-mO^]X|?'y2'_xtsN`H5"mp}_x|/"u}|~3 G/b8:|(^ZkuZ8}MTt19H.[ӆ݆fco[C)\Eeuݛ>N(Dh>t`&20'a{T?Aqgdֲ#]{,.\5S=svy@3!+hߢKa58ޚVr!PuX̴UjX{-,߇ɀ0+U6G?|;s9z 1+2vZ?TC .)/Dό~5DC!ؠ1Y0:^Pb)9gU«hFYOl  C*J٥]KX w jiœ&N{7Dk0p8\cZuiLp <ςV^zg\!g>Xa !E,VV8TZ `jyiI$?Dx+U¾fm, %ZՕq_t&J9.hS,S]j6߷`ZT`liإU6E씲@b-}D!9Iv3B(/$ơ]rz3N+lh .ޏfVa# 7p5rSn4]v dcM"s쵎[`êΙxӹ! P3a#);LK*"򭒶'Lu~׵u6OGo7$""nTiݷ @ޯB ?`/AdJd%2|%5oQ$wZ:Ɋf܄P/"Br1 w% R$gl8~ fj;?c9^u; }F#CGW "FF nfR:YwvT+/h4B;aRsIFz뀩ǐGjMűWYӀlS*Ͱlpe#}mED oXzRlQTi.{$=N3Yj|k$==MFZVO椲Ά2f\mAl˲U')W&|}>6_֍D!1q>!F3M/ `M yɟNS7XV mK!d#Z<c\(+fgBck);!=N8*`sjCK;,r^fT ކ3WvP_CO?7|!ֱemp2E2΂ KZ,UH {(+A.i3AQ}B_:m{ F`SgM^j?lA;EvL5 >$+1C abb~+PKr*wϨ9mӎ0: dXɝW+zLM9a5Y?)[]jcYbzo"2C g5|c͌kV!z1%jE.:H] e& (qb0ّB§Loi!ߦE[L$%%C^Ld&χNBF#a2*')@#у$[_Zlqmaݥ7 v=$E/MU!Wc5=|TtrljGsUd@rض|DqT&VʹJe$d-UTooMRBGw\Wg3Xy+O79WaNsjV#;Ii~5yB)qBPq[<_p3w[= o]4~%M~cX{eK(T†Tƒr4tli4+iЫEGt/=#%v]hy_ޒ^|AK%J2N 0B?JقjK=չwaJmGL? 犬#|ӡ3?qH/f9bq_> E%MAX,Lehk5&tʉIIn4,?":mٓ^!JN'۶q_҂?,D%fjCqV=x/y רXz6,dJ憼VjWF$>&]p֩+%.k~gNv˳6"z8'1o@m4ʾ3Vw. R[uEOkإ^MY&)0sjrP<^2PLB<%O=4LȎ`g< )H),͝iHWXkwL\9? tRoQsNy2~ yRd֖,> B׸$SRvpFk舊芍Q^e-+_ _R9RXZO/ǷKިqژ~ $#'!_cS_Py4uoՉ"n)d0myo|ȿ7.z@eduK5(MMyClN_nKk^>~]>ee;׎sXҟO ޏk;|BGA=sJ)Ut6y~>}d G L{Ci($B|='vMv ~$Ѿ Y '&Ӳ3<;gf;ꕳe姦KB 6& :^I~B)}jDq2:~v:`&Srћg縄booJ-6*,d?aUGe2a\P^CӵEΞs{L4~X.f8<|ފZc#DhS8v7~(CX/E*a2GHfo7[$RX= ά}*Ȯ SV!febu9~g[ʄ}r# b] 蓜W`'GAgD10I7 IO[ nktpp ^(Iɵ}9%R)܆@} 7KgE!^(~F0XN~?u`)iwi[\5+$^됪&.+]tb\OP[FXLP$کt_VK1bLX-&umhp|*zGY>}bndz$Yvӄ\L}̉Ly %'W߼jWs.2و)%?