samba-test-4.19.8+git.430.a10fe64854c-150600.3.18.2<>,1؉hvQ)p9|q&{P 3 Afx ok4 Ӎq%ɮ`5@'@`KbVGPBEHtwꥆZ \[߈Nj;`y.ݩ`0`N?};ÿ̫*s=rYCHk mv﷫y Y+^xJf{pķg):C :ΝuSD.[l*]~bqڝW~2Fa 孃mJIWEד&x_>u&Ps|m>@?d ( 6 b -AX^h     *p 9y(:8:'9?T':R'>@FGHI$X4Y<\]^{bcXdefluv,wxy,zP`djCsamba-test4.19.8+git.430.a10fe64854c150600.3.18.2Testing tools for Samba servers and clientssamba-test provides testing tools for both the server and client packages of Samba.hvQ)h03-ch2dNSUSE Linux Enterprise 15SUSE LLC GPL-3.0-or-laterhttps://www.suse.com/Applications/Systemhttps://www.samba.org/linuxx86_64B(Hh@AH Wԁ큤hvQ hvQ hvQ hvQ hvQ hvQ hvPhvPhvPhvPhvPhvPhvPhvPe4440bb3fc454121a82cb41db942186b8b8800d82197a124050c8d6c00d74ceae494eb2b944aea985a9d68bbeba64c1b3767bfba786d46937d95f68f2176e67efa26ba57cd9441d9e7e362cb28c3e3f65e5865dcb26125afc1c1289c4ed6744e0cae474299d500371501c161c0de6f6e4156a2f660d8fecffd138c0e7b579b3921248647583d9719b65094b1412fd37809771c4ea7c54017616357cd4d81d35182146313d2c98d980564e8697157087f711a5124b16bf21b8f505e6b9db57a03eb3798434f5832c9b33ff4989ca21f468e203834d7235a1e4f8685f209ca3d0b287be9d89c9a3db583691405c8e4661ca843f765cb429e399be7e1742e8350ac75f36a7352f40fe1840893525762b152bef7638ae62307fdbec1c8b2795db7ce119fa07bb529a46451ec0d997556c622ba5b28956a81fc7d049d43a17e7ba674522eb394e25c21921b2cea46fc338d60272dfbb00ece001e52d3f87a6b99e85524f1d24f83bc2df8c42c0fa0b2cc5347c3e0b5f91bb2ae6ec3593354430136589df5786a016f9af9e463e40f40c3d86aa76bd04a854e0a77dcbcf0f1808fe2c304f6b0efeaf0013ac2773e54d7602575ed4d8130f09b8f6f615fee178e1ec33drootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootsamba-4.19.8+git.430.a10fe64854c-150600.3.18.2.src.rpmsamba-testsamba-test(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /sbin/ldconfig/sbin/ldconfiglibLIBWBCLIENT-OLD-samba4.so()(64bit)libLIBWBCLIENT-OLD-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libMESSAGING-SEND-samba4.so()(64bit)libMESSAGING-SEND-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libMESSAGING-samba4.so()(64bit)libMESSAGING-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libRPC-SERVER-LOOP-samba4.so()(64bit)libRPC-SERVER-LOOP-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libads-samba4.so()(64bit)libads-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libasn1util-samba4.so()(64bit)libasn1util-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libauth-samba4.so()(64bit)libauth-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libauthkrb5-samba4.so()(64bit)libauthkrb5-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.2)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.32)(64bit)libc.so.6(GLIBC_2.33)(64bit)libc.so.6(GLIBC_2.34)(64bit)libc.so.6(GLIBC_2.38)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcli-cldap-samba4.so()(64bit)libcli-cldap-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libcli-ldap-common-samba4.so()(64bit)libcli-ldap-common-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libcli-ldap-samba4.so()(64bit)libcli-ldap-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libcli-nbt-samba4.so()(64bit)libcli-nbt-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libcli-smb-common-samba4.so()(64bit)libcli-smb-common-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libcliauth-samba4.so()(64bit)libcliauth-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libcluster-samba4.so()(64bit)libcluster-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libcmdline-contexts-samba4.so()(64bit)libcmdline-contexts-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libcmdline-samba4.so()(64bit)libcmdline-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libcom_err.so.2()(64bit)libcommon-auth-samba4.so()(64bit)libcommon-auth-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libdbwrap-samba4.so()(64bit)libdbwrap-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libdcerpc-binding.so.0()(64bit)libdcerpc-binding.so.0(DCERPC_BINDING_0.0.1)(64bit)libdcerpc-samba-samba4.so()(64bit)libdcerpc-samba-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libdcerpc-samba4.so()(64bit)libdcerpc-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libdcerpc-server-core.so.0()(64bit)libdcerpc-server-core.so.0(DCERPC_SERVER_CORE_0.0.1)(64bit)libdcerpc.so.0()(64bit)libdcerpc.so.0(DCERPC_0.0.1)(64bit)libdsdb-module-samba4.so()(64bit)libdsdb-module-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libevents-samba4.so()(64bit)libevents-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libflag-mapping-samba4.so()(64bit)libflag-mapping-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libgenrand-samba4.so()(64bit)libgenrand-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libgensec-samba4.so()(64bit)libgensec-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libgnutls.so.30()(64bit)libgnutls.so.30(GNUTLS_3_4)(64bit)libgnutls.so.30(GNUTLS_3_6_13)(64bit)libgnutls.so.30(GNUTLS_3_6_3)(64bit)libgse-samba4.so()(64bit)libgse-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libidmap-samba4.so()(64bit)libidmap-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libk5crypto.so.3()(64bit)libk5crypto.so.3(k5crypto_3_MIT)(64bit)libkrb5.so.3()(64bit)libkrb5.so.3(krb5_3_MIT)(64bit)libkrb5samba-samba4.so()(64bit)libkrb5samba-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libldb.so.2()(64bit)libldb.so.2(LDB_0.9.10)(64bit)libldb.so.2(LDB_0.9.15)(64bit)libldb.so.2(LDB_0.9.16)(64bit)libldb.so.2(LDB_1.1.14)(64bit)libldb.so.2(LDB_2.0.1)(64bit)libldb.so.2(LDB_2.8.0)(64bit)libldbsamba-samba4.so()(64bit)libldbsamba-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)liblibcli-lsa3-samba4.so()(64bit)liblibcli-lsa3-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)liblibcli-netlogon3-samba4.so()(64bit)liblibcli-netlogon3-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)liblibsmb-samba4.so()(64bit)liblibsmb-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libmsrpc3-samba4.so()(64bit)libmsrpc3-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libndr-krb5pac.so.0()(64bit)libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit)libndr-nbt.so.0()(64bit)libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit)libndr-samba-samba4.so()(64bit)libndr-samba-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libndr-samba4.so()(64bit)libndr-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libndr-standard.so.0()(64bit)libndr-standard.so.0(NDR_STANDARD_0.0.1)(64bit)libndr.so.3()(64bit)libndr.so.3(NDR_0.0.1)(64bit)libndr.so.3(NDR_0.0.3)(64bit)libndr.so.3(NDR_0.0.4)(64bit)libndr.so.3(NDR_0.0.8)(64bit)libndr.so.3(NDR_0.0.9)(64bit)libndr.so.3(NDR_0.2.0)(64bit)libndr.so.3(NDR_1.0.0)(64bit)libnetapi.so.1()(64bit)libnetapi.so.1(NETAPI_1.0.0)(64bit)libnetif-samba4.so()(64bit)libnetif-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libnss-info-samba4.so()(64bit)libnss-info-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libprinter-driver-samba4.so()(64bit)libprinter-driver-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libreadline.so.7()(64bit)libregistry-samba4.so()(64bit)libregistry-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libreplace-samba4.so()(64bit)libreplace-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libsamba-credentials.so.1()(64bit)libsamba-credentials.so.1(SAMBA_CREDENTIALS_1.0.0)(64bit)libsamba-debug-samba4.so()(64bit)libsamba-debug-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libsamba-errors.so.1()(64bit)libsamba-errors.so.1(SAMBA_ERRORS_1.0.0)(64bit)libsamba-hostconfig.so.0()(64bit)libsamba-hostconfig.so.0(SAMBA_HOSTCONFIG_0.0.1)(64bit)libsamba-modules-samba4.so()(64bit)libsamba-modules-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libsamba-net.cpython-36m-x86-64-linux-gnu-samba4.so()(64bit)libsamba-net.cpython-36m-x86-64-linux-gnu-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libsamba-passdb.so.0()(64bit)libsamba-passdb.so.0(SAMBA_PASSDB_0.2.0)(64bit)libsamba-security-samba4.so()(64bit)libsamba-security-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libsamba-sockets-samba4.so()(64bit)libsamba-sockets-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libsamba-util.so.0()(64bit)libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit)libsamba3-util-samba4.so()(64bit)libsamba3-util-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libsamdb-common-samba4.so()(64bit)libsamdb-common-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libsamdb.so.0()(64bit)libsamdb.so.0(SAMDB_0.0.1)(64bit)libsecrets3-samba4.so()(64bit)libsecrets3-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libserver-id-db-samba4.so()(64bit)libserver-id-db-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libshares-samba4.so()(64bit)libshares-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libsmbclient-raw-samba4.so()(64bit)libsmbclient-raw-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libsmbclient.so.0()(64bit)libsmbclient.so.0(SMBCLIENT_0.1.0)(64bit)libsmbclient.so.0(SMBCLIENT_0.3.1)(64bit)libsmbclient.so.0(SMBCLIENT_0.3.2)(64bit)libsmbclient.so.0(SMBCLIENT_0.3.3)(64bit)libsmbclient.so.0(SMBCLIENT_0.5.0)(64bit)libsmbclient.so.0(SMBCLIENT_0.6.0)(64bit)libsmbconf.so.0()(64bit)libsmbconf.so.0(SMBCONF_0.0.1)(64bit)libsmbd-shim-samba4.so()(64bit)libsmbd-shim-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libsmbpasswdparser-samba4.so()(64bit)libsmbpasswdparser-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libsocket-blocking-samba4.so()(64bit)libsocket-blocking-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libsys-rw-samba4.so()(64bit)libsys-rw-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtalloc.so.2(TALLOC_2.0.8)(64bit)libtalloc.so.2(TALLOC_2.1.0)(64bit)libtalloc.so.2(TALLOC_2.3.5)(64bit)libtdb-wrap-samba4.so()(64bit)libtdb-wrap-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent-util.so.0()(64bit)libtevent-util.so.0(TEVENT_UTIL_0.0.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.11.0)(64bit)libtevent.so.0(TEVENT_0.12.0)(64bit)libtevent.so.0(TEVENT_0.13.0)(64bit)libtevent.so.0(TEVENT_0.15.0)(64bit)libtevent.so.0(TEVENT_0.9.12)(64bit)libtevent.so.0(TEVENT_0.9.13)(64bit)libtevent.so.0(TEVENT_0.9.16)(64bit)libtevent.so.0(TEVENT_0.9.20)(64bit)libtevent.so.0(TEVENT_0.9.26)(64bit)libtevent.so.0(TEVENT_0.9.30)(64bit)libtevent.so.0(TEVENT_0.9.31)(64bit)libtevent.so.0(TEVENT_0.9.36)(64bit)libtevent.so.0(TEVENT_0.9.37)(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)libtime-basic-samba4.so()(64bit)libtime-basic-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libtorture-samba4.so()(64bit)libtorture-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libtrusts-util-samba4.so()(64bit)libtrusts-util-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libutil-reg-samba4.so()(64bit)libutil-reg-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libutil-tdb-samba4.so()(64bit)libutil-tdb-samba4.so(SAMBA_4.19.9_GIT.430.A10FE64854C150600.3.18.2SUSE_OS15.0_X86_64_SAMBA4)(64bit)libwbclient.so.0()(64bit)libwbclient.so.0(WBCLIENT_0.10)(64bit)libwbclient.so.0(WBCLIENT_0.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)sambasamba-winbind3.0.4-14.6.0-14.0-15.2-14.19.8+git.430.a10fe64854c4.19.8+git.430.a10fe64854c4.14.3hm@g`@gRgR@gMgp@fٝ@fxfteԔ@ee5@ede6`@e-%e'e%ascabrero@suse.denopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comddiss@suse.comscabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedimstar@opensuse.orgscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.descabrero@suse.denopower@suse.comscabrero@suse.deddiss@suse.comddiss@suse.comddiss@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comnopower@suse.comscabrero@suse.descabrero@suse.dedmulder@suse.comscabrero@suse.descabrero@suse.denopower@suse.comnopower@suse.comnopower@suse.comdmulder@suse.comscabrero@suse.denopower@suse.comddiss@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comjmcdonough@suse.comnopower@suse.comscabrero@suse.denopower@suse.comnopower@suse.comddiss@suse.comddiss@suse.comnopower@suse.comnopower@suse.comddiss@suse.comnopower@suse.comdmulder@suse.comdmulder@suse.comddiss@suse.comscabrero@suse.dedmulder@suse.comddiss@suse.comnopower@suse.comjengelh@inai.dedmulder@suse.comscabrero@suse.descabrero@suse.descabrero@suse.dedmulder@suse.comdmulder@suse.comdmulder@suse.comjmcdonough@suse.comdmulder@suse.comscabrero@suse.dedmulder@suse.comscabrero@suse.dedmulder@suse.comdmulder@suse.comvcizek@suse.comdmulder@suse.comdmulder@suse.comnopower@suse.comscabrero@suse.dejmcdonough@suse.comscabrero@suse.deaaptel@suse.comjengelh@inai.dedimstar@opensuse.orgdmulder@suse.comjmcdonough@suse.comdavid.mulder@suse.comjmcdonough@suse.comaaptel@suse.comdmulder@suse.comscabrero@suse.comscabrero@suse.comkukuk@suse.dedavid.mulder@suse.comscabrero@suse.comrbrown@suse.comdmulder@suse.comscabrero@suse.comdimstar@opensuse.orgscabrero@suse.comaaptel@suse.comnopower@suse.comnopower@suse.comaaptel@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comddiss@suse.comnopower@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comddiss@suse.comdmulder@suse.comnopower@suse.comjmcdonough@suse.comaaptel@suse.comkukuk@suse.comkukuk@suse.denopower@suse.comaaptel@suse.comdmulder@suse.comddiss@suse.comdmulder@suse.comddiss@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comnopower@suse.comnopower@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comnopower@suse.comddiss@suse.comjmcdonough@suse.comddiss@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comjmcdonough@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comtchvatal@suse.comlmuelle@suse.comnopower@suse.comcrrodriguez@opensuse.orglmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.comnoel.power@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comnopower@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.comlmuelle@suse.comddiss@suse.comlmuelle@suse.commpluskal@suse.comlmuelle@suse.comnopower@suse.deddiss@suse.comddiss@suse.comddiss@suse.comlmuelle@suse.denopower@suse.delmuelle@suse.comnopower@suse.deddiss@suse.comlmuelle@suse.comlmuelle@suse.comlmuelle@suse.com- Windows security hardening locks out schannel'ed netlogon dc calls like netr_DsRGetDCName; (bsc#1246431); (bso#15876).- Fix Samba printers reporting invalid sid during print jobs; (bsc#1234210); (bso#15792).- Fix crossing automounter mount points; (bsc#1215212); (bsc#1236803);- Update shipped /etc/samba/smb.conf to point to smb.conf man page;(bsc#1233880).- Update to 4.19.9 * libldb: performance issue with indexes (ldb 2.8.2 is already released); (bso#15590). * DH reconnect error handling can lead to stale sharemode entries; (bso#15624). * Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated; (bso#15699). * irpc_destructor may crash during shutdown; (bso#15280). * Compound SMB2 requests don't return NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses MacOSX clients; (bso#15696). * Crash when readlinkat fails; (bso#15700).- Adjust spec to split out rpcd_* binaries into a separate sub package; (bsc#1231414).- Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated; (bso#15699); (bsc#1229684). - Update to 4.19.8 * Invalid client warning about command line passwords; (bso#15671); * Version string is truncated in manpages; (bso#15672); * --version-* options are still not ergonomic, and they reject tilde characters; (bso#15673); * cmdline_burn does not always burn secrets; (bso#15674); * Samba doesn't parse SDDL found in defaultSecurityDescriptor in AD_DS_Classes_Windows_Server_v1903.ldf; (bso#15685); * We have added new options --vendor-name and --vendor-patch- revision arguments to ./configure to allow distributions and packagers to put their name in the Samba version string so that when debugging Samba the source of the binary is obvious; (bso#15654); * When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account need to change their own password; (bso#15655); * Fix clock skew error message and memory cache clock skew recovery; (bso#15676); * CTDB RADOS mutex helper misses namespace support; (bso#15665); * The images don't build after the git security release and CentOS 8 Stream is EOL; (bso#15660); * Fix unnecessary delays in CTDB while processing requests under high load; (bso#15678); * Dynamic DNS updates with the internal DNS are not working; (bso#13019); * s4:nbt_server: does not provide unexpected handling, so winbindd can't use nmb requests instead cldap; (bso#15620); * Panic in vfs_offload_token_db_fetch_fsp(); (bso#15664); * "client use kerberos" and --use-kerberos is ignored for the machine account; (bso#15666); * Regression DFS not working with widelinks = true; (bso#15435); * ntlm_auth make logs more consistent with length check; (bso#15677);- Fix a crash when joining offline and 'kerberos method' includes keytab; (bsc#1228732); - Fix reading the password from STDIN or environment vars if it was already given in the command line; (bsc#1228732);- Update to 4.19.7 * ldb qsort might r/w out of bounds with an intransitive compare function (ldb 2.8.1 is already released); (bso#15569). * Many qsort() comparison functions are non-transitive, which can lead to out-of-bounds access in some circumstances (ldb 2.8.1 is already released); (bso#15625). * Need to change gitlab-ci.yml tags in all branches to avoid CI bill; (bso#15638). * netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0; (bso#14981). * Anonymous smb3 signing/encryption should be allowed (similar to Windows Server 2022); (bso#15412). * Panic in dreplsrv_op_pull_source_apply_changes_trigger; (bso#15573). * winbindd, net ads join and other things don't work on an ipv6 only host; (bso#15642). * Smbcacls incorrectly propagates inheritance with Inherit-Only flag; (bso#15636). * http library doesn't support 'chunked transfer encoding'; (bso#15611). - Update to 4.19.6 * fd_handle_destructor() panics within an smbd_smb2_close() if vfs_stat_fsp() fails in fd_close(); (bso#15527). * samba-gpupdate: Correctly implement site support; (bso#15588). * libgpo: Segfault in python bindings; (bso#15599). * Packet marshalling push support missing for CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and CTDB_CONTROL_TCP_CLIENT_PASSED; (bso#15580).- Update to 4.19.5 * Windows 2016 fails to restore previous version of a file from a shadow_copy2 snapshot; (bso#13688). * Symlinks on AIX are broken in 4.19 (and a few version before that); (bso#15549). * Fake directory create times has no effect; (bso#12421). * ctime mixed up with mtime by smbd; (bso#15550). * samba-gpupdate --rsop fails if machine is not in a site; (bso#15548). * gpupdate: The root cert import when NDES is not available is broken; (bso#15557). * samba-gpupdate should print a useful message if cepces-submit can't be found; (bso#15552). * samba-gpupdate logging doesn't work; (bso#15558). * smbpasswd reset permissions only if not 0600; (bso#15555).- Remove -x from bash shebang update-apparmor-samba-profile; (bsc#1218431).- Update to 4.19.4 * net changesecretpw cannot set the machine account password if secrets.tdb is empty; (bso#13577). * For generating doc, take, if defined, env XML_CATALOG_FILES; (bso#15540). * Trivial C typo in nsswitch/winbind_nss_netbsd.c; (bso#15541). * vfs_linux_xfs is incorrectly named; (bso#15542). * systemd stumbled over copyright-message at smbd startup; (bso#15377). * Following intermediate abolute share-local symlinks is broken; (bso#15505). * ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public address disconnects first; (bso#15523). * shadow_copy2 broken when current fileset's directories are removed; (bso#15544). * smbd does not detect ctdb public ipv6 addresses for multichannel exclusion; (bso#15534). * 'force user = localunixuser' doesn't work if 'allow trusted domains = no' is set; (bso#15469). * smbget debug logging doesn't work; (bso#15525). * smget: username in the smburl and interactive password entry doesn't work; (bso#15532). * smbget auth function doesn't set values for password prompt correctly; (bso#15538). * Unable to copy and write files from clients to Ceph cluster via SMB Linux gateway with Ceph VFS module; (bso#15440). * Multichannel refresh network information; (bso#15547).