ҹڰA;V A`bq-Ya;h64 9Z K.ފ Sp쾏gV.}s uECnK$?7' vy䘣z&Brj04]ٮ  "*;v@&홏8{qXkt%fu?p d2BX (O4 G R:kFu*iz3 }4-Ld俇 N$qY=ZE 厍 j*2XؤIogqꅉF$c *_<~A 'YlۢDyPޑzN됶̏M9{L6vQ-Wm}5óhn>fC G8}SNVy+5JI ;7&Oy].lnWQUtj0(lì56tAEtUyV6ϳO6yp|#Ϲ&αtbϥ|-7D7]E._w\3V3qb,Ԁ(sBY,㣋Rڥ|)/U ݠmbZk*ύBx5=U5SdGYhSz7wRi#s,N –L I47 2u;|Wֵ܉=>sJL u`oFu:Az00n'fuԃ.G-,E4e`\8Q+ڲrytDX޳K+,sæfz}{AT5%7]da,C"P,fv<>"-+.޾7sC";}k= :JQX>¥` M ~c#!qDXo*D dW9w+Qa8aHKud xY|g@Cp]*XQ2!aRbڊWJ?o$3c*'kHXdʚh9BUklVӾ ۙ?:B 1p+ 3c/V݊ʳ-ܻ:jF-Ti u7?\\Vvntt&5! &Y:4g ;M4QA)Oz5.{ Nf.:]2xu; vZ<BR6Pގ0!eK㇨&W{О~0:x-Sa65Df$Q*U7]W8UU(nYk CTS' kXc Q2TTB⋜|#] h M٤sl~* g?&FV4`33R1<Oδ4'9Y{OlVoY$v=KBUo^MVl*cIqqgn(`lQ?FIJ`9-:i(O]@%L2ΌDa6:t=kkN47[LƮ4Gmf<1;7g"n<|~atk[_⒋~a/ޙ5= #C bnG LJ!H} K˯E9FVn ;xl-Gjm+ἄ@jLspu 嶈-Z4+FxTRCӄ-(d/òx|UF rv ds-d.(&R41fq@cTbVT:'I<꤫!tޓ3盶sEf)ep+~pϮTl2K<|VCK,鐸xu3r;i`ƮBQ{e,w[U3m+#>NO n6ǁVv|[Tt}bwM') |` b ؕicnI܁Ik/}u)>BTC{a\NNKg0\!겤CMds} q%5:GukwnR6Ŝu/^2$N6 ]P\ܨɩzi iU[j'mݻu,aʆ:I{T-_{zT30|hmNxBS*r*.[|CJ'N9HiNX5MiWvTɯm=i/ݽZ 8CI-HY.k\bՠE S9r5|tj_\\9*Vyu>2c6(TMRO7=*&FkCaJ^Y[|K5ȏbXv aX;<(iypi<+VEd&-fE0qg5ScV-1]N zq l3#`?eH֤Ha0uq^YPҮ ݪFN-"ԮAu[E|ɱP YH! :XE3v$s[ibB#7C g!}*p-]@ێh֢s/bb(}ǡ'ꮎta.Xja駧,VÖ1 ~-9WIk7SHԀ*)+MqDE&?OHIXduP^%%UT_.yR]ʳ#UJYŷ34 ^ S؃fJ8]˥!!9sÁ*ԇ DQuE=k ĬIȌW0rrL&" L (Hj+)k(WUHGݑ4!a%SqVvty'&;b*0D*E(-/su.Uw~\xBnm4` Oڗ`C^|Ƨ.8[er(52o7rPH+Sw`ې?/7LqEa|cӬt r'bG+9-VS'䉊9UqhPώY7B]4pת: !