- Update to 4.19.3 * sid_strings test broken by unix epoch > 1700000000; (bso#15520). * smbd crashes if asked to return full information on close of a stream handle with delete on close disposition set; (bso#15487). * smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor(); (bso#15521). * Improve logging for failover scenarios; (bso#15499). * Files without "read attributes" NFS4 ACL permission are not listed in directories; (bso#15093). * CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in AD LDAP to normal users; (bso#13595). * Kerberos TGS-REQ with User2User does not work for normal accounts; (bso#15492). * vfs_gpfs stat calls fail due to file system permissions; (bso#15507). * Samba doesn't build with Python 3.12; (bso#15513).- packaging: samba-tool domain provision requires python3-Markdown; (bsc#1216519).- Update to 4.19.2 * Use-after-free in aio_del_req_from_fsp during smbd shutdown after failed IPC FSCTL_PIPE_TRANSCEIVE; (bso#15423). * clidfs.c do_connect() missing a "return" after a cli_shutdown() call; (bso#15426). * macOS mdfind returns only 50 results; (bso#15463). * GETREALFILENAME_CACHE can modify incoming new filename with previous cache entry value; (bso#15481). * libnss_winbind causes memory corruption since samba-4.18, impacts sendmail, zabbix, potentially more; (bso#15464). * ctdbd: setproctitle not initialized messages flooding logs; (bso#15479). * CVE-2023-5568 Heap buffer overflow with freshness tokens in the Heimdal KDC in Samba 4.19; (bso#15491). * The heimdal KDC doesn't detect s4u2self correctly when fast is in use; (bso#15477).- use systemd-logind rather than utmp for y2038 safety; (bsc#1216159).- CVE-2023-4091: samba: Client can truncate file with read-only permissions; (bsc#1215904); (bso#15439). - CVE-2023-42669: samba: rpcecho, enabled and running in AD DC, allows blocking sleep on request; (bso#1215905); (bso#15474). - CVE-2023-42670: samba: The procedure number is out of range when starting Active Directory Users and Computers; (bsc#1215906); (bso#15473). - CVE-2023-3961: samba: Unsanitized client pipe name passed to local_np_connect(); (bsc#1215907); (bso#15422). - CVE-2023-4154: samba: dirsync allows SYSTEM access with only "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES; (bsc#1215908); (bso#15424).- Update to 4.19.0 * File doesn't show when user doesn't have permission if aio_pthread is loaded; (bso#15453). * ctdb_killtcp fails to work with --enable-pcap and libpcap ≥ 1.9.1; (bso#15451). * Logging to stdout/stderr with DEBUG_SYSLOG_FORMAT_ALWAYS can log to syslog; (bso#15460). * ‘samba-tool domain level raise’ fails unless given a URL; (bso#15458). * reply_sesssetup_and_X() can dereference uninitialized tmp pointer; (bso#15420). * missing return in reply_exit_done(); (bso#15430). * TREE_CONNECT without SETUP causes smbd to use uninitialized pointer; (bso#15432). * Avoid infinite loop in initial user sync with Azure AD Connect when synchronising a large Samba AD domain; (bso#15401). * Samba replication logs show (null) DN; (bso#15407). * 2-3min delays at reconnect with smb2_validate_sequence_number: bad message_id 2; (bso#15346). * DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed; (bso#15446). * CID 1539212 causes real issue when output contains only newlines; (bso#15438). * KDC encodes INT64 claims incorrectly; (bso#15452). * mdssvc: Do an early talloc_free() in _mdssvc_open(); (bso#15449). * Windows client join fails if a second container CN=System exists somewhere; (bso#9959). * regression DFS not working with widelinks = true; (bso#15435). * Heimdal fails to build on 32-bit FreeBSD; (bso#15443). * samba-tool ntacl get segfault if aio_pthread appended; (bso#15441). - Update to 4.18.6 * reply_sesssetup_and_X() can dereference uninitialized tmp pointer; (bso#15420); * Missing return in reply_exit_done(); (bso#15430); * post-exec password redaction for samba-tool is more reliable for fully random passwords as it no longer uses regular expressions containing the password value itself; (bso#15289); * Windows client join fails if a second container CN=System exists somewhere; (bso#9959); * Spotlight sometimes returns no results on latest macOS; (bso#15342); * Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted to remove the destination; (bso#15417); * Spotlight results return wrong date in result list; (bso#15427); * "net offlinejoin provision" does not work as non-root user; (bso#15414); * rpcserver no longer accepts double backslash in dfs pathname; (bso#15400); * cm_prepare_connection() calls close(fd) for the second time; (bso#15433); * 2-3min delays at reconnect with smb2_validate_sequence_number: bad message_id 2; (bso#15346); * samba-tool ntacl get segfault if aio_pthread appended; (bso#15441); * DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed; (bso#15446); * Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation); (bso#15390); * Regression DFS not working with widelinks = true; (bso#15435); * mdssvc: Do an early talloc_free() in _mdssvc_open(); (bso#15449); - Update to 4.18.5 * CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174). * CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173). * CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172). * CVE-2023-34968: Spotlight server-side Share Path Disclosure; (bso#15388); (bsc#1213171). * CVE-2023-3347: Samba doesn't require SMB2+ signing if `server signing = mandatory` is set; (bso#15397); (bsc#1213170). * secure channel faulty since Windows 10/11 update 07/2023; (bso#15418); (bsc#1213384). - Update to 4.18.4 * Backport --pidl-developer fixes; (bso#15404). * Named crashes on DLZ zone update; (bso#14030). * smbcacls and smbcquotas do not check // before the server; (bso#2312). * cli_list loops 100% CPU against pre-lanman2 servers; (bso#15382). * smbclient leaks fds with showacls; (bso#15391). * smbd returns NOT_FOUND when creating files on a r/o filesystem; (bso#15402). * NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry and causes test timeouts; (bso#15355). * net ads lookup (with unspecified realm) fails; (bso#15384). * Register Samba processes with GPFS; (bso#15381). * Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation); (bso#15390). * The winbind child segfaults when listing users with `winbind scan trusted domains = yes`; (bso#15398). * Remove comments about deprecated 'write cache size'; (bso#15383). * smbget memory leak if failed to download files recursively; (bso#15403). - Update to 4.18.3 * Symlinks to files can have random DOS mode information in a directory listing; (bso#15375). * vfs_fruit might cause a failing open for delete; (bso#15378). * winbind recurses into itself via rpcd_lsad; (bso#15361). * wbinfo -u fails on ad dc with >1000 users; (bso#15366). * DS ACEs might be inherited to unrelated object classes; (bso#15338). * a lot of messages: get_static_share_mode_data: get_static_share_mode_data_fn failed: NT_STATUS_NOT_FOUND; (bso#15362). * aes256 smb3 encryption algorithms are not allowed in smb3_sid_parse(); (bso#15374). * Setting veto files = /.*/ break listing directories; (bso#15360). * "samba-tool domain provision" does not run interactive mode if no arguments are given; (bso#15363). * dsgetdcname: assumes local system uses IPv4; (bso#15325). - Update to 4.18.2 * Log flood: smbd_calculate_access_mask_fsp: Access denied: message level should be lower; (bso#15302). * Floating point exception (FPE) via cli_pull_send at source3/libsmb/clireadwrite.c; (bso#15306). * test_tstream_more_tcp_user_timeout_spin fails intermittently on Rackspace GitLab runners; (bso#15328). * Reduce flapping of ridalloc test; (bso#15329). * large_ldap test is unreliable; (bso#15351). * New filename parser doesn't check veto files smb.conf parameter; (bso#15143). * mdssvc may crash when initializing; (bso#15354). * large directory optimization broken for non-lcomp path elements; (bso#15313). * streams_depot fails to create streams; (bso#15357). * shadow_copy2 and streams_depot don't play well together; (bso#15358). * Flapping tests in samba_tool_drs_show_repl.py; (bso#15316). * winbindd idmap child contacts the domain controller without a need; (bso#15317). * idmap_autorid may fail to map sids of trusted domains for the first time; (bso#15318). * idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings; (bso#15319). * net ads search -P doesn't work against servers in other domains; (bso#15323). * Temporary smbXsrv_tcon_global.tdb can't be parsed; (bso#15353). * Tests use depricated and removed methods like assertRegexpMatches; (bso#15343). - Update to 4.18.1 * CVE-2023-0225: AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users. (bso#15276);(bsc#1209483). * CVE-2023-0614: Access controlled AD LDAP attributes can be discovered (bso#15270); (bsc#1209485). * CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext(bso#15315);(bsc#1209481). * ldb wildcard matching makes excessive allocations; (bso#15331). * large_ldap test is inefficient; (bso#15332). - Update to 4.18.0 * SMB server performance improvements * More succinct samba-tool error messages * Color output with samba-tool --color The NO_COLOR environment variable will disable colour output * New samba-tool dsacl subcommand for deleting ACEs * New wbinfo option --change-secret-at * Net option to change the NT ACL default location * Azure AD / Office365 synchronization improvements- Fix DFS not working with widelinks enabled; (bsc#1213607); (bso#15435);- Move libcluster-samba4.so from samba-libs to samba-client-libs; (bsc#1213940);- net ads lookup with unspecified realm fails; (bso#15384); (bsc#1213826);- secure channel faulty since Windows 10/11 update 07/2023; (bso#15418); (bsc#1213384).- CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174). - CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173). - CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172). - CVE-2023-34968: Spotlight server-side Share Path Disclosure; (bso#15388); (bsc#1213171). - CVE-2023-3347: Samba doesn't require SMB2+ signing if `server signing = mandatory` is set; (bso#15397); (bsc#1213170).- Update to 4.17.9 * Backport --pidl-developer fixes; (bso#15404). * smbd_scavenger crashes when service smbd is stopped; (bso#15275). * vfs_fruit might cause a failing open for delete; (bso#15378). * named crashes on DLZ zone update; (bso#14030). * winbind recurses into itself via rpcd_lsad; (bso#15361). * cli_list loops 100% CPU against pre-lanman2 servers; (bso#15382). * smbclient leaks fds with showacls; (bso#15391). * aes256 smb3 encryption algorithms are not allowed in smb3_sid_parse(); (bso#15374). * winbindd gets stuck on NT_STATUS_RPC_SEC_PKG_ERROR; (bso#15413). * smbget memory leak if failed to download files recursively; (bso#15403).- Update to 4.17.8 * log flood: smbd_calculate_access_mask_fsp: Access denied: message level should be lower; (bso#15302). * Floating point exception (FPE) via cli_pull_send at source3/libsmb/clireadwrite.c; (bso#15306). * test_tstream_more_tcp_user_timeout_spin fails intermittently on Rackspace GitLab runners; (bso#15328). * Reduce flapping of ridalloc test; (bso#15329). * large_ldap test is unreliable; (bso#15351). * New filename parser doesn't check veto files smb.conf parameter; (bso#15143). * mdssvc may crash when initializing; (bso#15354). * Large directory optimization broken for non-lcomp path elements; (bso#15313). * streams_depot fails to create streams; (bso#15357). * shadow_copy2 and streams_depot don't play well together; (bso#15358). * wbinfo -u fails on ad dc with >1000 users; (bso#15366). * winbindd idmap child contacts the domain controller without a need; (bso#15317). * idmap_autorid may fail to map sids of trusted domains for the first time; (bso#15318). * idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings; (bso#15319). * net ads search -P doesn't work against servers in other domains; (bso#15323). * DS ACEs might be inherited to unrelated object classes; (bso#15338). * Temporary smbXsrv_tcon_global.tdb can't be parsed; (bso#15353). * Setting veto files = /.*/ break listing directories; (bso#15360); (bsc#1212375). * CVE-2020-25720 [SECURITY] Create Child permission should not allow full write to all attributes (additional changes); (bso#14810). * dsgetdcname: assumes local system uses IPv4; (bso#15325).- Update to 4.17.7 * CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext; (bso#15315); (bsc#1209481). * CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users; (bso#15276); (bsc#1209483). * CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bso#15270); (bsc#1209485). * large_ldap test is inefficient; (bso#15332). * CVE-2020-25720 [SECURITY] Create Child permission should not allow full write to all attributes (additional changes); (bso#14810). - Update to 4.17.6 * streams_xattr is creating unexpected locks on folders; (bso#15314). * Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment; (bso#10635). * Spotlight doesn't work with latest macOS Ventura; (bso#15299). * New samba-dcerpc architecture does not scale gracefully; (bso#15310). * vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat; (bso#15307). * With clustering enabled samba-bgqd can core dump due to use after free; (bso#15293). * fd_load() function implicitly closes the fd where it should not; (bso#15311). - Update to 4.17.5 * smbc_getxattr() return value is incorrect; (bso#14808). * Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled correctly; (bso#15172). * synthetic_pathref AFP_AfpInfo failed errors; (bso#15210). * samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when there is only an AAAA record for the DC in DNS; (bso#15226). * smbd crashes if an FSCTL request is done on a stream handle; (bso#15236). * DFS links don't work anymore on Mac clients since 4.17; (bso#15277). * vfs_virusfilter segfault on access, directory edgecase (accessing NULL value); (bso#15283). * CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON (additional changes); (bso#15240). * %U for include directive doesn't work for share listing (netshareenum); (bso#15243). * Shares missing from netshareenum response in samba 4.17.4; (bso#15266). * ctdb: use-after-free in run_proc; (bso#15269). * irpc_destructor may crash during shutdown; (bso#15280). * auth3_generate_session_info_pac leaks wbcAuthUserInfo; (bso#15286). * smbclient segfaults with use after free on an optimized build; (bso#15268). * smbstatus leaking files in msg.sock and msg.lock; (bso#15282). * Leak in wbcCtxPingDc2; (bso#15164). * Access based share enum does not work in Samba 4.16+; (bso#15265). * Crash during share enumeration; (bso#15267). * rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer; (bso#15271). * Avoid relying on C89 features in a few places; (bso#15281).- Make (32bit) samba-libs conflict with old samba-ad-dc-libs package to satisfy installcheck.- Make samba-libs conflict with old samba-ad-dc-libs package to satisfy installcheck.- Remove non functioning ifup/ifdown samba-winbindd scripts; (bsc#1207414).- libdsdb-module-samba4 should be packaged as part of samba-libs and not samba-ad-dc-libs. Additionally no need for it to be removed conditionally.- Clean up logic for PAM migration settings in spec file.- Change with_dc default to 0 (for non TW builds), ADDC feature is deprecated and will no longer be included in >= SLE15-SP5; (jsc#PED-1122).- Update to 4.17.4 * CVE-2022-44640 Upstream Heimdal free of user-controlled pointer in FAST; (bsc#14929); * CVE-2021-20251 Bad password count not incremented atomically; (bsc#14611); * CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability; (bsc#15203); * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); * pam_winbind uses time_t and pointers assuming they are of the same size; (bso#15224); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories; (bso#15252); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * libnet: change_password() doesn't work with dcerpc_samr_ChangePasswordUser4(); (bso#15206); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); * Memory leak in snprintf replacement functions; (bso#15230); * RODC doesn't reset badPwdCount reliable via an RWDC (CVE-2021-20251 regression); (bso#15253); * Prevent EBADF errors with vfs_glusterfs; (bso#15198); * %U for include directive doesn't work for share listing (netshareenum); (bso#15243); * Stack smashing in net offlinejoin requestodj; (bso#15257); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); * Heimdal session key selection in AS-REQ examines wrong entry; (bso#15219); - Remove deprecated if-{down,up} scripts; (bsc#1206444); - Adjust the systemd drop-in file for named service; (bsc#1201689); * Paths are additive so do not repeat paths from named.service * Prefix the samba DLZ directory with "-" to ignore this path if it does not exists- Introduce without-smb1-server spec flag; (bsc#1205104); - Update to 4.17.3 * CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit systems; (bsc#1205126); (bso#15203); - Replace obsolete python-gpgme with python-gpg * Upstream replaced it in v4.9.5 -- bso#13728 - Update to 4.17.2 * CVE-2022-3592 [SECURITY] samba: Wide links protection broken; (bso#15207); (bsc#1204499). * CVE-2022-3437 [SECURITY] samba: Buffer overflow in Heimdal unwrap_des3();(bso#15134); (bsc#1204254). - Update to 4.17.1 * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Flush on a named stream never completes; (bso#15182). * Permission denied calling SMBC_getatr when file not exists; (bso#15195). * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC; (bso#15189). * pytest: add file removal helpers for TestCaseInTempDir; (bso#15191). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC; (bso#15189). * Flush on a named stream never completes; (bso#15182). * vfs_gpfs silently garbles timestamps > year 2106; (bso#15151). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). * multi-channel socket passing may hit a race if one of the involved processes already existed; (bso#15200). * memory leak on temporary of struct imessaging_post_state and struct tevent_immediate on struct imessaging_context (in rpcd_spoolss and maybe others); (bso#15201). * Since popt1.19 various use after free errors using result of poptGetArg are now exposed; (bso#15205); (boo#1204279). * Remove special case for O_CREAT in SMB_VFS_OPENAT from vfs_glusterfs; (bso#15192). * GETPWSID in memory cache grows indefinetly with each NTLM auth; (bso#15169). * CVE-2021-20251 [SECURITY] Bad password count not incremented atomically; (bso#14611). - Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689); - Fix use after free errors resulting from using return of poptGetArg exposed since popt-1.19; (boo#1204279); (bso#15205). - s3: smbd: Fix memory leak in smbd_server_connection_terminate_done(); (bso#15174). - Disable SMB1 for tumbleweed builds. - Update to 4.17.0 * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Cross-node multi-channel reconnects result in SMB2 Negotiate returning NT_STATUS_NOT_SUPPORTED; (bso#15159). * winbind at info level debug can coredump when processing wb_lookupusergroups; (bso#15160). * Make use of glfs_*at() API calls in vfs_glusterfs; (bso#15157). * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128). * `net usershare add` fails with flag works with --long but fails with -l; (bso#15145). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Performance regression on contended path based operations; (bso#15125). * Missing READ_LEASE break could cause data corruption; (bso#15148). * libsamba-errors uses a wrong version number; (bso#15141). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * New filename parser doesn't check veto files smb.conf parameter; (bso#15143). * 4.17.rc1 still uses symlink-race prone unix_convert(); (bso#15144). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Manpage for smbstatus json is missing; (bso#15147). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Performance regression on contended path based operations; (bso#15125). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). * Fix issues found by coverity in smbstatus json code; (bso#15140). * Backport fileserver related changed to 4.17.0rc2; (bso#15146). - Migration to /usr/etc: Saving user changed configuration files in /etc and restoring them while an RPM update. - Update to 4.16.4 * CVE-2022-2031: Samba AD users can bypass certain restrictions associated with changing passwords; (bsc#1201495); (bso#15047); * CVE-2022-32744: Samba AD users can forge password change requests for any user; (bsc#1201493); (bso#15074); * CVE-2022-32745: Samba AD users can crash the server process with an LDAP add or modify request; (bsc#1201492); (bso#15008); * CVE-2022-32746: Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request; (bsc#1201490); (bso#15009); * CVE-2022-32742: Server memory information leak via SMB1; (bsc#1201496); (bso#15085); - Update to 4.16.3 * Using vfs_streams_xattr and deleting a file causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * Samba with new lorikeet-heimdal fails to build on gcc 12.1 in developer mode; (bso#15095); * Crash in streams_xattr because fsp->base_fsp->fsp_name is NULL; (bso#15105); * Crash in rpcd_classic - NULL pointer deference in mangle_is_mangled(); (bso#15118); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * Fix check for chown when processing NFSv4 ACL; (bso#15120); * The pcap background queue process should not be stopped; (bso#15082); * testparm: Fix typo in idmap rangesize check; (bso#15097); * net ads info returns LDAP server and LDAP server name as null; (bso#15106); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * CTDB child process logging does not work as expected; (bso#15090); - Update spec file to fix the optional Heimdal DC build - Fix external trusts with MIT Kerberos 1.20 - Add missing samba-client requirement to samba-winbind package; (bsc#1198255); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Add sysuser-shadow requirement for packages using systemd-sysusers - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979); - Moved logrotate files from user specific directory /etc/logrotate.d to vendor specific directory /usr/etc/logrotate.d. - Update to 4.16.2 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * Reintroduce netgroups support; (bso#15087); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Update from 4.15 to 4.16 breaks discovery of [homes] on standalone server from Win and IOS; (bso#15062); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient -E doesn't work as advertised; (bso#15075); * The samba background daemon doesn't refresh the printcap cache on startup; (bso#15081); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Fix samba4.blackbox.net_ads_dns_async test with bind9 >= 9.17.7 - Support building with MIT Kerberos 1.20 - Bronze bit and S4U support with MIT Kerberos 1.20 for Samba AD DC; (CVE-2020-17049); - Resource Based Constrained Delegation (RBCD) for Samba AD DC - Support building with gcc 12.1 - Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362); - Update to 4.16.1 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * Need to describe --builtin-libraries= better (compare with - -bundled-libraries); (bso#8731); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * Username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * KVNO off by 100000; (bso#14951); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * smbd doesn't handle UPNs for looking up names; (bso#15054); - Update update-apparmor-samba-profile script, replace non-printable delimiter with more human readable separator as sed can accept separators that can appear in the input data. - Fix update-apparmor-samba-profile script, sed doesn't like multibyte separators; (bsc#1198309). - Update to 4.16.0 * New samba-dcerpcd binary to provide DCERPC in the member server setup * Certificate Auto Enrollment * Ability to add ports to dns forwarder addresses in internal DNS backend * No longer using Linux mandatory locks for sharemodes * SMB1 protocol has been deprecated, particularly older dialects * SMB1 protocol SMBCopy command removed * SMB1 server-side wildcard expansion removed - Add python3-dnspython to samba-ad-dc recommens; (bsc#1187101); - Use systemd-sysusers to create system users; (bsc#1182847);- Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689);- Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254)- Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection->connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)") at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803);- Fix Use after free when iterating smbd_server_connection->connections after tree disconnect failure; (bso#15128); (bsc#1200102).- CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). - CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). - CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); - CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). - CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493).- Update to 4.15.8 * Use pathref fd instead of io fd in vfs_default_durable_cookie; (bso#15042); * Setting fruit:resource = stream in vfs_fruit causes a panic; (bso#15099); * Add support for bind 9.18; (bso#14986); * logging dsdb audit to specific files does not work; (bso#15076); * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had been deleted; (bso#15069); * netgroups support removed; (bso#15087); (bsc#1199247); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); (bsc#1199734); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * smbclient commands del & deltree fail with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556); * vfs_gpfs recalls=no option prevents listing files; (bso#15055); * waf produces incorrect names for python extensions with Python 3.11; (bso#15071); * Compile error in source3/utils/regedit_hexedit.c; (bso#15091); * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link; (bso#15108); * smbd doesn't handle UPNs for looking up names; (bso#15054); * Out-by-4 error in smbd read reply max_send clamp; (bso#14443); - Move pdb backends from package samba-libs to package samba-client-libs and remove samba-libs requirement from samba-winbind; (bsc#1200964); (bsc#1198255); - Use the canonical realm name to refresh the Kerberos tickets; (bsc#1196224); (bso#14979);- Fix smbclient commands del & deltree failing with NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100); (bsc#1200556).- Revert NIS support removal; (bsc#1199247);- Use requires_eq macro to require the libldb2 version available at samba-dsdb-modules build time; (bsc#1199362);- Add missing samba-client requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.7 * Share and server swapped in smbget password prompt; (bso#14831); * Durable handles won't reconnect if the leased file is written to; (bso#15022); * rmdir silently fails if directory contains unreadable files and hide unreadable is yes; (bso#15023); * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on renamed file handle; (bso#15038); * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback; (bso#14957); * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes; (bso#15035); * PAM Kerberos authentication incorrectly fails with a clock skew error; (bso#15046); * username map - samba erroneously applies unix group memberships to user account entries; (bso#15041); * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in SMBC_server_internal; (bso#14983); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Crash of winbind on RODC; (bso#14641); * uncached logon on RODC always fails once; (bso#14865); * KVNO off by 100000; (bso#14951); * LDAP simple binds should honour "old password allowed period"; (bso#15001); * wbinfo -a doesn't work reliable with upn names; (bso#15003); * Simple bind doesn't work against an RODC (with non-preloaded users); (bso#13879); * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027); * Regression: create krb5 conf = yes doesn't work with a single KDC; (bso#15016);- Add provides to samba-client-libs package to fix upgrades from previous versions; (bsc#1197995);- Add missing samba-libs requirement to samba-winbind package; (bsc#1198255);- Update to 4.15.6 * Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169); * Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with same lease key; (bso#14737); * NT error code is not set when overwriting a file during rename in libsmbclient; (bso#14938); * Fix ldap simple bind with TLS auditing; (bso#14996); * net ads info shows LDAP Server: 0.0.0.0 depending on contacted server; (bso#14674); * Problem when winbind renews Kerberos; (bso#14979); (bsc#1196224); * pam_winbind will not allow gdm login if password about to expire; (bso#8691); * virusfilter_vfs_openat: Not scanned: Directory or special file; (bso#14971); * DFS fix for AIX broken; (bso#13631); * Solaris and AIX acl modules: wrong function arguments; (bso#14974); * Function aixacl_sys_acl_get_file not declared / coredump; (bso#7239); * Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam; (bso#14900); * Fix a use-after-free in SMB1 server; (bso#14989); * smb2_signing_decrypt_pdu() may not decrypt with gnutls_aead_cipher_decrypt() from gnutls before 3.5.2; (bso#14968); * Changing the machine password against an RODC likely destroys the domain join; (bso#14984); * authsam_make_user_info_dc() steals memory from its struct ldb_message *msg argument; (bso#14993); * Use Heimdal 8.0 (pre) rather than an earlier snapshot; (bso#14995); * Samba autorid fails to map AD users if id rangesize fits in the id range only once; (bso#14967);- Fix mismatched version of libldb2; (bsc#1196788). - Drop obsolete SuSEfirewall2 service files.- Drop obsolete Samba fsrvp v0->v1 state upgrade functionality; (bsc#1080338).- Fix ntlm authentications with "winbind use default domain = yes"; (bso#13126); (bsc#1173429); (bsc#1196308).- Fix samba-ad-dc status warning notification message by disabling systemd notifications in bgqd; (bsc#1195896); (bso#14947).- libldb version mismatch in Samba dsdb component; (bsc#1118508);- Update to 4.15.5 * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target of a symlink exists; (bso#14911); (bsc#1193690). * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module; (bso#14914); (bsc#1194859). * CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks; bso#14950); (bsc#1195048).- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);- Update to 4.15.4 * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set "client max protocol" to NT1 before calling the "Reconnecting with SMB1 for workgroup listing" path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * "smbd --build-options" no longer works without an smb.conf file; (bso#14945);- Use pkgconfig(krb5) as dependency for the -devel package: allow OBS to pick the right flavor of krb5-devel (full vs mini). - Do not require the 'krb5' symbol by samba-client-libs: this package has an automatic dependency due to linkage on libgssapi_krb5.so.2. Automatic deps are always better. - Do not require the 'krb5' symbol from samba-libs: samba-libs requires samba-client-libs, which in turn requires krb5 libraries. Samba-libs itself has no need for krb5 (but get it indirectly anyway).- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Add python-rpm-macros to build requirements - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba- Update to 4.15.3 * Recursive directory delete with veto files is broken in 4.15.0; (bso#14878); * A directory containing dangling symlinks cannot be deleted by SMB2 alone when they are the only entry in the directory; (bso#14879); * SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used uninitialized in rmdir_internals(); (bso#14892); * MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694); * The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token; (bso#14901); (bsc#1192849); * User with multiple spaces (eg FredNurk) become un-deletable; (bso#14902); * Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127); * smbXsrv_client_global record validation leads to crash if existing record points at non-existing process; (bso#14882); * Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call; (bso#14890); * Samba process doesn't log to logfile; (bso#14897); * set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert; (bso#14907); * Kerberos authentication on standalone server in MIT realm broken; (bso#14922); * Segmentation fault when joining the domain; (bso#14923); * Support for ROLE_IPA_DC is incomplete; (bso#14903); * rpcclient cannot connect to ncacn_ip_tcp services anymore; (bso#14767); * winexe crashes since 4.15.0 after popt parsing; (bso#14893); * net ads status -P broken in a clustered environment; (bso#14908); * Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before smbd_smb2_ioctl_send; (bso#14788); * winbindd doesn't start when "allow trusted domains" is off; (bso#14899); * smbclient login without password using '-N' fails with NT_STATUS_INVALID_PARAMETER on Samba AD DC; (bso#14883); * A schannel client incorrectly detects a downgrade connecting to an AES only server; (bso#14912); * Possible null pointer dereference in winbind; (bso#14921); * Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.; (bso#14846); * Add Debian 11 CI bootstrap support; (bso#14872); * Crash in recycle_unlink_internal(); (bso#14888);- Fix dependency problem upgrading from libndr0 to libndr2 and from libsamba-credentials0 to libsamba-credentials1; (bsc#1192684);- Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do suffienct access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); * samldb_krbtgtnumber_available() looks for incorrect string; (bso#14854); * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); * Allow special chars like "@" in samAccountName when generating the salt; (bso#14874); * Correctly ignore comments in CTDB public addresses file; (bso#14826); * Fix transit path validation; (bso#12998); * Fix that child winbindd logs to log.winbindd instead of log.wb-; (bso#14852); * SMB3 cancel requests should only include the MID together with AsyncID when AES-128-GMAC is used; (bso#14855); * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); * Heimdal prefers RC4 over AES for machine accounts; (bso#14864);- Enable samba-tool without ad dc.- Adjust spec to use pam macros; (bsc#1191046).- Adjust spec for size * allow some Recommends instead Requires to be configured for cifs-utils, samba-libs-python3 & samba-gpupdate; (bsc#1182847). * remove fam, undocumented and unneeded.- Add missing build dependency on bison when building with the embedded Heimdal Kerberos- Update to 4.15.0 * Removed SMB development dialects SMB2_22, SMB2_24 and SMB3_10 * VFS layer modernized. * Add the ability to set allow/deny lists for zone transfer clients in Bind DLZ plugin * Server multi-channel support no longer experimental * Improved command line user experience, unifying the options in different commands * Winbindd no longer scans trusted domains on startup and will use enterprise principals by default. * The net utility is now able to support the offline domain join feature * New options for 'samba-tool dns zoneoptions' for aging control and to mark old records as static or dynamic * DNS tombstones are now deleted as appropriate and use a consistent timestamp format * The 'samba-tool dns update' command validates and rejects now malformed IPv4 and IPv6 addresses * The 'samba-tool domain backup' command correctly takes out locks against concurrent modification during backup when using the LMDB backend * TruACL support has been removed * NIS support has been removed- Fix 'net rpc' authentication when using the machine account; (bsc#1189017); (bso#14796);- Fix dependency problem upgrading from libndr0 to libndr1; (bsc#1189875); - Fix dependency problem upgrading from libsmbldap0 to libsmbldap2; (bsc#1189875); - Fix wrong kvno exported to keytab after net ads changetrustpw due to replication delay; (bsc#1188727); - Add Certificate Auto Enrollment Policy; (jsc#SLE-18456). - Update to 4.13.10 * s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles; (bso#14708); * Take a copy to make sure we don't reference free'd memory; (bso#14721); * s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722); * s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path; (bso#14736); * samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID; (bso#14575); * smbd: Correctly initialize close timestamp fields; (bso#14714); * Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740); * ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475); * gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750); * smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records; (bso#14752); * samba-tool domain backup offline doesn't work against bind DLZ backend; (bso#14027); * netcmd: Use next_free_rid() function to calculate a SID for restoring a backup; (bso#14669); - Update to 4.13.9 * s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success; (bso#14696); * Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code; (bso#14689); * Fix smbd panic when two clients open same file; (bso#14672); * Fix memory leak in the RPC server; (bso#14675); * s3: smbd: Fix deferred renames; (bso#14679); * s3-iremotewinspool: Set the per-request memory context; (bso#14675); * rpc_server3: Fix a memleak for internal pipes; (bso#14675); * third_party: Update socket_wrapper to version 1.3.2; (bso#11899); * third_party: Update socket_wrapper to version 1.3.3; (bso#14639); * idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict; (bso#14663); * Fix the build on OmniOS; (bso#14288); - Update to 4.13.8 * CVE-2021-20254: Fix buffer overrun in sids_to_unixids(); (bso#14571 - Update to 4.13.7 * Release with dependency on ldb version 2.2.1.- CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bnc#14571); (bsc#1184677).- Fix offline domain backup not possible using lmdb version >= 0.9.26; (bso#14676); - Require libldb >= 2.2.1; (bsc#1183572); (bsc#1183574); - Update to 4.13.6 * CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). * CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Update to 4.13.5 * s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure; (bso#14634); * s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection; (bso#13992); * smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services; (bso#14604); * dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones (bso#14593); * s3: Fix fcntl waf configure check; (bso#14503); * s3/auth: Implement "winbind:ignore domains"; (bso#14602); * smbd: Use fsp->conn->session_info for the initial delete-on-close token; (bso#14617); * s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path; (bso#14648); * classicupgrade: Treat old never expires value right; (bso#14624); * g_lock: Fix uninitalized variable reads; (bso#14636); * s3:pysmbd: Fix fd leak in py_smbd_create_file(); (bso#13898); * lib:util: Avoid free'ing our own pointer; (bso#14625); * HEIMDAL: krb5_storage_free(NULL) should work; (bso#12505);- Spec file fixes around systemd and requires; (bsc#1182830); - Align systemd service unit files with upstream provided ones.