όMKhXx5[4,SwYRTk&H7X?v/,Oc7n5 W$5xQeIљ9]d 2.b4/ׂ suU,WRk&pyVהQg#YGLw5TvvNq1]r,Tx+`ˋX&[ᅓ8hx|Z9B+at?W;o3e3N+HqPW#nJ~pvm imE&`7TMM1J^N@N\浡m:UYlGGCd*kcbc ݙ>sbʀ=P!rFQR/#rjKeESm>H=ɫG^sgu胭j X,)~%Q;P,F.Li]M]cckTUelh(lE{&Wȕ"}>;s5S.]zVHeP[L(bX85E_GM/.fr>ʎ0bz"B u6P)0궆ވdC^옶s۸Ht`8?(7mJܽ6*X< k,sbGU$r1K7jZ|_"w sDa1:&rJbf;FV;ȄۅO3ipkUn)Әfq4@vYԄ4/):G'I -ރ6l,^DP^΂,RЧkEKZZe?8ߑXx t3g+ KG0үč[ JV],G=XǍz czطQeX3LͿeW 4Pg=K}8u³lssirhy)"~O;Mh]?@[jss܂كM?>cKإ'x-G`WwM"0uڿ`Z{FKoTj송Ԍ1>"0pvU)]xs ns)<һ9b<Qe}8$p%%pFd|Zڞ.jAzãJPJ #"}HlBw:,[z~U6OڪZ5b8`[FS Dr_i΢uQ^F.Vr}RzJ&u)w)BKySs PMQ'K|`P)ط$7GI rwOԝ/5M眭G D)[:b8E*D- 22k :)\{oHP$K fY.s:T 6δhsf.B  *#ˆ'%cwT醏Hゟ|Ct`'iT-UcN{UfN' 3( ljuco)Yʥ~΢gtBjh`r;Yp hGl KupdnIGe+u>c G3Aǂ~qiB y&$֫)%Eֈh#Yh ,k~Ml+|ot*Nh(kj7^.vld[ *R9 R@#)XoNVy^:v<L]tzgc5n~ O%P\ s|oyrT d\J PfSp%(yJVD'ɺ<bҩ'jXxbYrUGi<1jT=C_Z +{H໔> e D1> /NhxՄmKQF(eu#]@82'"[ }`w4oieq!Sv6 aC7'VU@b$ ~;CS15O\fr"ܸ)U5)@ND:_]2xLکv-ђ%aJO/},?8ɡ5a-r=C?n^zYMn4=@o0(F5Q)"E:1 SG f̅r~ɐyfw5wPthuTr;]J-'ye9 _~<fk4WtTm>N !%/r0QZS.{T1(q*j9dEAtan3co0d7v1b%`NYrzLx~8E =dD4֌51VOu2Z+[e֘1B ȔB ՕP>n3◘dRI\S>>pg˓|EG*uAKU ˦s$ u R¾ R; 8<DC) 9[Re)v M3iMЏ="| WdCP(&ȻFEػ)Ks.}?N;brxs)iXʮi=.34!; _y2RPb[BI R+ݶRIJռb>64SC CД ΐ7z軏p9M X& .d󽝪ZC9e _VWT"bk_KU(wquhr,ŹŒ!%hrE38Dh`YƦR4,^cR8me+{}θn$ޭ&^pkHB'"4cYGbύ Phs'QyVܶ&pZ|p%u`dȕeR|$@2$ w]]*svKlY^ЇK}1 0vyaGmcyҕGJc0G*Bb!IwįjdhSaP|[v H]P2T)<-fhǬpX#Ҏ׼sW[DwtݢQ4W]}eGcVqћ#f1Q:sAB>E{$iڢʻ:4JblV]z?U;_~u^rk=ӱ+{y/ތ|+^+#~ vEb* 7_/2樤 1pF=o7'})&plр4U R+>׊K۹!j-dqu{kcvB"9Jzj,P Y},nT>BVjA pAM%M"~5(R*Co*?ED֬lOnUxxHUƤ1&Q|0>a4@h_ yG`@7@(zyvd R;DkѲz𣒋p[5S[Ǵ[KUO Kx׬4BYY7Uu9ouZ P7B6^r::]=(lB$O-q@,~*$P9ΞAl_ybY{J>x| tQJr5&D#iavROȕܕdZ4"Q/RO#n>Ʊ%@FkMȭJhnG2K4{gf4O s ΰ.ہ؝S0JtI&BIZUjoGxz4%/ҩ*ֺfv_lyjzl X;D9")E 0q"ј+ V8,c3vZOl|b~T7Ap*S"90dX^6==x$rq3mOۊx.eZ⏣Bc# 7(0s~ƞ2R)֩x;À(^9קkF=Ƒ! ;rI#_P# wVE&$/h45|=ꏧ `R =W7[{6e 1L6Uwbah["0؍3 Ne/p=ueRJTGrOYZTwŶ0ZjlyiMY*"-cBkK巓2mȟAwTYSVN=(,s2ҭ&O5l.FIC !mZwhnbS+'شJ##0 HևR.)q9<$O \:Z_so A\f7"/)TA |Uˉϙ(. Qs@C yݠ|QppO8u\YV *I)(T~q\54-92lN)NW)]Yq{jꚷn=n77Jw8>t w|-Pl ,ׅ^`ZdQc@lThdЋ0dDo1}X}d0|!|%.cGn0Ky$ٟTC{0F:m?c3D4Y1s1C:cRV k7PrOA"͋RT2~EUɋ~L+<&W D*]S@C@ݪ):eЭL}=_DF+d{ ,Ac>t2~~=ݭ"C6[ˡ9HR߮_9Ʃ w?<<՛2w5WO3¨w/K?/eƿ l Y1X(BKUKu6.Jf,t:t8 ƪ_vQlH32 7F}[/mA|5[ʔ%yƨpX*ʀ _o%JiyփBf 3w(7Q\p)XOǒ*bD$BFu^*q/2~ U=T'M q/:zbBD`5WF_bUAՑڅc:dPh $S !-6KK$!bc% 6DnW~Vb5˲LQz_ 竦z@.6xEyHZ9&RW!6kaJXJ 2!n̋mXjcZq" Ċs"Wq!Z$ "+׋$|olpy[` ROHvn7O, !V#b+bjsؘ&rJ+jctݿqJ)q ґ$i{<9.Fe()7|&2)#;!_ E2Jla$-Lu 4ZַkvpwK+fȶ,ϯgo֋h$CS0WA3u{Ͻcȯ^TA U=ѓN5kt5\jObV+nɷN2n\ƍ{ۑY0Qm2 d TzHTOM!I=KrnZKS?!ywD.:,J\4. aBo,H[k"mjñ 2+0ofkU(_/ Blc>hꂋk@n)=3alt6 $8ZU]2[u}H0v-v1[_zHC"[ [0[q d{FUƥS w'6/BlDLU,lˉ+3q%ߵrݒ؍ݍ2K'8&@-b5>0c㬎O%r \*;ST:Y@ r9zIik7bX¹:Xqqs, {.VNݸ8  pm ZeUqcjqru0V>> `Kt1oPyU ,b~oI>g/:HƠK0)!f~-d)Ja@+լe/}*wE~ssߞnf)6 n/8ct?mh` }~#:oիeE- ,AQ0Ŷ&p!H:4#;3͕=(YK~ef(OgN~=Xf!5D&dܓ^Z5o%9\Qg%];^1JLPDQ[.jvzSɧş~hY$Jw ՂJsbΩM ԬdmqU6~I'vl䨻64fPйRE ?:t$SDA+hk*51f0R{Z,T6'u.(J,ؘP*f+$|泧ˁןJ@}gp+MG9dNE!m#sےP)^Z^v1Lَ!=KD/zz~A':KH 栭Y@5Ox~ 3"Qi ~!Y@pQz OXe-G[*E\aF`d/w|bL;Nښ"_}  3tUV1K J:Vd LC[랟~MUg=N3" 7l;bR}TcC`UDF!