- Update to 4.13.4 * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * lib: Avoid declaring zero-length VLAs in various messaging functions; (bso#14605); * Do not create an empty DB when accessing a sam.ldb; (bso#14579); * vfs_fruit may close wrong backend fd; (bso#14596); * Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does; (bso#14612); * vfs_virusfilter: Allocate separate memory for config char*; (bso#14606); * vfs_fruit may close wrong backend fd; (bso#14596); * Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7; (bso#14607); * The cache directory for the user gencache should be created recursively; (bso#14601); * Be more flexible with repository names in CentOS 8 test environments; (bso#14594);- Uninstalling samba-client: Failed to disable unit, cifs.service does not exists; (bsc#1180388);- Update to 4.13.3 + libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob; (bso#14210); + s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function; (bso#14486); + s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE(); (bso#14515); + s3: spoolss: Make parameters in call to user_ok_token() match all other uses; (bso#14568); + s3: smbd: Quiet log messages from usershares for an unknown share; (bso#14590); + samba process does not honor max log size; (bso#14248); + vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE; (bso#14587); + s3-libads: Pass timeout to open_socket_out in ms; (bso#13124); + s3-vfs_glusterfs: Always disable write-behind translator; (bso#14486); + smbclient: Fix recursive mget; (bso#14517); + clitar: Use do_list()'s recursion in clitar.c; (bso#14581); + manpages/vfs_glusterfs: Mention silent skipping of write-behind translator; (bso#14486); + vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bso#14573); + interface: Fix if_index is not parsed correctly; (bso#14514);- Update to 4.13.2 + s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return; (bso#14486); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471); + smb.conf.5: Add clarification how configuration changes reflected by Samba; (bso#14538); + daemons: Report status to systemd even when running in foreground; (bso#14552); + DNS Resolver: Support both dnspython before and after 2.0.0; (bso#14553); + s3-vfs_glusterfs: Refuse connection when write-behind xlator is present; (bso#14486); + provision: Add support for BIND 9.16.x; (bso#14487); + ctdb-common: Avoid aliasing errors during code optimization; (bso#14537); + libndr: Avoid assigning duplicate versions to symbols; (bso#14541); + docs: Fix default value of spoolss:architecture; (bso#14522); + winbind: Fix a memleak; (bso#14388); + s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531); + docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs; (bso#14486); + nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h. + vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530); + third_party: Update resolv_wrapper to version 1.1.7; (bso#14547); + examples:auth: Do not install example plugin; (bso#14550); + ctdb-recoverd: Drop unnecessary and broken code; (bso#14513); + RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special; (bso#14471);- Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469).- Update to samba 4.13.1 + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records; (bsc#1177613); (bso#14472); + CVE-2020-14323: Unprivileged user can crash winbind; (bsc#1173994); (bso#14436); + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify; (bsc#1173902); (bso#14434); - Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba; (bsc#1177355);- Fix vfs_ceph query_directory regression; (bso#14519) - Drop liburing-devel for SLE15-SP2; (bsc#1177245)- Register CTDB recovery lock holder with ceph-mgr - Add liburing-devel dependency- Update to samba 4.13.0 + Require Python 3.6 + Move wide links functionality into VFS module + Deprecate NT4-like 'classic' Samba domain controllers + Deprecate SMBv1 only protocol options + Remove deprecated "ldap ssl ads" option + Unify asynchronous DCE-RPC server; (jsc#SES-645) + Replay multichannel lease break requests; (bso#11897); (jsc#SES-655) + Drop internal byteorder.h header from util-devel package + Remove final code for the AD DC LDAP backend + Add AD DC Group Policy Scripts + Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14; (bso#14399) + Fix %U substitutions if it contains a domain name; (bso#14467) + Fix krb5.conf creation for 'net ads join'; (bso#14479) + Fix build problem if libbsd-dev is not installed; (bso#14482) + Toggle vfs_snapper using "--with-shared-modules"; (bso#14437) + Fix idmap_ad RFC4511 response handling; (bso#14465) + Fix panic in get_lease_type(); (bso#14428)- Update to samba 4.11.13 + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge; (bsc#1176579); (bso#14497); + CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no"; (bsc#1176579); (bso#14497); - Update to samba 4.11.12 + s3: libsmb: Fix SMB2 client rename bug to a Windows server; (bso#14403); + dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on RHEL7; (bso#14424); + dbcheck: Allow a dangling forward link outside our known NCs; (bso#14450); + lib/debug: Set the correct default backend loglevel to MAX_DEBUG_LEVEL; (bso#14426); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + lib/util: do not install "test_util_paths"; (bso#14370); + lib:util: Fix smbclient -l basename dir; (bso#14345); + s3:smbd: PANIC: assert failed in get_lease_type(); (bso#14428); + util: Allow symlinks in directory_create_or_exist; (bso#14166); + docs: Fix documentation for require_membership_of of pam_winbind; (bso#14358); + s3:winbind:idmap_ad: Make failure to get attrnames for schema mode fatal; (bso#14425);- Add obsoletes to libsmbldap2 package to fix upgrades from previous versions; (bsc#1172810);- Fix net command unable to negotiate SMB2; (bsc#1174120);- Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227).- Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307);- Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437);- Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521);- Require libldb2 >= 2.0.10 after security release.- CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850);- Fix smbclient crash with double free (with unresolved krb5 credential cache); (bso#14344); (bsc#1169095).- Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680).- CTDB doesn't retry outgoing connections on bind (and some other) failures; (bso#14274); (bsc#1162680).- Revert: Allow idmap_rid to have primary group other than "Domain Users"; (bsc#1087931).- Fix nmbstatus not reporting detailed information about workgroups; (bsc#1159464); - Fix querying all names registered within broadcast area; (bso#8927);- Update to samab 4.11.5 + CVE-2019-14902: Replication of ACLs down subtree on AD Directory is not automatic; (bso#12497); (bsc#1160850). + CVE-2019-19344: Fix server crash with dns zone scavenging = yes; (bso#14050); (bsc#1160852). + CVE-2019-14907: server-side crash after charset conversion failure (eg during NTLMSSP processing); (bso#14208); (bsc#1160888). - Update to samba 4.11.4 + Ensure SMB1 cli_qpathinfo2() doesn't return an inode number; (bso#14161). + Ensure we don't call cli_RNetShareEnum() on an SMB1 connection; (bso#14174). + NT_STATUS_ACCESS_DENIED becomes EINVAL when using SMB2 in SMBC_opendir_ctx; (bso#14176). + SMB2 - Ensure we use the correct session_id if encrypting an interim response; (bso#14189). + Prevent smbd crash after invalid SMB1 negprot; (bso#14205). + printing: Fix %J substition; (bso#13745). + Remove now unneeded call to cmdline_messaging_context(); (bso#13925). + Fix incomplete conversion of former parametric options; (bso#14069). + Fix sync dosmode fallback in async dosmode codepath; (bso#14070). + vfs_fruit returns capped resource fork length; (bso#14171). + libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116). + smbd: Increase a debug level; (bso#14211). + Prevent azure ad connect from reporting discovery errors reference-value-not-ldap-conformant; (bso#14153). + krb5_plugin: Fix developer build with newer heimdal system library; (bso#14179). + replace: Only link libnsl and libsocket if required; (bso#14168); + ctdb: Incoming queue can be orphaned causing communication; breakdown; (bso#14175). + ldb: Release ldb 2.0.8. Cross-compile will not take cross-answers or cross-execute; (bso#13846). + heimdal-build: Avoid hard-coded /usr/include/heimdal in asn1_compile-generated code; (bso#13856).- Fix Ceph snapshot root relative path handling; (bso#14216); (bsc#1141320).- Update to samba 4.11.3 + CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). + CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- CVE-2019-14861: DNSServer RPC server crash, an authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name; (bso#14138); (bsc#1158108). - CVE-2019-14870: DelegationNotAllowed not being enforced, the DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC; (bso#14187); (bsc#1158109).- Update to samba 4.11.2 + CVE-2019-10218: Client code can return filenames containing path separators; (bsc#1144902); (bso#14071). + CVE-2019-14833: Samba AD DC check password script does not receive the full password; (bso#12438). + CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040). - Fixes from 4.11.1 + Overlinking libreplace against librt and pthread against every binary or library causes issues; (bso#14140); + kpasswd fails when built with MIT Kerberos; (bso#14155); + Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106); + Stale file handle error when using mkstemp on a share; (bso#14137); + non-AES schannel broken; (bso#14134); + Joining Active Directory should not use SAMR to set the password; (bso#13884); + smbclient can blunder into the SMB1 specific cli_RNetShareEnum() call on an SMB2 connection; (bso#14152); + Deleted records can be resurrected during recovery; (bso#14147); + getpwnam and getpwuid need to return data for ID_TYPE_BOTH group; (bso#14141); + winbind does not list forest trusts with additional trust attributes; (bso#14130); + fault report points to outdated documentation; (bso#14139); + pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests; (bso#14124); + classicupgrade results in uncaught exception - a bytes-like object is required, not 'str'; (bso#14136); + pod2man is not longer required, stop checking at build time; (bso#14131); + Exit code of ctdb nodestatus should not be influenced by deleted nodes; (bso#14129); + username/password authentication doesn't work with CUPS and smbspool; (bso#14128); + smbc_readdirplus() is incompatible with smbc_telldir() and smbc_lseekdir(); (bso#14094);- CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server via dirsync; (bso#14040); (bsc#1154598); - CVE-2019-10218: Client code can return filenames containing path separators; (bso#14071); (bsc#1144902);- CVE-2019-14833: samba: Accent with "check script password" Samba AD DC check password script does not receive the full password; (bso#12438); (bsc#1154289).- Update to samba 4.11.0 + For details on all items see WHATSNEW.txt in samba-doc package + Python2 runtime support removed; python 3.4 or later required + Security improvements: - SMB1 disabled by default - lanman and plaintext authentication deprecated - winbind: PAM_AUTH and NTLM_AUTH events logged - GnuTLS 3.2 required; system FIPS mode setting honored + CephFS Snapshot integration, exposed as previous file versions + ctdb changes: - onnode -o option removed - ctdbd logs when using more than 90% of a CPU thread - CTDB_MONITOR_SWAP_USAGE variable removed + AD Domain controller improvements: - Upgrade AD databse format - BIND9_FLATFILE deprecated - default process model chagned to prefork - bind9 dns operation duration logging - Default schema updated to 2012_R2; function level is unchanged - many performance improvements + Configuration webserver support removed- Fix broken username/password authentication with CUPS and smbspool; (bsc#1152143); (bso#14128).- Fix auth problems when printing via smbspool backend with kerberos; (bnc#1148539); (bso#13832).- Update to samba 4.10.8 + CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267);- Fix build on newer systems by modifying samba.spec to use consistent non-relative paths for pammodules in configure line and specification of pam_winbind.so library to package.- Update to samba 4.10.7 + Unable to create or rename file/directory inside shares configured with vfs_glusterfs_fuse module; (bso#14010). + build: Allow build when '--disable-gnutls' is set; (bso#13844) + samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973). + Fix 'Error 32 determining PSOs in system' message on old DB with FL upgrade; (bso#14008). + s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021) + join: Use a specific attribute order for the DsAddEntry nTDSDSA object; (bso#14046). + vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015). + lookup_name: Allow own domain lookup when flags == 0; (bso#14091). + s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932). + DEBUGC and DEBUGADDC doesn't print into a class specific log file; (bso#13915). + Request to keep deprecated option "server schannel", VMWare Quickprep requires "auto"; (bso#13949). + dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967). + dnsProperty fails to decode values from older Windows versions; (bso#13969). + samba-tool: Use only one LDAP modify for dns partition fsmo role transfer; (bso#13973). + third_party: Update waf to version 2.0.17; (bso#13960). + netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051). + ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).- CVE-2019-10197: user escape from share path definition; (bso#14035); (bsc#1141267).- Prepare for use future use of kernel keyrings, modify /etc/pam.d/samba to include pam_keyinit.so; (bsc#1144059).- Update samba-winbind script to work with systemd; (bsc#1132739); - Drop samba dhcpcd hook scripts - Update to samba 4.10.6 + s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956). + smbd does not correctly parse arguments passed to dfree and quota scripts; (bso#13964). + samba-tool dns: use bytes for inet_ntop; (bso#13965). + samba-tool domain provision: Fix --interactive module in python3; (bso#13828). + ldb_kv: Skip @ records early in a search full scan; (bso#13893). + docs: Improve documentation of "lanman auth" and "ntlm auth" connection; (bso#13981). + python/ntacls: Use correct "state directory" smb.conf option instead of "state dir"; (bso#14002). + registry: Add a missing include; (bso#13840). + Fix SMB guest authentication; (bso#13944). + AppleDouble conversion breaks Resourceforks; (bso#13958). + vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968). + s3:mdssvc: Fix flex compilation error; (bso#13987). + s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly; (bso#13872). + dsdb:samdb: schemainfo update with relax control; (bso#13799). + s3:util: Move static file_pload() function to lib/util; (bso#13964). + smbd: Fix a panic; (bso#13957). + ldap server: Generate correct referral schemes; (bso#12478). + s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value; (bso#13941). + s4 dsdb: Fix use after free in samldb_rename_search_base_callback; (bso#13942). + dsdb/repl: we need to replicate the whole schema before we can apply it; (bso#12204). + ldb: Release ldb 1.5.5; (bso#12478). + Schema replication fails if link crosses chunk boundary backwards; (bso#13713). + 'samba-tool domain schemaupgrade' uses relax control and skips the schemaInfo update provision; (bso#13799). + dsdb_audit: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."; (bso#13916). + python/ntacls: We only need security.SEC_STD_READ_CONTROL in order to get the ACL; (bso#13917). + s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary; (bso#13947). + Using Kerberos credentials to print using spoolss doesn't work; (bso#13939). + wafsamba: Use native waf timer; (bso#13998). + ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).- Update to samba-4.10.5 (including updates for 4.10.4, 4.10.3) + CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found in DnssrvOperation2; (bso#13922); (bsc#1137815). + CVE-2019-12436 dsdb/paged_results: Ignore successful results without messages; (bso#13951); (bsc#1137816). - Update to samba-4.10.4 + s3: SMB1: Don't allow recvfile on stream fsp's; (bso#13938). + py/provision: Fix for Python 2.6; (bso#13882). + netcmd: Fix 'passwordsettings --max-pwd-age' command; (bso#13873). + s3-libnet_join: 'net ads join' to child domain fails when using "-U admin@forestroot"; (bso#13861). + vfs_ceph: Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245). + vfs_ceph: Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). + ctdb-common: Avoid race between fd and signal events; (bso#13895). + ctdb-common: Fix memory leak in run_proc; (bso#13943). + lib: Initialize getline() arguments; (bso#13892). + winbind: Fix overlapping id ranges; (bco#13903). + lib util debug: Increase format buffer to 4KiB; (bso#13902). + nsswitch pam_winbind: Fix Asan use after free; (bso#13927). + s4 lib socket: Ensure address string owned by parent struct; (bso#13929). + s3 rpc_client: Fix Asan stack use after scope; (bso#13936). + s3:smbd: Handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO; (bso#10097). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#10344). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#12845). + smb2_tcon: Avoid STATUS_PENDING completely on tdis; (bso#13698). + smb2_sesssetup: avoid STATUS_PENDING responses for session setup; (bso#13796). + dbcheck: Fix the err_empty_attribute() check; (bso#13843). + vfs_snapper: Drop unneeded fstat handler; (bso#13858). + vfs_default: Fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check; (bso#13862). + smb2_server: Grant all 8192 credits to clients; (bso#13863). + smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling; (bso#13919). + s3/vfs_glusterfs: Dynamically determine NAME_MAX; (bso#13872). + s3: modules: ceph: Use current working directory instead of share path; (bso#13918); (bsc#1134452). + winbind: Use domain name from lsa query for sid_to_name cache entry; (bso#13831). + memcache: Increase size of default memcache to 512k; (bso#13865). + docs: Update smbclient manpage for "--max-protocol"; (bso#13857). + s3:utils: If share is NULL in smbcacls, don't print it; (bso#13937). + s3:smbspool: Fix regression printing with Kerberos credentials; (bso#13939). + ctdb-scripts: CTDB restarts failed NFS RPC services by hand, which is incompatible with systemd; (bso#13860). + ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"; (bso#13888). + ctdb-daemon: Never use 0 as a client ID; (bso#13930). + ctdb-common: Fix memory leak; (bso#13943). + s3:debug: Enable logging for early startup failures; (bso#13904) - Update to samba-4.10.3 + CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum; (bso#13685); (bsc#1134024).- CVE-2019-12435: zone operations can crash rpc server; (bso#13922); (bsc#1137815).- Fix cephwrap_flistxattr() debug message; (bso#13940); (bsc#1134697). - Add ceph_snapshots VFS module; (jsc#SES-183).- Fix vfs_ceph realpath; (bso#13918); (bsc#1134452).- Update to samba-4.10.2: + CVE-2019-3870 (World writable files in Samba AD DC private/ dir); (bso#13834). + CVE-2019-3880 (Save registry file outside share as unprivileged user); (bso#13851). + py/kcc_utils: py2.6 compatibility; (bso#13837). + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869). + regfio: Improve handling of malformed registry hive files; (bso#13840). + ctdb-version: Simplify version string usage; (bso#13789). + lib: Make fd_load work for non-regular files; (bso#13859). + dbcheck: in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816). + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818). + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854). + acl_read: Fix regression for empty lists; (bso#13836). + s4:dlz make b9_has_soa check dc=@ node; (bso#13841). + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832). + s4:librpc: Fix installation of Samba; (bso#13847). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793). + s3:lib: Fix the debug message for adding cache entries; (bso#13848). + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853). * ctdb-build: Drop creation of .distversion in tarball; (bso#13789). * ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838). - Update to samba-4.10.1: + py/kcc_utils: py2.6 compatibility; (bso#13837); + libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response; (bso#13869); + regfio: Improve handling of malformed registry hive files; (bso#13840); + ctdb-version: Simplify version string usage; (bso#13789); + lib: Make fd_load work for non-regular files; (bso#13859); + dbcheck in the middle of the tombstone garbage collection causes replication failures, dbcheck: add --selftest-check-expired-tombstones cmdline option; (bso#13816); + ndr_spoolss_buf: Fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT(); (bso#13818); + s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so; (bso#13854); + acl_read: Fix regression for empty lists; (bso#13836); + s4:dlz make b9_has_soa check dc=@ node; (bso#13841); + s3:client: Fix printing via smbspool backend with kerberos auth; (bso#13832); + s4:librpc: Fix installation of Samba; (bso#13847); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:utils: Add 'smbstatus -L --resolve-uids' to show username; (bso#13793); + s3:lib: Fix the debug message for adding cache entries; (bso#13848); + s3:waf: Fix the detection of makdev() macro on Linux; (bso#13853); + ctdb-build: Drop creation of .distversion in tarball; (bso#13789); + ctdb-packaging: Test package requires tcpdump, ctdb package should not own system library directory; (bso#13838); - Update to samba-4.10.0: + s4-server: Open and close a transaction on sam.ldb at startup; (bso#13760); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s4/scripting/bin: Open unicode files with utf8 encoding and write + unicode string. + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + Fix idmap cache pollution with S-1-22- IDs on winbind hickup; (bso#13813); + passdb: Update ABI to 0.27.2. + lib/winbind_util: Add winbind_xid_to_sid for --without-winbind; (bso#13813); + lib:util: Move debug message for mkdir failing to log level 1; (bso#13823);- MacOS credit accounting breaks with async SESSION SETUP; (bsc#1125601); (bso#13796). - Mac OS X SMB2 implmenetation sees Input/output error or Resource temporarily unavailable and drops connection; (bso#13698)- Explicitly enable libcephfs POSIX ACL support; (bso#13896); (bsc#1130245).- CVE-2019-3880: Save registry file outside share as unprivileged user; (bso#13851); (bsc#1131060 ).- CVE-2019-3870 pysmbd: missing restoration of original umask after umask(0); (bso#13834); (bsc#1130703);- Update to samba-4.9.5 + audit_logging: Remove debug log header and JSON Authentication: prefix; (bso#13714); + Fix upgrade from 4.7 (or earlier) to 4.9; (bso#13760); + s3: lib: nmbname: Ensure we limit the NetBIOS name correctly; (bso# CID: 1433607; (bso#11495); + smbd: uid: Don't crash if 'force group' is added to an existing share connection; (bso#13690); + s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code; (bso#13770); + s3: SMB1 POSIX mkdir does case insensitive name lookup; (bso#13803); + s3:utils/smbget fix recursive download with empty source directories; (bso#13199); + samba-tool drs showrepl: Do not crash if no dnsHostName found; (bso#13716); + s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection; (bso#13736); + join: Throw CommandError instead of Exception for simple errors; (bso#13747); + ldb: Avoid inefficient one-level searches; (bso#13762); + s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list(); (bso#13736); + tldap: Avoid use after free errors; (bso#13776); + Fix idmap xid2sid cache churn; (bso#13802); + access_check_max_allowed() doesn't process "Owner Rights" ACEs; (bso#13812); + s3-smbd: Avoid assuming fsp is always intact after close_file call; (bso#13720); + s3-vfs-fruit: Add close call; (bso#13725); + s3-smbd: Use fruit:model string for mDNS registration; (bso#13746); + s3-vfs: add glusterfs_fuse vfs module; (bso#13774); + printing: Check lp_load_printers() prior to pcap cache update; (bso#13766); + vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS) ftruncate and fallocate; (bso#13807); + lib/audit_logging: Actually create talloc; (bso#13737); + netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg; (bso#13728); + dns: Changing onelevel search for wildcard to subtree; (bso#13738); + samba-tool: Don't print backtrace on simple DNS errors; (bso#13721); + sambaundoguididx: Use the right escaped oder unescaped sam ldb files; (bso#13759); + ctdb: Print locks latency in machinereadable stats; (bso#13742); + messages_dgm: Messaging gets stuck when pids are recycled; (bso#13786); + audit_logging: auth_json_audit required auth_json; (bso#13715); + man pages: Document prefork process model; (bso#13765); + CVE-2019-3824 ldb: Release ldb 1.4.6; (bso#13773); + s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration; (bso#13697); + s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC without trusts; (bso#13722); + s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available; (bso#13723); + s4:server: Add support for 'smbcontrol samba shutdown' and 'smbcontrol debug/debuglevel'; (bso#13752); + Python: Ensure ldb.Dn can doesn't rencoded str with py2; (bso#13616); + vfs_glusterfs: Adapt to changes in libgfapi signatures; (bso#13330); + s3-vfs: Use ENOATTR in errno comparison for getxattr; (bso#13774); + notifyd: Fix SIGBUS on sparc; (bso#13704); + waf: Check for libnscd; (bso#13787); + s3:vfs: Correctly check if OFD locks should be enabled or not; (bso#13770); + lib/util: Count a trailing line that doesn't end in a newline; (bso#13717); + Recovery lock bug fixes; (bso#13800); + s3: net: Do not set NET_FLAGS_ANONYMOUS with -k; (bso#13726); + s3:libsmb: Honor disable_netbios option in smbsock_connect_send; (bso#13727); + vfs_fileid: Fix get_connectpath_ino; (bso#13741); + vfs_fileid: Fix fsname_norootdir algorithm; (bso#13744);- Fix vfs_ceph ftruncate and fallocate handling; (bso#13807); (bsc#1127153).- Fix update-apparmor-samba-profile script after apparmor switched to using named profiles. The change is backwards compatible; (bsc#1126377);- LoadParm().load_default() fails with "Unable to load default file"; (bsc#1089758);- Abide by load_printers smb.conf parameter; (bso#13766); (bsc#1124223);- Update to samba-4.9.4 + libcli/smb: Don't overwrite status code; (bso#9175). + wbinfo --group-info 'NT AUTHORITY\System' does not work; (bso#12164). + Session setup reauth fails to sign response; (bso#13661). + vfs_fruit: Validation of writes on AFP_AfpInfo stream; (bso#13677). + vfs_shadow_copy2: Nicely deal with attempts to open previous version for writing; (bso#13688). + Restoring previous version of stream with vfs_shadow_copy2 fails with NT_STATUS_OBJECT_NAME_INVALID fsp->base_fsp->fsp_name; (bso#13455). + CVE-2018-16853: Fix S4U2Self crash with MIT KDC build; (bso#13571). + s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs; (bso#13708) + PEP8: fix E231: missing whitespace after ','. + winbindd: Fix crash when taking profiles;(bso#13629) + CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression; (bso#13600) + 'samba-tool user syscpasswords' fails on a domain with many DCs; (bso#13686). + CVE-2018-16853: Do not segfault if client is not set; (bso#13571). + lib:util: Fix DEBUGCLASS pointer initializiation; (bso#13679) + ctdb-daemon: Exit with error if a database directory does not exist; (bso#13696). + s3:libads: Add net ads leave keep-account option; (bso#13498).- Drop more %if..%endif guards which are idempotent. - Drop requires on ldconfig which are already auto-discovered. - Do not ignore errors from useradd/groupadd.- Remove python2 build dependency from samba-libs; (bsc#1116900);- Update update-apparmor-samba-profile script to ignore the shares's paths containing substitution variables in any place, not only at the beginning of the path.- Update to samba-4.9.3 + CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server; (bso#13600); (bsc#1116319); + CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT; (bso#13628); (bsc#1116320); + CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server; (bso#13674); (bsc#1116322); + CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers; (bso#13669); (bsc#1116321); + CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported); (bso#13678); (bsc#1116324); + CVE-2018-16857: Bad password count in AD DC not always effective; window; (bso#13683); (bsc#1116323);- Update to samba-4.9.2 + dsdb: Add comments explaining the limitations of our current backlink behaviour; (bso#13418); + Fix problems running domain backups (handling SMBv2, sites); (bso#13621); + testparm: Fix crashes with PANIC: Messaging not initialized on SLES 12 SP3; (bso#13465); + Make vfs_fruit able to cleanup AppleDouble files; (bso#13642); + File saving issues with vfs_fruit on samba >= 4.8.5; (bso#13646); + Enabling vfs_fruit looses FinderInfo; (bso#13649); + Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR; (bso#13667); + Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming; (bso#13641); + examples: Fix the smb2mount build; (bso#13465); + libtevent: Fix build due to missing open_memstream on Illiumos; (bso#13629); + winbindd_cache: Fix timeout calculation for sid<->name cache; (bso#13662); + dsdb encrypted_secrets: Allow "ldb:// and "mdb://" in file path; (bso#13653); + Extended DN SID component missing for member after switching group membership; (bso#13418); + Return STATUS_SESSION_EXPIRED error encrypted, if the request was encrypted; (bso#13624); + python: Allow forced signing via smb.SMB(); (bso#13621); + lib:socket: If returning early, set ifaces; (bso#13665); + ldb: Bump ldb version to 1.4.3, Python: Ensure ldb.Dn can accept utf8 encoded unicode; (bso#13616); + smbd: Fix DELETE_ON_CLOSE behaviour on files with READ_ONLY attribute; (bso#13673); + waf: Add -fstack-clash-protection; (bso#13601); + winbind: Fix segfault if an invalid passdb backend is configured; (bso#13668); + Fix bugs in CTDB event handling; (bso#13659); + Misbehaving nodes are sometimes not banned; (bso#13670);- lib:socket: If returning early, set ifaces; (bso#13665); (bsc#1111373);- winbind requires latest version of libtevent-util0 to start- Backport latest gpo code from master + Read policy from local gpt cache + Offline policy application + Make group policy extensible via register/unregister gpext + gpext's run via a process_group_policy method- Enable profiling data collection- Change samba-kdc package name to samba-ad-dc - Move samba-ad-dc.service to the samba-ad-dc package- Update to samba-4.9.1 + s3: nmbd: Stop nmbd network announce storm; (bso#13620); + s3-rpcclient: Use spoolss_init_spoolss_UserLevel1 in winspool cmds; (bso#13597); + CTDB recovery lock has some race conditions; (bso#13617); + s3-rpc_client: Advertise Windows 7 client info; (bso#13597); + ctdb-doc: Remove PIDFILE option from ctdbd_wrapper man page; (bso#13610);- Tumbleweed doesn't define the sle_version macro, so we must include a check for suse_version also. Otherwise python3 is disabled on Tumbleweed.- Update to samba-4.9.0 + samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed; (bso#13605); + wafsamba: Fix 'make -j'; (bso#13606);- Update to samba-4.9.0rc5 + s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames; (bso#13565); + s3: util: Do not take over stderr when there is no log file; (bso#13578); + Durable Reconnect fails because cookie.allow_reconnect is not set; (bso#13549); + krb5-samba: Interdomain trust uses different salt principal; (bso#13539); + vfs_fruit: Don't unlink the main file; (bso#13441); + smbd: Fix a memleak in async search ask sharemode; (bso#13602); + Fix Samba GPO issue when Trust is enabled; (bso#11517); + samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'; (bso#13539); + Fix CTDB configuration issues; (bso#13589); + ctdbd logs an error until it can successfully connect to eventd; (bso#13592);- Update to samba-4.9.0rc4 + s3: smbd: Ensure get_real_filename() copes with empty pathnames; (bso#13585); + samba domain backup online/rename commands force user to specify password on CLI; (bso#13566); + wafsamba/samba_abi: Always hide ABI symbols which must be local; (bso#13579); + Fix a panic if fruit_access_check detects a locking conflict; (bso#13584); + Fix memory and resource leaks; (bso#13567); + python: Fix print in dns_invalid.py; (bso#13580); + Aliasing issue causes incorrect IPv6 checksum; (bso#13588); + Fix CTDB configuration issues; (bso#13589); + s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv(); (bso#13568);- Add missing zlib-devel dependency which was previously pulled in by libopenssl-devel- Update to samba-4.9.0rc3+git.22.3fff23ae36e + CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers; (bso#13453); + CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140; (bso#13374); + CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user; (bso#13552); + CVE-2018-10919: acl_read: Fix unauthorized attribute access via searches; (bso#13434); + ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler; (bso#13540); + CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth"; (bso#13360); + s3-tldap: do not install test_tldap; (bso#13529); + ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals; (bso#13540); + CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr(); (bso#13374); + ctdb-eventd: Fix CID 1438155; (bso#13554); + Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value); (bso#13553); + ctdb: Fix a cut&paste error; (bso#13554); + systemd: Only start smb when network interfaces are up; (bso#13559); + Fix quotas don't work with SMB2; (bso#13553); + s3/smbd: Ensure quota code is only called when quota support detected; (bso#13563); + s3/libsmb: Explicitly set delete_on_close token for rmdir; (bso#13204); + s3:waf: Install eventlogadm to /usr/sbin; (bso#13561); + Shorten description in vfs_linux_xfs_sgid manual; (bso#13562);- Update to samba-4.9.0rc2+git.21.a1069afb007 + s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin; (bso#13537); + s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check(); (bso#13535); + samba-tool trust: Support discovery via netr_GetDcName; (bso#13538); + s4-dsdb: Only build dsdb Python modules for AD DC; (bso#13542); + Fix portability issues on freebsd; (bso#13520); + DNS wildcard search does not handle multiple labels correctly; (bso#13536); + samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA; (bso#13308); + Fix portability issues on freebsd; (bso#13520); + ctdb-protocol: Fix CTDB compilation issues; (bso#13545); + ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option; (bso#13546); + ctdb-doc: Provide an example script for migrating old configuration; (bso#13550); + ctdb-event: Implement event tool "script list" command; (bso#13551);- Update to samba-4.8.4+git.37.a7a861d7982; + CVE-2018-1139: Weak authentication protocol allowed; (bsc#1095048); (bsc#13360); + CVE-2018-1140: Denial of Service Attack on DNS and LDAP server; (bsc#1095056); (bso#13466); (bso#13374); + CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient; (bsc#1103411); (bso#13453); + CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server; (bsc#1103414); (bso#13552); + CVE-2018-10919: Confidential attribute disclosure from the AD LDAP server; (bsc#1095057); (bso#13434); + s3:winbind: winbind normalize names' doesn't work for users; (bso#12851); + winbind: Fix UPN handling in canonicalize_username(); (bso#13369); + s3: smbd: Fix SMB2-FLUSH against directories; (bso#13428); + samdb: Fix building Samba with gcc 8.1; (bso#13437); + s3:utils: Do not segfault on error in DoDNSUpdate(); (bso#13440); + smbd: Flush dfree memcache on service reload; (bso#13446); + ldb: Save a copy of the index result before calling the + lib/util: No Backtrace given by Samba's AD DC by default; (bso#13454). + s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x; (bso#13457). + python: Fix talloc frame use in make_simple_acl(); (bso#13474). + krb5_wrap: Fix keep_old_entries logic for older Kerberos libraries;(bso#13478). + krb5_plugin: Add winbind localauth plugin for MIT Kerberos; (bso#13480).- Add missing package descriptions; (bsc#1093864); - Fix dependency issue between samba-python and samba-kdc; (bsc#1062876); - Call update-apparmor-samba-profile when running samba-ad-dc; (bsc#1092099);- Update to 4.8.2 + After update to 4.8.0 DC failed with "Failed to find our own NTDS Settings objectGUID" (bso#13335). + fix incorrect reporting of stream dos attributes on a directory (bso#13380). + vfs_ceph: add asynchronous fsync; fake synchronous call (bso#13412). + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425) + vfs_ceph: Fix memory leak; (bso#13424). + libsmbclient: Fix hard-coded connection error return of ETIMEDOUT; (bso#13419). + s4-lsa: Fix use-after-free in LSA server; (bso#13420). + winbindd: Do re-connect if the RPC call fails in the passdb case; (bso#13430). + cleanupd: Sends MSG_SMB_UNLOCK twice to interested peers; (bso#13416). + cleanupd: Use MSG_SMB_BRL_VALIDATE to signal cleanupd unclean process shutdown; (bso#13414). + ctdb-client: Remove ununsed functions from old client code; (bso#13411). + printing: Return the same error code as windows does on upload failures; (bso#13395). + nsswitch: Fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable; (bso#13400). + s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls; (bso#13420). + rpc_server: Fix NetSessEnum with stale sessions; (bso#13407). + s3:smbspool: Fix cmdline argument handling; (bso#13417).- Move libdfs-server-ad-samba4.so library from kdc to libs package, as it is required by some client libs; (bsc#1074135); - Update to 4.8.1; (bsc#1091179); + s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here; (bso#13244); + s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir(); (bso#13270); + Round-tripping ACL get/set through vfs_fruit will increase the number of ACE entries without limit; (bso#13319); + s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues; (bso#13347); + s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access; (bso#13358); + s3: smbd: Fix memory leak in vfswrap_getwd(); (bso#13372); + s3: smbd: Unix extensions attempts to change wrong field in fchown call; (bso#13375); + ms_schema/samba-tool visualize: Fix python2.6 incompatibility; (bso#13337); + Fix invocation of gnutls_aead_cipher_encrypt(); (bso#13352); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + winbindd: Recover loss of netlogon secure channel in case the peer DC is rebooted; (bso#13332); + s3:smbd: Don't use the directory cache for SMB2/3; (bso#13363); + ctdb-client: Fix bugs in client code; (bso#13356); + ctdb-scripts: Drop "net serverid wipe" from 50.samba event script; (bso#13359); + s3: lib: messages: Don't use the result of sec_init() before calling sec_init(); (bso#13368); + libads: Fix the build '--without-ads'; (bso#13273); + winbind: Keep "force_reauth" in invalidate_cm_connection, add 'smbcontrol disconnect-dc'; (bso#13332); + vfs_virusfilter: Fix CIDs 1428738-1428740; (bso#13343); + dsdb: Fix CID 1034966 Uninitialized scalar variable; (bso#13367); + rpc_server: Fix core dump in dfsgetinfo; (bso#13370); + smbclient: Fix notify; (bso#13382); + Fix smbd panic if the client-supplied channel sequence number wraps; (bso#13215); + Windows 10 cannot logon on Samba NT4 domain; (bso#13328); + lib/util: Remove unused '#include ' from tests/tfork.c; (bso#13342); + Fix build errors with cc from developerstudio 12.5 on Solaris; (bso#13343); + Fix the picky-developer build on FreeBSD 11; (bso#13344); + s3:modules: Fix the build of vfs_aixacl2.c; (bso#13345); + s3:smbd: map nterror on smb2_flush errorpath; (bso#13338); + lib:replace: Fix linking when libtirpc-devel overwrites system headers; (bso#13341); + winbindd: 'wbinfo --name-to-sid' returns misleading result on invalid query; (bso#13312); + s3:passdb: Do not return OK if we don't have pinfo set up; (bso#13376); + Allow AESNI to be used on all processor supporting AESNI; (bso#13302);- Use new foreground execution flags for systemd samba daemons; (bsc#1088574); (bsc#1071090); (bsc#1065551); + Add %post scriptlet to clear old sysconfig flags - Update vendor-files to commit 880b3e7. + Set samba sysconfig template variables to "" + Add required daemon flags directly to systemd unit- Specfile cleanup + Remove %if..