~+]ex͹f!ZI޽8;Aȗ_0xW) 8weFM"P>ZAYՌ i/ќLRC Lc7Yyb_3ŕ(HD-#( 98S2dɔEz.axHSBvKE2n?|T{&tcU,MxvLfa^އ%V7޳.r\}a|$YQ-Uzo?1=eЃI3F}$Ub 21o)O$':5Pni6|9B36 U g9 L40ٟ||)&^T4r 1q v*1͇xZHĭ E]a7{%sD幓-J <|iqI&1U Hgi7oIX{藪 IN yYa_GzeQ'ZUV):"KrS-m*[#YRoDgZf{e9MG}H.3muռz[d0,jgS{mB{8z}{EtmrP9s D2!@|B6qOmeCpѺ*.9 87QJzX=aA*';7&_)e }]o?V)JhRSlj6~u#j9t>qzod=/gjvT %!1HӍmQ͝<9b퓎!@ͩ&4޽Ұ8,K>C dr|2TIA jUeiye ;ď(xlBMڏ9f z::;g%C99n u P!qYnd+o5ƓRX,]Ơ}GI\N}">UX5GIVR޶k3}:ؚaap{vU4K_AlKZpAƞ'e sPf'gFE~]MZJ-CtF̊^kK7p%L5s(l<8M{j2lcr~JzAe}܍4mvqC*o%jLI޸y4,vqpyZ +qҎ ΃P՗,{Mř7 jN# lDvGn);F0'׮Eg H.VȧVY9TžȠ5 bQq-p^#8wdԕM]ˎpDo0>1J]3 "ӹ+/Q<}jU)Lb{;Z`6YKM ~;Aqݷ/|d% ⽨w{+XL~/?.,wAj".# w"}Y4_=ʮ\B#7ԈOq$/2dd4<{lXBD-фm{zm+ R&lrz0)†*̀hn@ȦYE8}gcl&_w  /s_-F `>I$&%_!X t `T6`;kT^nAs?޽85ZX,[T7 xo6-UsBcQ5ּL(CD}q-!>ɖ4 0e!Y9Ă0-~"Lc-"X2;?Y0 dG/-j0֞%=Z!w ctL/{)v - }qOi{p{OsA&/3ƋjLNዝPn}kٝHWv2_MUvM}qI&aF$>{Oim=K /36!HAg\ݪ=*i ]`u UwI%~)\O?Y} i2^) af` (aB9u-{tXx0?Z+։k62]|AshkNiӽG>e,ǿOgN5t2LqycgnI@> P#á_+plKo`fsxCfsTMl.. 8ԳqVIӖnu6BrAq]6/ p<[sgx+@^vw _KA| עײx5|6eT"31J4pQPIU㪽Njx$)%|zᖠ@$UxLFOV" '>;*7<Ho<)TH+Dh=e,'^m$VkyUK.; SyNrQ[(`}9/NnT~f+J%ywrmP98004{+-( cM p {x#! 8.qB"F1ׄFoe{Ic ~!ssaQi%^OΗ3>!0l=bn4o\..71J *9>ǯ:y2$WYxCy ȋ]p}jJFu`m`/f(*n|ڀi+ϲoA˵8}VxZ2{)ܬq6?lvg cO8ldMVvŜxP'?lHtu7ʝ'gzR6< Aj˿ .c1#7د-Gilz1d{|e@.Y_ƫirRʺ5X 4*|dInW,40WΔ./;hTWOߔ{i vYC=Z`ȄE0Qj]VRP>xz R+JNt @Di( xP<'3֭-;g[`5(¶( y>u!z-0%ZZ9}G[64E%=!i|HFK϶q.#eE\N bͽG\n[\X:o/8X‰ _z'nwj9*&Hnӊ737V6 a-!