%endif guards which don't affect the build + Remove redundant %clean section + Replace old $RPM_* shell vars with macros- BuildRequire pkgconfig(systemd) and pkgconfig(libsystemd) in place of systemd and systemd-devel: Allow OBS to optimize the workload by allowing the usage of the 'build-optimized' systemd packages.- Enable building samba with python3, and create a samba-python3 package.- Update to 4.8 + New GUID Index mode in sam.ldb for the AD DC + GPO support for samba KDC + Time machine support with vfs_fruit + Encrypted secrets + AD Replication visualization + Improved trust support - ability to not scan global trust list - AD external trusts have limited support - verbose trusted domain listing + VirusFilter VFS module + NT4-style replication removed + vfs_aio_linux removed- Disable samba-pidl package, due to the removal of dependency perl-Parse-Yapp; (bsc#1085150);- Update to 4.7.6; + CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally; (bso#11343); (bsc#1081741); + CVE-2018-1057: Authenticated users can change other users' password; (bso#13272); (bsc#1081024).- Disable python until full python3 port is done; (bsc#1082139); + Remove contents of package samba-python + Remove contents of package libsamba-policy0 + Remove contents of package libsamba-policy-devel + Remove library libsamba-python-samba4.so from samba-libs package + Remove library libsamba-net-samba4.so from samba-libs package + Remove smbtorture binary and manpage from samba-test- samba fails to build with glibc2.27; (bsc#1081042);- Update to 4.7.5; (bsc#1080545); + smbd tries to release not leased oplock during oplock II downgrade; (bso#13193); + Fix copying file with empty FinderInfo from Windows client to Samba share with fruit; (bso#13181); + build: Deal with recent glibc sunrpc header removal; (bso#10976); + Make Samba work with tirpc and libnsl2; (bso#13238); + vfs_ceph: Add fs_capabilities hook to avoid local statvfs; (bso#13208); (bsc#1075206); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + ctdb-recovery-helper: Deregister message handler in error paths; (bso#13188); + samba: Only use async signal-safe functions in signal handler; (bso#13240); + Kerberos: PKINIT: Can't decode algorithm parameters in clientPublicValue; (bso#12986); + repl_meta_data: Fix linked attribute corruption on databases with unsorted links on expunge. dbcheck: Add functionality to fix the corrupt database; (bso#13228); + Fix smbd panic when chdir returns error during exit; (bso#13189); + Make Samba work with tirpc and libnsl2; (bso#13238); + Fix POSIX ACL support on HPUX and possibly other big-endian OSs; (bso#13176);- Update to 4.7.4; (bsc#1080545); + s3: smbclient: Implement 'volume' command over SMB2; (bso#13140); + s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(); (bso#13171); + s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient; (bso#13172); + Build man page for vfs_zfsacl.8 with Samba; (bso#12934); + repl_meta_data: Allow delete of an object with dangling backlinks; (bso#13095); + s4:samba: Fix default to be running samba as a deamon; (bso#13129); + Performance regression in DNS server with introduction of DNS wildcard, ldb: Release 1.2.3; (bso#13191); + vfs_zfsacl: Fix compilation error; (bso#6133); + "smb encrypt" setting changes are not fully applied until full smbd restart; (bso#13051); + winbindd: Fix idmap_rid dependency on trusted domain list; (bso#13052); + vfs_fruit: Proper VFS-stackable conversion of FinderInfo; (bso#13155); + winbindd: Dependency on trusted-domain list in winbindd in critical auth codepath; (bso#13173); + repl_meta_data: Fix removing of backlink on deleted objects; (bso#13120); + ctdb: sock_daemon leaks memory; (bso#13153); + TCP tickles not getting synchronised on CTDB restart; (bso#13154); + winbindd: winbind parent and child share a ctdb connection; (bso#13150); + pthreadpool: Fix deadlock; (bso#13170); + pthreadpool: Fix starvation after fork; (bso#13179); + messaging: Always register the unique id; (bso#13180); + s4/smbd: set the process group; (bso#13129); + Fix broken linked attribute handling; (bso#13095); + The KDC on an RWDC doesn't send error replies in some situations; (bso#13132); + libnet_join: Fix 'net rpc oldjoin'; (bso#13149); + g_lock conflict detection broken when processing stale entries; (bso#13195); + s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions; (bso#13197); + s3:libads: net ads keytab list fails with "Key table name malformed"; (bso#13166); (bsc#1067700); + Fix crash in pthreadpool thread after failure from pthread_create; (bso#13170); + s4:samba: Allow samba daemon to run in foreground; (bso#13129); (bsc#1065551); + third_party: Link the aesni-intel library with "-z noexecstack"; (bso#13174); + vfs_glusterfs: include glusterfs/api/glfs.h without relying on "-I" options; (bso#13125);- Re-enable usage of libnsl (did got lost with glibc change) - Use TI-RPC (sunrpc is deprecated and will be removed soon from glibc)- smbc_opendir should not return EEXIST with invalid login credentials; (bnc#1065868).- Update to 4.7.3; (bsc#1069666); + Non-smbd processes using kernel oplocks can hang smbd; (bso#13121); + python: use communicate to fix Popen deadlock; (bso#13127); + smbd on disk file corruption bug under heavy threaded load; (bso#13130); + tevent: version 0.9.34; (bso#13130); + s3: smbd: Fix delete-on-close after smb2_find; (bso#13118); + CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug; (bsc#1060427);(bso#13041); + CVE-2017-15275: s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown; (bsc#1063008); (bso#13077); - Build with AD DC support only in openSUSE.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- samba-tool requires samba-python; (bnc#1067771).- Run all daemons in the foreground and let systemd handle it; (bsc#1065551). - Update to 4.7.1; + Fix exporting subdirs with shadow_copy2; (bso#13091); + Currently if getwd() fails after a chdir(), we panic; (bso#13027); + Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename; (bso#13068); + sys_getwd() can leak memory or possibly return the wrong errno on older systems; (bso#13069); + smbclient doesn't correctly canonicalize all local names before use; (bso#13093); + Fix broken linked attribute handling; (bso#13095); + Missing LDAP query escapes in DNS rpc server; (bso#12994); + Link to -lbsd when building replace.c by hand; (bso#13087); + Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem; (bso#6133); + Map SYNCHRONIZE acl permission statically in zfs_acl vfs module; (bso#7909); + Samba fails to honor SEC_STD_WRITE_OWNER bit with the acl_xattr module; (bso#7933); + Missing assignment in sl_pack_float; (bso#12991); + Wrong Samba access checks when changing DOS attributes; (bso#12995); + samba_runcmd_send() leaves zombie processes on timeout; (bso#13062); + groupmap cleanup should not delete BUILTIN mappings; (bso#13065); + Enabling vfs_fruit results in loss of Finder tags and other xattrs; (bso#13076); + man pages: Properly ident lists; (bso#9613); + smb.conf.5: Sort parameters alphabetically; (bso#13081); + Fix GUID string format on GetPrinter info; (bso#12993); + Remote serverid check doesn't check for the unique id; (bso#13042); + CTDB starts consuming memory if there are dead nodes in the cluster; (bso#13056); + ctdb-common: Ignore event scripts with multiple '.'s; (bso#13070); + libgpo doesn't sort the GPOs in the correct order; (bso#13046); + Remote serverid check doesn't check for the unique id; (bso#13042); + vfs_catia: Fix a potential memleak; (bso#13090); + Fix file change notification for renames; (bso#12903); + Samba DNS server does not honour wildcards; (bso#12952); + Can't change password in samba from a Windows client if Samba runs on IPv6 only interface; (bso#13079); + vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR; (bso#13086); + Apple client can't cope with SMB2 async replies when creating symlinks; (bso#13047); + s4:rpc_server:backupkey: Move variable into scope; (bso#12959); + Fix ntstatus_gen.h generation on 32bit; (bso#13099); + Fix a double free in vfs_gluster_getwd(); (bso#13100); + Fix resouce leaks and pointer issues; (bso#13101); + vfs_solarisacl: Fix build for samba 4.7 and up; (bso#13049);- Add samba-kdc to baselibs.conf. - Do not wrap samba-kdc's package definition into if/endif: the package won't be generated simply based on the fact that there is no files section for the package. Allows the source validator to ensure samba-kdc is a built package.- Update to 4.7.0; + Whole DB read locks: Improved LDAP and replication consistency; (bso#12858). + Samba AD with MIT Kerberos + Dynamic RPC port range: Default range changed from "1024-1300" to "49152-65535". + Authentication and Authorization audit support: New auth_audit debug class. + Multi-process LDAP Server: The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process. + Improved Read-Only Domain Controller (RODC) Support; (bso#12977). + Additional password hashes stored in supplementalCredentials. + Improvements to DNS during Active Directory domain join. + Significant AD performance and replication improvements. + Query record for open file or directory. + Removal of lpcfg_register_defaults_hook(). + Change of loadable module interface. + SHA256 LDAPS Certificates: The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature. + CTDB no longer allows mixed minor versions in a cluster. + CTDB now ignores hints from Samba about TDB flags when attaching to databases. + New configuration variable CTDB_NFS_CHECKS_DIR. + The CTDB_SERVICE_AUTOSTARTSTOP configuration has been removed. + The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed. + The example NFS Ganesha call-out has been improved. + A new "replicated" database type is available.- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file; (bso#13020); (bsc#1058624).- CVE-2017-12150: Some code path don't enforce smb signing, when they should; (bso#12997); (bsc#1058622).- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects; (bso#12996); (bsc#1058565).- Clean specfile assuming SUSE-only system and product >=SLE11 + %{ul_version}, %{rhel_version}, %{mandriva_version}, %{centos_version} are always undefined + %{_vendor} is "suse" and %{suse_version} is at least 1100- Update to 4.6.7; (bsc#1054017) + Joining a Huawai storage fails: empty CLDAP ping answer; (bso#11392). + smbcacls can fail against a directory on Windows using SMB2.; (bso#12937). + vfs_ceph provides inconsistent directory listings; (bso#12911). + Misused talloc context can cause a user to crash their smbd by chaining SMB1 commands.; (bso#12836). + Use-after free can crash libsmbclient code.; (bso#12927). + Server exit with active AIO can crash.; (bso#12925). + Ensure notifyd doesn't return from smbd_notifyd_init; (bso#12910). + fd leak to ctdb sub-processes leads to SELinux AVC denial in audit logs; (bso#12898). + vfs_fruit shouldn't send MS NFS ACEs to Windows clients; (bso#12897). + smbspool_krb5_wrapper does not tell CUPS that it requires negotiate for authentication; (bso#12886). + finder sidebar showing question mark instead of icon when using ip to connect with vfs_fruit; (bso#12840). + Winbind stops obtaining the 'unixHomeDirectory' & 'loginShell' attributes from AD.; (bso#12720). + KCC run at selftest startup can fail spuriously due to a race; (bso#12869). + winbindd changes the local password and gets NT_STATUS_WRONG_PASSWORD for the remote change; (bso#12782). + rpc_pipe_client memory leaks due to long term memory context passed to rpc_pipe_open_interface(); (bso#12890). + CVE-2017-2619 breaks accessing previous versions of directories with snapshots in subdirectories of the share; (bso#12885). + dns_name_equal doing OOB read; (bso#12813). + replica_sync tests flap; (bso#12753). + Selftest should not call 'net cache flush' and wipe important winbind entries; (bso#12868). + Old Samba versions don't support using recent ldb versions (>=1.1.30); (bso#12859). + pam_winbind fails with kerberos method = secrets and keytab; (bso#10490). + race starting winbindd against posixacl test; (bso#12843). + Crash in the reentrant smbd_smb2_create_send() if the something fails in the subsequent try; (bso#12832). + spnego.c passes the wrong argument order to gensec_update_ev() for the FALLBACK case; (bso#12788). + Clients with SMB3 support can't connect with "server max protocol = SMB2_02"; (bso#12772). + A log message of samb-tool user syncpasswords reverses string arguments in a debug message "Call Popen[...".; (bso#12768). + The smb tarmode tests kills the share dir contents; (bso#12867). + Fix for a bug in MacOS X Sierra NTLMv2 processing; (bso#12862). + CVE-2017-2619 regression with non-wide symlinks to directories; (bso#12860). + manpage/index.html lists links not in alphabetical order; (bso#12854). + smbcacls got error NT_STATUS_NETWORK_NAME_DELETED; (bso#12831). + If a record is locked in a database, then recovery does not complete; (bso#12857). + debug_locks.sh script does not log any information; (bso#12856). + SIGSEGV in cm_connect_lsa_tcp dereferencing conn->lsa_tcp_pipe->transport after error; (bso#12852). + smbclient can't parse DOMAIN+username if a different winbind separator is used; (bso#12849). + Related requests with SessionSetup fail with INTERNAL_ERROR; (bso#12845). + Related requests with TreeConnect fail with NETWORK_NAME_DELETED; (bso#12844). + cli->server_os not filled correctly; (bso#12779). + REGRESSION: smbclient doesn't print the session setup anymore; (bso#12824). + smblcient doesn't handle STATUS_NOT_SUPPORTED gracefully for FSCTL_VALIDATE_NEGOTIATE_INFO; (bso#12808). + CTDB NFS call-out failures do not cause event failures; (bso#12837). + net command fails due to incorrectly return code; (bso#12828). + Fix building Samba with GCC 7.1; (bso#12827).- Fix duplicate CTDB_LOGGING params when downgraded and upgraded again; (bsc#1048339).- fix cephwrap_chdir(); (bsc#1048790). - Update to 4.6.6 + CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation; (bsc#1048278).- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb; (bsc#1048339).- Fix inconsistent ctdb socket path; (bsc#1048352). - Fix non-admin cephx authentication; (bsc#1048387).- Update to 4.6.5; (bsc#1040157) + Specifying CTDB_LOGGING=syslog:nonblocking causes ctdbd to crash at startup; (bso#12814). + vfs_expand_msdfs tries to open the remote address as a file path; (bso#12687). + PANIC (pid 1096): assert failed: lease_type_is_exclusive(e_lease_type); (bso#12798). + With clustering get update_num_read_oplocks failed and PANIC: num_share_modes == 1 assertion failure; (bso#11844). + contend_level2_oplocks_begin_default oplock optimisation doesn't carry over to leases; (bso#12766). + `ctdb nodestatus` incorrectly displays status for all nodes with wrong exit code; (bso#12802). + CTDB can spin hard on revoking readonly delegations if a node becomes disconnected; (bso#12697). + Printing a share mode entry with leases can crash in the ndr code; (bso#12793). + Fix flakey unit tests for eventd; (bso#12792). + CTDB daemon crashes if built with clang; (bso#12770). + smbcacls fails if no password is specified; (bso#12765). + idmap_rfc2307: Lookup of more than two SIDs fails; (bso#12757). + samba-tool user syncpasswords doesn't trigger the script when a user gets removed; (bso#12767). + systemd: fix detection of libsystemd; (bso#12764). + Notify subsystem only maps first inotify mask to Windows notify filter; (bso#12760). + Allow passing trusted domain password as plain-text to PASSDB layer; (bso#12751). + Can't case-rename files with vfs_fruit; (bso#12749). + wrong sid->uid mapping for SIDs residing in sIDHistory; (bso#12702). + vfs_acl_common should force "create mask = 0777", not 0666; (bso#12562). + Ordering of notify responses broken; (bso#12756).- s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1; (bso#11822); (bsc#1042419).- Revert explicit winbind %{version}-%{release} dependency. + The ABI has stabilized since (bsc#936909), so remove to fix cross-media dependencies; (bsc#1037899).- Fix CVE-2017-7494 remote code execution from a writable share; (bso#12780); (bsc#1038231).- Update to 4.6.3; (bsc#1036011) + s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend; (bso#12743). + Fix for Solaris C compiler; (bso#12559). + s3: locking: Update oplock optimization for the leases era; (bso#12628). + Make the Solaris C compiler happy; (bso#12693). + s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes; (bso#12695). + Fix buffer overflow caused by wrong use of getgroups; (bso#12747). + lib: debug: Avoid negative array access; (bso#12746). + cleanupdb: Fix a memory read error; (bso#12748). + streams_xattr and kernel oplocks results in NT_STATUS_NETWORK_BUSY; (bso#7537). + winbindd: idmap_autorid allocates ids for unknown SIDs from other backends; (bso#11961). + vfs_fruit: Resource fork open request with flags=O_CREAT|O_RDONLY; (bso#12565). + manpages/vfs_fruit: Document global options; (bso#12615). + lib/pthreadpool: Fix a memory leak; (bso#12624). + Lookup-domain for well-known SIDs on a DC; (bso#12727). + winbindd: Fix error handling in rpc_lookup_sids(); (bso#12728). + winbindd: Trigger possible passdb_dsdb initialisation; (bso#12729). + credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case; (bso#12611). + lib/crypto: Implement samba.crypto Python module for RC4; (bso#12690). + ctdb-readonly: Avoid a tight loop waiting for revoke to complete; (bso#12697). + ctdb_event monitor command crashes if event is not specified; (bso#12723). + ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'; (bso#12733). + smbd: Fix smb1 findfirst with DFS; (bso#12558). + smbd: Do an early exit on negprot failure; (bso#12610). + winbindd: Fix substitution for 'template homedir'; (bso#12699). + s4:kdc: Disable principal based autodetected referral detection; (bso#12554). + idmap_autorid: Allocate new domain range if the callers knows the sid is valid; (bso#12613). + LINKFLAGS_PYEMBED should not contain -L/some/path; (bso#12724). + PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for trusted domain; (bso#12725). + rpcclient: Allow -U'OTHERDOMAIN\user' again; (bso#12731). + winbindd: Fix password policy for pam authentication; (bso#12725). + s3:gse: Correctly handle external trusts with MIT; (bso#12554). + auth/credentials: Always set the realm if we set the principal from the ccache; (bso#12611). + replace: Include sysmacros.h; (bso#12686). + s3:vfs_expand_msdfs: Do not open the remote address as a file; (bso#12687). + s3:libsmb: Only print error message if kerberos use is forced; (bso#12704). + winbindd: Child process crashes when kerberos-authenticating a user with wrong password; (bso#12708). + vfs_fruit: Office document opens as read-only on macOS due to CNID semantics; (bso#12715). + vfs_acl_xattr: Fix failure to get ACL on Linux if memory is fragmented; (bso#12737).- Generate and update vendor-files tarball from Git + SuSEfirewall2 service samba-client only setup IPv4 rule; (bsc#1034416).- Generate source tarball directly from Git using OBS tar_scm + use version string derived from parent Git tag and commit hash - remove obsolete vendor-files/tools/package-data version ID + explicitly generate ctdb manpages, needed without "make dist"- Update to 4.6.2 + remove bso#12721 patches now upstream- Enable samba-ceph build for openSUSE and SLE12SP3+; (fate#321622). + x86-64 and aarch64- Enable librados CTDB lock helper for samba-ceph package; (fate#321622).- Build and install the html man pages (bsc#1021907).