#؋8_|"ڑ'jt1Rl ֙*$G\&-^h;iB?)cRJ B_nVz:5A?3NJk\"xɊrML8//L}TN zi;9;G˦wI9_\A:[;r8%9p!L/P\ڈ$r[7^pR#qwnOo&m93Sǐ[$ ʅFs!qT2u?jC&!4=;lSMWv )_'Gv]֬JcZ \j NZ6\G80c3cdG^n)6RPL-Zj'zwr%EѦɜ9(,³QDz[8o&x8+-"5j9IԌ 0@f:X'!𵯧.CnF!OT6^ǸJ>aݟŪ{HB ޤYvut]Ekfwg2l JK;;\9!lxYH1AΠetdjP6Vzug"QJ};~Vu uF H5 G&o/>l{)8ZWXK689ߒR #jxX( [4Py]Hl%V= ;Ȧy  C0PpDm?zctq`GE/QO}{UD:bYn;~a0X,9j g*z-6Ad$Y&"6=gh@kKSflo^^'cdͣ(Zw.wzGA+}So}틚urZmF7dnCKgV[& STi5wG+dh:9WG!ou pr4 N=or.ъhN? xoLwy&ytϥZ[2zr Hj/ 0 Kii\RI@~]^6MfN0-('odd]/13)[Eɔ, Z4-ՋI Y ZPԜ- VFOTk"ځ-z덝1K2%C3澨/)ˠ|WZqjj⬮X%Ԛ> 7QTuAc5&nb R iũ~f%X55g*5JӋ珝|x(j>bԢ5~C;'WY>s WQTopo\xQH6YF L"0MJ[(#q`yO;7XpS+B68)Tn(_ώj6' ++Kl&B<2Z뵹2&NrYv3i{,23=縝E "f^9Y۬dD|5TU#q_?/ o|MցYlaOM3i>ep[)ϰ 1\KS lUx~«mYHF EUen4*N]UKZD͌a (Og&(/.q(j-GUVu G% *N渏O7ܑv6Ԇ0v[Ee@"=X& Hd _{9y)02԰)jm`Biw Oj)mW i7 :B=GX82&w}JANJ%*doQ(PߕR}ܘIpEٞ=_/^Y\YXv3`bp4D1^p _SKn914±rX{6Je_v={q@Hzm y< Tnҭ"]yKKM/ᴘ(Jn*tʢ?LR"k'+%xzooT 8'8SlflX?Ϝgʡ [c>̮ Oq%,z#^: ϥD`GbOZlFyXs1ROmd,J9#7qRz6?ο^G86*R[ Oo1XaĎ}ӧ\v/ 63p/jݯj]-dj9.v;ԡB\gA\^LrfBLFuNAV 31kc&~݌srI6x j[q) |zD$|SCK}$gwp%JQn2gP굝iǣgF,(ь}ЇMz^,W_ m=:\ՅzOl"BVH(t4I<mGWC.n[::[Os0k#!Z^ o6X\u]XS0%4=f9CawI|w)ӯ,bCe8dz z.? #)C8AzNWZ+ 0Dv[fj0379(0쌣لV`I9FCClX FWE.iOg]UqA_p˕D| "O<5Yl")߉ZV5> %n '@ ]Nx=GlJ{\\g !ylb4橻ޕ&}"_S^[am p=y&xy@ͺB7ٝ(1ɦ X { o{̭E;+gê)kwĻjIF3a+ib./096yF.ߗ aR'oFV,]!e0] B !r`]{z[T L\t&sm\A1>G_tyW(`; P+d6jn 6tPspsg Yo2qڧt5W) Bos~.xȶkn=U {0+eO9*:<ո3ҼL#^_6X_Eol{N@^\ B|3[JScG)L r/`! 5z V-?' 