- Fix CVE-2017-2619 regression with "follow symlinks = no"; (bso#12721).- Update to 4.6.1 + symlink race permits opening files outside share directory; CVE-2017-2619; (bso#12496); (bsc#1027147) + testparm checks for valid idmap parameters + add new krb client encryption types + support for printer driver upload from windows 10 + inherit owner = 'unix only' for improved quota support + improved CTDB event support + new primary group support for idmap_ad + idmap_hash deprecated + mvxattr added to recursively rename extended attributes- Remove chkconfig requirements for systemd systems- Don't call insserv if systemd is used- Fix check if we need to require insserv- async_req: make async_connect_send() "reentrant"; (bso#12105); (bsc#1024416).- Force usage of ncurses6-config thru NCURSES_CONFIG env var; (bsc#1023847).- add missing patch for libnss_wins segfault; (bsc#995730).- Fix vfs_ceph builds against recent Ceph versions; (bsc#1021933).- Document "winbind: ignore domains" parameter; (bsc#1019416).- Add base Samba dependency to samba-ceph package.- Update to 4.5.3 + Heap-based Buffer Overflow Remote Code Execution Vulnerability; CVE-2016-2123; (bso#12409); (bsc#1014437). + Don't send delegated credentials to all servers; CVE-2016-2125; (bso#12445); (bsc#1014441). + denial of service due to a client triggered crash in the winbindd parent process; CVE-2016-2126; (bso#12446); (bsc#1014442). - 4.5.1 and 4.5.2 updates + various streams vfs fixes + various printing fixes + ntlm_auth: do not map explicitly empty domain + various stability fixes in smbd + match file compression ReFS behavior- Add missing ldb module directory; (bnc#1012092).- s3/client: obey 'disable netbios' smb.conf param, don't connect via NBT port; (bsc#1009085); (bso#12418).- Include vfstest in samba-test; (bsc#1001203).- s3/winbindd: using default domain with user@domain.com format fails; (bsc#997833).- Fix segfault in libnss_wins; (bso#12277); (bso#12269); (bsc#995730).- Update to 4.5.0 + NTLM1 Authentication disabled by default + SMB2.1 leases enabled by default + Support for OFD locks + ctdb tool rewritten + Added shadow copy snapshot prefix parameter- Fix illegal memory access after memory has been deleted; (bso#11836); (bsc#975299).- Prevent core, make sure response->extra_data.data is always cleared out; (bsc#993692).- Don't package man pages for VFS modules that aren't built; (boo#993707).- Fix population of ctdb sysconfig after source merge; (bsc#981566).- Enable vfs_ceph builds for Factory (x86-64) + Package as samba-ceph to avoid Ceph dependency in base package.- Update to 4.4.5 + Prevent client-side SMB2 signing downgrade; CVE-2016-2119; (bso#11860); (bsc#986869).- Remove obsolete syslog.target; (bsc#983938).- Honor smb.conf socket options in winbind; (bsc#975131).- Don't use htons() with IP_PROTO_RAW; (bso#11705); (bsc#969522).- Update to 4.4.4 + SMB3 multichannel: Add implementation of missing channel sequence number verification; (bso#11809). + smbd:close: Only remove kernel share modes if they had been taken at open; (bso#11919). + notifyd: Prevent NULL deref segfault in notifyd_peer_destructor; (bso#11930). + s3:rpcclient: Make '--pw-nt-hash' option work; (bso#10796). + Fix case sensitivity issues over SMB2 or above; (bso#11438). + s3:smbd: Fix anonymous authentication if signing is mandatory. (bso#11910) + Fix NTLM Authentication issue with squid; (bso#11914). + pdb: Fix segfault in pdb_ldap for missing gecos; (bso#11530). + Fix memory leak in share mode locking; (bso#11934).- Update to 4.4.3 + Various post-badlock regressions; (bso#11841); (bso#11850); (bso#11858); (bso#11870); (bso#11872). + Only allow idmap_hash for default idmap config (bso#11786). + smbd: Avoid large reads beyond EOF; (bso#11878). + vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" is set; (bso#11806). + libads: Record session expiry for spnego sasl binds; (bso#11852).- Fix NTLMSSP regressions caused by previous CVE fixes; (bso#11849); (bsc#975962); (bsc#979268), (bsc#977669).- Revert shared library packaging to comply with SLPP- Update to 4.4.2 + A man-in-the-middle can downgrade NTLMSSP authentication; CVE-2016-2110; (bso#11688); (bsc#973031). + Domain controller netlogon member computer can be spoofed; CVE-2016-2111; (bso#11749); (bsc#973032). + LDAP conenctions vulnerable to downgrade and MITM attack; CVE-2016-2112; (bso#11644); (bsc#973033). + TLS certificate validation missing; CVE-2016-2113; (bso#11752); (bsc#973034). + Named pipe IPC vulnerable to MITM attacks; CVE-2016-2115; (bso#11756); (bsc#973036). + "Badlock" DCERPC impersonation of authenticated account possible; CVE-2016-2118; (bso#11804); (bsc#971965). + DCERPC server and client vulnerable to DOS and MITM attacks; CVE-2015-5370; (bso#11344); (bsc#936862).- Fix samba.tests.messaging test and prevent potential tdb corruption by removing obsolete now invalid tdb_close call; (bsc#974629).- Obsolete libsmbclient from libsmbclient0 while not providing it; (bsc#972197).- Update to 4.4.0. + Read of uninitialized memory DNS TXT handling; (bso#11128); (bso#11686); CVE-2016-0771. + Getting and setting Windows ACLs on symlinks can change permissions on link target; (bso#11648); CVE-2015-7560. + Sockets with htons(IPPROTO_RAW); (bso#11705); CVE-2015-8543. + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystem with no ACL support; (bso#10489). + docs: Add example for domain logins to smbspool man page; (bso#11643). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + docs: Add smbspool_krb5_wrapper manpage; (bso#11690). + winbindd: Return trust parameters when listing trusts; (bso#11691). + ctdb: Do not provide a useless pkgconfig file for ctdb; (bso#11696). + Crypto.Cipher.ARC4 is not available on some platforms, fallback to M2Crypto.RC4.RC4 then; (bso#11699). + s3:utils/smbget: Set default blocksize; (bso#11700). + Streamline 'smbget' options with the rest of the Samba utils; (bso#11700). + s3:clispnego: Fix confusing warning in spnego_gen_krb5_wrap(); (bso#11702). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + s3:vfs:glusterfs: Fix build after quota changes; (bso#11715). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + lib:socket: Fix CID 1350010: Integer OVERFLOW_BEFORE_WIDEN; (bso#11723). + smbd: Fix CID 1351215 Improper use of negative value; (bso#11724). + smbd: Fix CID 1351216 Dereference null return value; (bso#11725). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + docs: Add manpage for cifsdd; (bso#11730). + param: Fix str_list_v3 to accept ; again; (bso#11732). + lib/socket: Fix improper use of default interface speed; (bso#11734). + lib:socket: Fix CID 1350009: Fix illegal memory accesses (BUFFER_SIZE_WARNING); (bso#11735). + libcli: Fix debug message, print sid string for new_ace trustee; (bso#11738). + Fix installation path of Samba helper binaries; (bso#11739). + Fix memory leak in loadparm; (bso#11740). + tevent: version 0.9.28: Fix memory leak when old signal action restored; (bso#11742). + smbd: Ignore SVHDX create context; (bso#11753). + Fix net join; (bso#11755). + s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add; (bso#11755). + passdb: Add linefeed to debug message; (bso#11763). + s3:utils/smbget: Fix option parsing; (bso#11767). + libnet: Make Kerberos domain join site-aware; (bso#11769). + Reset TCP Connections during IP failover; (bso#11770). + ldb: Version 1.1.26; (bso#11772). + s3:smbd: Add negprot remote arch detection for OSX; (bso#11773). + vfs_glusterfs: Fix use after free in AIO callback; (bso#11774). + mkdir can return ACCESS_DENIED incorrectly on create race; (bso#11780). + "trustdom_list_done: Got invalid trustdom response" message should be avoided; (bso#11782). + Mismatch between local and remote attribute ids lets replication fail with custom schema; (bso#11783). + Quota is not supported on Solaris 10; (bso#11788). + Talloc: Version 2.1.6; (bso#11789). + smbd: Enable multi-channel if 'server multi channel support = yes' in the config; (bso#11796). + build: Fix build when '--without-quota' specified; (bso#11798). + lib/socket/interfaces: Fix some uninitialied bytes; (bso#11802). + Access based share enum: handle permission set in configuration files; (bso#8093). + See also WHATSNEW.txt from the samba-doc package.- Update to 4.3.6. + Getting and setting Windows ACLs on symlinks can change permissions on link target; CVE-2015-7560; (bso#11648); (bsc#968222). + Fix Out-of-bounds read in internal DNS server; CVE-2016-0771; (bso#11128); (bso#11686); (bsc#968223).- Upgrade on-disk FSRVP server state to new version; (bsc#924519).- Only obsolete but do not provide gplv2/3 package names; (bsc#968973).- Relocate existing lock files to /var/lib/samba/lock; (bsc#968963).- Obsolete no longer existing samba-32bit package; (bsc#967625).- Update to 4.3.5. + s3:utils/smbget: Fix recursive download; (bso#6482). + s3: smbd: posix_acls: Fix check for setting u:g:o entry on a filesystemi with no ACL support; (bso#10489). + s3:smbd/oplock: Obey kernel oplock setting when releasing oplocks; (bso#11400). + vfs_shadow_copy2: Fix case where snapshots are outside the share; (bso#11580). + smbclient: Query disk usage relative to current directory; (bso#11662). + winbindd: Handle expired sessions correctly; (bso#11670). + smbd: Show correct disk size for different quota and dfree block sizes; (bso#11681). + smbcacls: Fix uninitialized variable; (bso#11682). + s3:smbd: Ignore initial allocation size for directory creation; (bso#11684). + s3-client: Add a KRB5 wrapper for smbspool; (bso#11690). + s3-parm: Clean up defaults when removing global parameters; (bso#11693). + Use M2Crypto.RC4.RC4 on platforms without Crypto.Cipher.ARC4; (bso#11699). + s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703). + ctdb: Remove error messages after kernel security update; CVE-2015-8543; (bso#11705). + loadparm: Fix memory leak issue; (bso#11708). + lib/tsocket: Work around sockets not supporting FIONREAD; (bso#11714). + ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ..."; (bso#11719). + s3:smbd:open: Skip redundant call to file_set_dosmode when creating a new file; (bso#11727). + param: Fix str_list_v3 to accept ";" again; (bso#11732).- Shift samba-client sysconfig data into samba and samba-winbind; (bsc#947361).- Simplify shared library packaging; (bsc#966956).- Enable clustering (CTDB) support; (bsc#966271).- s3: smbd: Fix timestamp rounding inside SMB2 create; (bso#11703); (bsc#964023).- Add quotes around path of update-apparmor-samba-profile; (bnc#962177).- Remove autoconf build-time requirement.- Update to 4.3.4. + vfs_fruit: Enable POSIX directory rename semantics; (bso#11065). + Crash: Bad talloc magic value - access after free; (bso#11394). + Copying files with vfs_fruit fails when using vfs_streams_xattr without stream prefix and type suffix; (bso#11466). + samba-tool: Fix uncaught exception if no fSMORoleOwner attribute is given; (bso#11613). + Fix a typo in the smb.conf manpage, explanation of idmap config; (bso#11619). + Correctly initialize the list head when keeping a list of primary followed by DFS connections; (bso#11624). + Reduce the memory footprint of empty string options; (bso#11625). + lib/async_req: Do not install async_connect_send_test; (bso#11639). + Fix typos in man vfs_gpfs; (bso#11641). + Make "hide dot files" option work with "store dos attributes = yes"; (bso#11645). + Fix a corner case of the symlink verification; (bso#11647); (bnc#960249). + Do not disable "store dos attributes" on-the-fly; (bso#11649). + Update lastLogon and lastLogonTimestamp; (bso#11659).- Prevent access denied if the share path is "/"; (bso#11647); (bnc#960249).- Update to 4.3.3. + Malicious request can cause Samba LDAP server to hang, spinning using CPU; CVE-2015-3223; (bso#11325); (bnc#958581). + Remote read memory exploit in LDB; CVE-2015-5330; (bso#11599); (bnc#958586). + Insufficient symlink verification (file access outside the share); CVE-2015-5252; (bso#11395); (bnc#958582). + No man in the middle protection when forcing smb encryption on the client side; CVE-2015-5296; (bso#11536); (bnc#958584). + Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2); CVE-2015-5299; (bso#11529); (bnc#958583). + Fix Microsoft MS15-096 to prevent machine accounts from being changed into user accounts; CVE-2015-8467; (bso#11552); (bnc#958585).- Update to 4.3.2. + vfs_gpfs: Re-enable share modes; (bso#11243). + dcerpc.idl: Accept invalid dcerpc_bind_nak pdus; (bso#11327). + s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero; (bso#11452). + Add libreplace dependency to texpect, fixes a linking error on Solaris; (bso#11511). + s4: Fix linking of 'smbtorture' on Solaris; (bso#11512). + s4:lib/messaging: Use correct path for names.tdb; (bso#11562). + Fix segfault of 'net ads (join|leave) -S INVALID' with nss_wins; (bso#11563). + async_req: Fix non-blocking connect(); (bso#11564). + auth: gensec: Fix a memory leak; (bso#11565). + lib: util: Make non-critical message a warning; (bso#11566). + Fix winbindd crashes with samlogon for trusted domain user; (bso#11569); (bnc#949022). + smbd: Send SMB2 oplock breaks unencrypted; (bso#11570). + ctdb: Open the RO tracking db with perms 0600 instead of 0000; (bso#11577). + s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer; (bso#11581). + s3-smbd: Fix use after issue in smbd_smb2_request_dispatch(); (bso#11581). + manpage: Correct small typo error; (bso#11584). + s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them; (bso#11589). + Backport some valgrind fixes from upstream master; (bso#11597). + auth: Consistent handling of well-known alias as primary gid; (bso#11608). + winbind: Fix crash on invalid idmap configs; (bso#11612). + s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle; (bso#11615). + Changing log level of two entries to DBG_NOTICE; (bso#9912).- Ensure samlogon fallback requests are rerouted after kerberos failure; (bnc#953382); (bnc#953972).- Ensure to link with --as-needed flag by removing SUSE_ASNEEDED=0. - Always use the default optimization even on pre-9.2 systems.- Remove redundant configure options while adding with-relro.- Relocate the lockdir to the /var/lib/samba/lock directory.- Cleanup and enhance the pidl sub package.- Require renamed python-ldb-devel and python-talloc-devel at build-time. - Requires python-ldb and python-talloc from the python subpackage.- Update to 4.3.1. + s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows; (bso#10252). + nss_winbind: Fix hang on Solaris on big groups; (bso#10365). + smbd: Fix file name buflen and padding in notify repsonse; (bso#10634). + kerberos: Make sure we only use prompter type when available; winbind: Fix 100% loop; (bso#11038). + source3/lib/msghdr.c: Fix compiling error on Solaris; (bso#11053). + s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket; (bso#11316). + s3: smbd: Fix mkdir race condition; (bso#11486). + pam_winbind: Fix a segfault if initialization fails; (bso#11502). + s3: dfs: Fix a crash when the dfs targets are disabled; (bso#11509). + s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs; (bso#11515). + s3: smbd: Fix opening/creating :stream files on the root share directory; (bso#11522). + lib/param: Fix hiding of FLAG_SYNONYM values; (bso#11526). + net: Fix a crash with 'net ads keytab create'; (bso#11528). + s3: smbd: Fix a crash in unix_convert(); (bso#11535). + s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bso#11522); (bso#11535). + vfs_fruit: Return value of ad_pack in vfs_fruit.c; (bso#11543). + vfs_commit: set the fd on open before calling SMB_VFS_FSTAT; (bso#11547). + s3:locking: Initialize lease pointer in share_mode_traverse_fn(); (bso#11549). + s3:smbstatus: Add stream name to share_entry_forall(); (bso#11550). + s3:lib: Validate domain name in lookup_wellknown_name(); (bso#11555). + s3: lsa: lookup_name() logic for unqualified (no DOMAIN component) names is incorrect; (bso#11555).- Fix 100% CPU in winbindd when logging in with "user must change password on next logon"; (bso#11038).- Relocate the tmpfiles.d directory to the client package; (bnc#947552).- Do not provide libpdb0 from libsamba-passdb0 but add it to baselibs.conf instead; (bnc#942716).- Package /var/lib/samba/private/sock with 0700 permissions; (bnc#946051).- Package /var/lib/samba/msg with 0755 permissions; (bso#11515); (bnc#945502).- Require to install libfam0-gamin from samba-libs on post-12.1 and pre-13.15 systems; (bnc#945013).- Update to 4.3.0. + Samba "map to guest = Bad uid" doesn't work; (bso#9862). + revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes; (bso#10493). + No objectClass found in replPropertyMetaData on ordinary objects (non-deleted); (bso#10973). + Stream names with colon don't work with fruit:encoding = native; (bso#11278). + NetApp joined to a Samba/ADDC cannot resolve SIDs; (bso#11291). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + "force group" with local group not working; (bso#11320). + strsep is not available on Solaris; (bso#11359). + smbtorture does not build when configured --with-system-mitkrb5; (bso#11411). + Build with GPFS support is broken; (bso#11421). + Build broken with --disable-python; (bso#11424). + net share allowedusers crashes; (bso#11426). + nmbd incorrectly matches netbios names as own name; (bso#11427). + Python bindings don't check integer types; (bso#11429). + Python bindings don't check array sizes; (bso#11430). + CTDB's eventscript error handling is broken; (bso#11431). + Fix crash in nested ctdb banning; (bso#11432). + Cannot build ctdbpmda; (bso#11434). + samba-tool uncaught exception error; (bso#11436). + Crash in notify_remove caused by change notify = no; (bso#11444). + Poor SMB3 encryption performance with AES-GCM; (bso#11451). + Poor SMB3 encryption performance with AES-GCM (part1); (bso#11451). + fix recursion problem in rep_strtoll in lib/replace/replace.c; (bso#11455). + --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install; (bso#11458). + xid2sid gives inconsistent results; (bso#11464). + ctdb: Fix the build on FreeBSD 10.1; (bso#11465). + Handling of 0 byte resource fork stream; (bso#11467). + AD samr GetGroupsForUser fails for users with "()" in their name; (bso#11488).- Configure with --bundled-libraries=NONE; (bso#11458).- Adapt net-kdc-lookup patch for post-3.3 Samba versions; (bnc#295284).- Remove libiniparser-devel build-time requirement.- Update to 4.2.3. + s4:lib/tls: Fix build with gnutls 3.4; (bso#8780). + s4.2/fsmo.py: Fixed fsmo transfer exception; (bso#10924). + winbindd: Sync secrets.ldb into secrets.tdb on startup; (bso#10991). + Logon via MS Remote Desktop hangs; (bso#11061). + s3: lib: util: Ensure we read a hex number as %x, not %u; (bso#11068). + tevent: Add a note to tevent_add_fd(); (bso#11141). + s3:param/loadparm: Fix 'testparm --show-all-parameters'; (bso#11170). + s3-unix_msg: Remove socket file after closing socket fd; (bso#11217). + smbd: Fix a use-after-free; (bso#11218); (bnc#919309). + s3-rpc_server: Fix rpc_create_tcpip_sockets() processing of interfaces; (bso#11245). + s3:smb2: Add padding to last command in compound requests; (bso#11277). + Add IPv6 support to ADS client side LDAP connects; (bso#11281). + Add IPv6 support for determining FQDN during ADS join; (bso#11282). + s3: IPv6 enabled DNS connections for ADS client; (bso#11283). + Fix invalid write in ctdb_lock_context_destructor; (bso#11293). + Excessive cli_resolve_path() usage can slow down transmission; (bso#11295). + vfs_fruit: Add option "veto_appledouble"; (bso#11305). + tstream: Make socketpair nonblocking; (bso#11312). + idmap_rfc2307: Fix wbinfo '--gid-to-sid' query; (bso#11313). + Group creation: Add msSFU30Name only when --nis-domain was given; (bso#11315). + tevent_fd needs to be destroyed before closing the fd; (bso#11316). + Build fails on Solaris 11 with "‘PTHREAD_MUTEX_ROBUST’ undeclared"; (bso#11319). + smbd/trans2: Add a useful diagnostic for files with bad encoding; (bso#11323). + Change sharesec output back to previous format; (bso#11324). + Robust mutex support broken in 1.3.5; (bso#11326). + Kerberos auth info3 should contain resource group ids available from pac_logon; winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC; (bso#11328); (bnc#912457). + s3:smb2_setinfo: Fix memory leak in the defer_rename case; (bso#11329). + tevent: Fix CID 1035381 Unchecked return value; (bso#11330). + tdb: Fix CID 1034842 and 1034841 Resource leaks; (bso#11331). + s3: smbd: Use separate flag to track become_root()/unbecome_root() state; (bso#11339). + s3: smbd: Codenomicon crash in do_smb_load_module(); (bso#11342). + pidl: Make the compilation of PIDL producing the same results if the content hasn't change; (bso#11356). + winbindd: Disconnect child process if request is cancelled at main process; (bso#11358). + vfs_fruit: Check offset and length for AFP_AfpInfo read requests; (bso#11363). + docs: Overhaul the description of "smb encrypt" to include SMB3 encryption; (bso#11366). + s3:auth_domain: Fix talloc problem in connect_to_domain_password_server(); (bso#11367). + ncacn_http: Fix GNUism; (bso#11371).