8jT|=Qi;!hL6q.l?M/#FFGފ)f#S1l,Y*Jh'̧ "tU;O_/I٪@Sр"hA@†,Mn +q<1ЁYFPT%zayUk#-W!w_OW+*]0a6)5kaZI ˜ L6;@f) @+^zAx.Q9=Ms02/Lu*=gvG#z6qPX3ˋۡvL!zsNqlNV5{Ğ' <q%-&A:+]5I-x-;/u-PTŨT G v/6Ϲ!Y Geӻj,)pnym {`U8[VxN|z=7f#'pؿhwPr rźٔ]ܤ7 Pyw%PR~8E=+;:5l0+&.}U0d@Dm*b<}28EI䵧Ԭ@zfKn?@U"JfNR@i n(HF }S{1gKe?fXJSNtuc#>xLV >iSV谑VG$¡"(|$L 8H‚UZheyg@4}qk-jԴ RxmYegovsHZ~y>_]6KkC쌘sylD2tz#ugxwm_7w?>Єʒ{+ ΒNgFc]]~~V"hW|yMllw]O%}e09C颹+VK%M9inhHJ/Yt8,qvQWPRQQiN~ֳ_dWoPF۝xE! 3](@4nDѐTZ~y㆒2):OœNUX nZ Y^a;"y5vaqw :{NEv0$9dKsYM>/u簀5[ːKmir4Lrv"GN]_;r~+2^(keϷHbT]ʍy頲tq@m¹$O^wAkfvuv?AA%5RuBM+!} v('e ]=C!NC"' [9.Ӎ@4VS7] _w%T<0|nB)R>͜M!'ZMznk* >}2R fv䪄M,F_d-1el`rI?8yVdim6KF0kkc'yAy<]R+`jo:<(ŚRfkj ,KY``MT@Ȃx MC,_VGETN[Ϳ TQËIf08|2e]B.yV{kL69 т*2U✦VP90&NnH3MXE!zlt }sE^\c[0f|AY1( /]QDIŌMMRv~C`e c9{KFvMٶMt7: !mv߻V tPyJH=ܰ"·GQ7 I:.XfIIK bTb¨d\)}*\%虏O{LNuyY\]T$;&_&Ulv`4^Ok1͌/I=b|Ck+=Ɋ,ݿ7@NFձ~K}cK\7lY_9eE[!XL*x|r{6>=#;:7Ca3v` E&)6-(Um@ -mt`BHvBQNf!@֊p#\* hSPZoO\ĎW2[&dGԂɇ/&=]DbmV:qA0_#D[i:v6.ĥ.o.J^E |y%z?s?Jdwt:`crmtx@Pi܄QIb <)hfd~L 2FLS2e?N(֠fg%|\qRL"Z6T0S^B.ݾ>!#bx<‡x#ksU;o[/L9Bjw:UaM\['PB)!% /EְۤwT]BG`RK謞t>Q*ZjRotLj2Zϩe{ >X|e~{_jɀJ/**zGFR1yqj=\c@VV/k+_ X]@þ2U(&2ʬR6qF|_Fъ Ь+T3nuĚ p 34޵ʚa~A-sp$#RT ē(.{뙑, q@bP͗BnrDSkJw ԍ:7`Lȇ3IJؖ2Sp}>u;?kE@n؁Wp (-9)0YI[ dG ¨4 ǐF wnhLP'qw,)e_F=,S{b%)\( yWV%:U#F펬É7.Zպ kÞpCĪnkR 0rKX.Do~_pQD4[4I^0X#baiUFJluYP~-5L-F6Ě~r9c2Ǩ]@xp?p`"Ī.GS|]12OY7P,L9o.oGuQ6 [Q=xD86ݮ Ny'}aZ_=e9&,ܯ>}($:´QsEm6u9k/aSa]|>@{ k7S9 tn4n"%,L(|!G ZSm<["Cx0)_~ #dUe^1_U19{cb~"{E\ D:F(myD! "I*|tLwu19dpY=js8,/ |'C2C'7E}q0 O