- Disable rpath usage; (bnc#902421).- Make the winbind package depend on the matching libwbclient version and vice versa; (bnc#936909).- Backport changes to use resource group sids obtained from pac logon_info; (bso#11328); (bnc#912457).- Order winbind.service Before and Want nss-user-lookup target.- Remove fam-devel build-time dependency for post-6 RHEL systems.- Update to 4.2.2. + s3:smbXsrv: refactor duplicate code into smbXsrv_session_clear_and_logoff(); (bso#11182). + gencache: don't fail gencache_stabilize if there were records to delete; (bso#11260). + s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid; (bso#11186). + s4: rpc: Refactor dcesrv_alter() function into setup and send steps; (bso#11236). + s3: smbd: Incorrect file size returned in the response of "FILE_SUPERSEDE Create"; (bso#11240). + Mangled names do not work with acl_xattr; (bso#11249). + nmbd rewrites browse.dat when not required; (bso#11254). + vfs_fruit: add option "nfs_aces" that controls the NFS ACEs stuff; (bso#11213). + s3:smbd: Add missing tevent_req_nterror; (bso#11224). + vfs: kernel_flock and named streams; (bso#11243). + vfs_gpfs: Error code path doesn't call END_PROFILE; (bso#11244). + s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used; (bso#11284). + ctdb: check for talloc_asprintf() failure; (bso#11201). + spoolss: purge the printer name cache on name change; (bso#11210); (bnc#901813). + CTDB statd-callout does not scale; (bso#11204). + vfs_fruit: also map characters below 0x20; (bso#11221). + ctdb: Coverity fix for CID 1291643; (bso#11201). + Multiplexed RPC connections are not handled by DCERPC server; (bso#11225). + Fix terminate connection behavior for asynchronous endpoint with PUSH notification flavors; (bso#11226). + ctdb-scripts: Fix bashism in ctdbd_wrapper script; (bso#11007). + ctdb: Fix CIDs 1125615, 1125634, 1125613, 1288201 and 1125553; (bso#11201). + SMB2 should cancel pending NOTIFY calls with DELETE_PENDING if the directory is deleted; (bso#11257). + s3:winbindd: make sure we remove pending io requests before closing client sockets; (bso#11141); (bnc#931854). + Fix panic triggered by smbd_smb2_request_notify_done() -> smbXsrv_session_find_channel() in smbd; (bso#11182). + 'sharesec' output no longer matches input format; (bso#11237). + waf: Fix systemd detection; (bso#11200). + CTDB: Fix portability issues; (bso#11202). + CTDB: Fix some IPv6-related issues; (bso#11203). + CTDB statd-callout does not scale; (bso#11204). + 'net ads dns gethostbyname' crashes with an error in TALLOC_FREE if you enter invalid values; (bso#11234). + libads: record service ticket endtime for sealed ldap connections; (bso#11267). + lib/util: Include DEBUG macro in internal header files before samba_util.h; (bso#11033).- Avoid a crash inside the tevent epoll backend; (bso#11141); (bnc#931854).- Remove the independently built libraries ldb, talloc, tdn, and tevent and the post-10.3 renamed libsmbclient from baselibs.conf.- Drop redundant doc attribute from man pages.- Update to 4.2.1. + s3:winbind:grent: Don't stop group enumeration when a group has no gid; (bso#8905). + Initialize dwFlags field of DNS_RPC_NODE structure; (bso#9791). + s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields; (bso#10016). + build:wafadmin: Fix use of spaces instead of tabs; (bso#10476). + waf: Fix the build on openbsd; (bso#10476). + s3: client: "client use spnego principal = yes" code checks wrong name; (bso#10888). + spoolss: Retrieve published printer GUID if not in registry; (bso#11018). + s3: lib: libsmbclient: If reusing a server struct, check every cli->timout miliseconds if it's still valid before use; (bso#11079). + vfs_fruit: Enhance handling of malformed AppleDouble files; (bso#11125). + backupkey: Explicitly link to gnutls and gcrypt; (bso#11135). + replace: Remove superfluous check for gcrypt header; (bso#11135). + Backport subunit changes; (bso#11137). + libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation; (bso#11140). + s3-winbind: Fix cached user group lookup of trusted domains; (bso#11143). + talloc: Version 2.1.2; (bso#11144). + Update libwbclient version to 0.12; (bso#11149). + brlock: Use 0 instead of empty initializer list; (bso#11153). + s4:auth/gensec_gssapi: Let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors; (bso#11164). + docs/idmap_rid: Remove deprecated base_rid from example; (bso#11169); (bnc#913304). + s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case; (bso#11173). + backupkey: Use ndr_pull_struct_blob_all(); (bso#11174). + Fix lots of winbindd zombie processes on Solaris platform; (bso#11175). + s3: libsmbclient: Add missing talloc stackframe; (bso#11177). + s4-process_model: Do not close random fds while forking; (bso#11180). + s3-passdb: Fix 'force user' with winbind default domain; (bso#11185).- Prevent samba package updates from disabling samba kerberos printing.- Add sparse file support for samba; (fate#318424).- Purge printer name cache on spoolss SetPrinter change; (bso#11210); (bnc#901813).- Correctly retain errno from Btrfs snapshot ioctls; (bnc#923374).- Simplify libxslt build requirement and README.SUSE install. - Remove no longer required cleanup steps while populating the build root.- Remove deprecated base_rid example from idmap_rid manpage; (bso#11169); (bnc#913304).- Update to 4.2.0. + smbd: Stop using vfs_Chdir after SMB_VFS_DISCONNECT; (bso#1115). + pam_winbind: fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Make 'profiles' work again; (bso#9629). + s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"; (bso#9702). + Make validate_ldb of String(Generalized-Time) accept millisecond format ".000Z"; (bso#9810). + Use -R linker flag on Solaris, not -rpath; (bso#10112). + vfs: Add glusterfs manpage; (bso#10240). + Make 'smbclient' use cached creds; (bso#10279). + pdb: Fix build issues with shared modules; (bso#10355). + s4-dns: Add support for BIND 9.10; (bso#10620). + idmap: Return the correct id type to *id_to_sid methods; (bso#10720). + printing/cups: Pack requested-attributes with IPP_TAG_KEYWORD; (bso#10808). + Don't build vfs_snapper on FreeBSD; (bso#10834). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3: smb2cli: query info return length check was reversed; (bso#10848). + s3: lib, s3: modules: Fix compilation on Solaris; (bso#10849). + lib: uid_wrapper: Fix setgroups and syscall detection on a system without native uid_wrapper library; (bso#10851). + winbind3: Fix pwent variable substitution; (bso#10852). + Improve samba-regedit; (bso#10859). + registry: Don't leave dangling transactions; (bso#10860). + Fix build of socket_wrapper on systems without SO_PROTOCOL; (bso#10861). + build: Do not install 'texpect' binary anymore; (bso#10862). + Fix testparm to show hidden share defaults; (bso#10864). + libcli/smb: Fix smb2cli_validate_negotiate_info with min=PROTOCOL_NT1 max=PROTOCOL_SMB2_02; (bso#10866). + Integrate CTDB into top-level Samba build; (bso#10892). + samba-tool group add: Add option '--nis-domain' and '--gid'; (bso#10895). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + Fix smbclient loops doing a directory listing against Mac OS X 10 server with a non-wildcard path; (bso#10904). + Fix print job enumeration; (bso#10905); (bnc#898031). + samba-tool: Create NIS enabled users and unixHomeDirectory attribute; (bso#10909). + Add support for SMB2 leases; (bso#10911). + btrfs: Don't leak opened directory handle; (bso#10918). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: fix keytab array NULL termination; (bso#10933). + s3:passdb: fix logic in pdb_set_pw_history(); (bso#10940). + Cleanup add_string_to_array and usage; (bso#10942). + dbwrap_ctdb: Pass on mutex flags to tdb_open; (bso#10942). + Fix RootDSE search with extended dn control; (bso#10949). + Fix 'samba-tool dns serverinfo ' for IPv6; (bso#10952). + libcli/smb: only force signing of smb2 session setups when binding a new session; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + socket_wrapper: Add missing prototype check for eventfd; (bso#10965). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + vfs_streams_xattr: Check stream type; (bso#10971). + s3: smbd: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + vfs_fruit: Add support for AAPL; (bso#10983). + Fix spoolss IDL response marshalling when returning error without clearing info; (bso#10984). + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279). + Fix IPv6 support in CTDB; (bso#10996). + ctdb-daemon: Use correct tdb flags when enabling robust mutex support; (bso#11000). + vfs_streams_xattr: Add missing call to SMB_VFS_NEXT_CONNECT; (bso#11005). + s3-util: Fix authentication with long hostnames; (bso#11008). + ctdb-build: Fix build without xsltproc; (bso#11014). + packaging: Include CTDB man pages in the tarball; (bso#11014). + pdb_get_trusteddom_pw() fails with non valid UTF16 random passwords; (bso#11016). + Make Sharepoint search show user documents; (bso#11022). + nss_wrapper: check for nss.h; (bso#11026). + Enable mutexes in gencache_notrans.tdb; (bso#11032). + tdb_wrap: Make mutexes easier to use; (bso#11032). + lib/util: Avoid collision which alread defined consumer DEBUG macro; (bso#11033). + winbind: Retry after SESSION_EXPIRED error in ping-dc; (bso#11034). + s3-libads: Fix a possible segfault in kerberos_fetch_pac(); (bso#11037). + vfs_fruit: Fix base_fsp name conversion; (bso#11039). + vfs_fruit: mmap under FreeBSD needs PROT_READ; (bso#11040). + Fix authentication using Kerberos (not AD); (bso#11044). + net: Fix sam addgroupmem; (bso#11051). + vfs_snapper: Correctly handles multi-byte DBus strings; (bso#11055); (bnc#913238). + cli_connect_nb_send: Don't segfault on host == NULL; (bso#11058). + utils: Fix 'net time' segfault; (bso#11058). + libsmb: Provide authinfo domain for encrypted session referrals; (bso#11059). + s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(); (bso#11066). + vfs_glusterfs: Add comments to the pipe(2) code; (bso#11069). + vfs/glusterfs: Change xattr key to match gluster key; (bso#11069). + vfs_glusterfs: Implement AIO support; (bso#11069). + s3-vfs: Fix developer build of vfs_ceph module; (bso#11070). + s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer; (bso#11077); CVE-2015-0240; (bnc#917376). + vfs: Add a brief vfs_ceph manpage; (bso#11088). + s3: smbclient: Allinfo leaves the file handle open; (bso#11094). + Fix Win8.1 Credentials Manager issue after KB2992611 on Samba domain; (bso#11097). + debug: Set close-on-exec for the main log file FD; (bso#11100). + s3: smbd: leases - losen paranoia check. Stat opens can grant leases; (bso#11102). + s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting; (bso#11104). + doc:man:vfs_glusterfs: improve the configuration section; (bso#11117). + snprintf: Try to support %j; (bso#11119). + ctdb-io: Do not use sys_write to write to client sockets; (bso#11124). + doc-xml: Add 'sharesec' reference to 'access based share enum'; (bso#11127).- Update to 4.2.0rc5. + Ensure we don't call talloc_free on an uninitialized pointer; CVE-2015-0240; (bso#11077); (bnc#917376).- Fix usage of freed memory on server exit; (bso#11218); (bnc#919309).- Fix tdb_store_flag_to_ntdb() gcc5 build failure.- Fix vfs_snapper DBus string handling; (bso#11055); (bnc#913238).- Update to 4.1.16. + dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl; (bso#10993); CVE-2014-8143; (boo#914279).- Adjust baselibs.conf due to libpdb0 package rename to libsamba-passdb0.- Fix libsmbclient DFS referral handling. + Reuse connections derived from DFS referrals; (bso#10123); (fate#316512). + Set domain/workgroup based on authentication callback value; (bso#11059).- Update to 4.2.0rc4. - Add libsamba-debug, libsocket-blocking, libsamba-cluster-support, and libhttp to the libs package; (boo#913547). - Rename libpdb packages to libsamba-passdb. - Drop libsmbsharemodes packages.- Enable avahi support on post-12.2 systems.- Update to 4.1.15. + pam_winbind: Fix warn_pwd_expire implementation; (bso#9056). + nsswitch: Fix soname of linux nss_*.so.2 modules; (bso#9299). + Fix profiles tool; (bso#9629). + s3-lib: Do not require a password with --use-ccache; (bso#10279). + s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control; (bso#10949). + s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses; (bso#10952). + s3:smb2_server: Allow reauthentication without signing; (bso#10958). + s3-smbclient: Return success if we listed the shares; (bso#10960). + s3-smbstatus: Fix exit code of profile output; (bso#10961). + libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does; (bso#10966). + s3: smbd/modules: Fix *allocate* calls to follow POSIX error return convention; (bso#10982). + Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute 'supported_extensions'; (bso#11006). + idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo; (bso#11006). + winbind: Retry LogonControl RPC in ping-dc after session expiration; (bso#11034).- yast2-samba-client should be able to specify osName and osVer on AD domain join; (bnc#873922).- Lookup FSRVP share snums at runtime rather than storing them persistently; (bnc#908627).- Specify soft dependency for network-online.target in Winbind systemd service file; (bnc#889175).- Fix spoolss error response marshalling; (bso#10984).- Update to 4.1.14. + pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/ Tools/perl.py back to upstream state; (bso#10472). + s4-dns: Add support for BIND 9.10; (bso#10620). + nmbd fails to accept "--piddir" option; (bso#10711). + nss_winbind: Add getgroupmembership for FreeBSD; (bso#10835). + S3: source3/smbd/process.c::srv_send_smb() returns true on the error path; (bso#10880). + vfs_glusterfs: Remove "integer fd" code and store the glfs pointers; (bso#10889). + s3-nmbd: Fix netbios name truncation; (bso#10896). + spoolss: Fix handling of bad EnumJobs levels; (bso#10898). + s3: libsmbclient-smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path; (bso#10904). + spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905). + s3: nmbd: Ensure NetBIOS names are only 15 characters stored; (bso#10920). + s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921). + pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932). + s3-keytab: Fix keytab array NULL termination; (bso#10933). + Cleanup add_string_to_array and usage; (bso#10942).- Remove and cleanup shares and registry state associated with externally deleted snaphots exposed as shadow copies; (bnc#876312).- Use the upstream tar ball, as signature verification is now able to handle compressed archives.- Fix leak when closing file descriptor returned from dirfd; (bso#10918).- Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031). + Fix handling of bad EnumJobs levels; (bso#10898).- Remove dependency on gpg-offline as signature checking is implemented in the source validator.- Update to 4.1.13. + s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984). + s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984). + s3-libads: Add all machine account principals to the keytab; (bso#9985). + s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs; (bso#10717). + Fix unstrcpy; (bso#10735). + pthreadpool: Slightly serialize jobs; (bso#10779). + s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0); (bso#10797). + s3: smbd:open_file: Open logic fix; Use a more natural check; (bso#10809). + vfs_media_harmony: Fix a crash bug; (bso#10813). + docs: Mention incompatibility between kernel oplocks and streams_xattr; (bso#10814). + nmbd: Send waiting status to systemd; (bso#10816). + libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL; (bso#10817). + nsswitch: Skip groups we were not able to map; (bso#10824). + s3-winbindd: Use correct realm for trusted domains in idmap child; (bso#10826). + s3: nmbd: Ensure the main nmbd process doesn't create zombies; (bso#10830). + s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers; (bso#10831). + idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837). + s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call; (bso#10838). + s3: smb2cli: Query info return length check was reversed; (bso#10848). + registry: Don't leave dangling transactions; (bso#10860).- Update to 4.2.0rc2./sbin/ldconfig/sbin/ldconfigh03-ch2d 1752584489 4.19.8+git.430.a10fe64854c-150600.3.18.24.19.8+git.430.a10fe64854c-150600.3.18.2gentestlocktestmasktestmdsearchndrdumpsmbtorturegentest.1.gzlocktest.1.gzmasktest.1.gzmdsearch.1.gzndrdump.1.gzsmbtorture.1.gztraffic_learner.7.gztraffic_replay.7.gz/usr/bin//usr/share/man/man1//usr/share/man/man7/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:39674/SUSE_SLE-15-SP6_Update/aeeab13b449b36a000127e6292fbe0fc-samba.SUSE_SLE-15-SP6_Updatedrpmxz5x86_64-suse-linuxELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 4.3.0, BuildID[sha1]=ea659ef67053251824ff96be64addf6ec4a86961, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 4.3.0, BuildID[sha1]=244e6143c2b4e453c90b4e054da0aee8f95eb1cf, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 4.3.0, BuildID[sha1]=72739a4ae1192d4dff0c4705fd805314462eca04, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 4.3.0, BuildID[sha1]=4281c686d8cabfdc3f9d0dffff41a7f69025f79e, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 4.3.0, BuildID[sha1]=5614a9aaec396bc4fc18901ad684acd2062b760c, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 4.3.0, BuildID[sha1]=17eaaf764daa39ecf87de576a17b6378ede6ec4b, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)troff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)6i634.RIR*RRRGR(RCRtRRRlRRR0R$R RRRRRRRRRRRRRRRsRBR)RkRRRR/RRR'RRRHRRRRRFR#RRRRRIRR*RR(RCRtRRRRlRR0R$R RRRRRRRRRRRRRRsRBR)RkRRRR/RRR'RRRHRRRRR#RRRRRIRR*RR(RCRtRRRRlRRR0R$R RRRRRRRRRRRRRRsRBR)RkRRRR/RRR'RRRHRRRRR#RRRRRfRyRtRR.RhRR7RRRRRRRnR0RRRRRRRRRRR-RgRR6ReRR/RmRRsRRRRRRRRRRRRRRtRR0RRRRRRRRRRRRpRsR/RoRRRRRRRRRRR,RARSR"RRR R3RERRRRRRbRRRRGRRWRR~RRCRR RRR0RR|RR?RhRRRRRR`RRR=R RRnR5RIRRRjRRRRRRRRlR;R$RdRRRR^R]R\R[RYRZRURR&RRRORRRRRRRRRRRRRRRQRR*RRRRRRLRMRKRR(RrRRzRxRwRuRyRvRtR RfRRRpR9R7RRRRRRRRRRRRRsRR@RR4RRR/R:RRRRRR_R RRRRR#R}R RRgR{RRHRRRR6RRRmRVRRRRRRiR)RRBRRkRRRPRRoR8RRRR!ReRaRFR2RRRDRRRNRqRcRRRR+RRXRRTRRR1RRRRJRR9 =§G5Gutf-8d1b010afeee7997e300efb7dc02a7f523f362500a8cb8652dac3b84fd7b7b966?7zXZ !t/]"k%2_fR6mH> >H {_;g,0 r UH:&rrD:!WՍ7qI ވ57© ,Y""IYQ*$l[, Ⱥo/pnbΚD[U ~SvƟu!W{ $ћE[6:r2o3XѕyB-jǝBGzbJ>nB.ScbAGDdqqfwJ-Ohl-rAU4^Af#x#xWm^V&>֊G0hݧ2'z9T=Oe[n-]n˺.u!a uLl$7]pO X $+LoY=s{%&sz|ri@ɺ|~1v7Cgs"N5-po"Ѥ MpWEhUK(%;,LLp{ =c.ot԰Kؿ=hSdIioXĠ&G ב=s3:+%‹ ZNpz W݌2,ꜪǓrNܓ'Ň)_͘JW3L mr b1=;i>^~1OkIU[أ` L #*!ʦ(<`-yW&a5*^N=Fݴ8ְH(V;+\ T0R)X} $ y6e f7z<;Dܘ ǫ3ZWdo:EȐ8!Νwt[e:JqÞ:&\SbQQ%aO$J@IUwH ){z1z]41EHoci+ o(&rfWvkm>5]u&JoVD#H>kG>x6 ODvL8}^Ce+y%C)l}XܐXD(J> Z`*Pvɞb}^9!Z9G%^ўŰ/jOju3 Cl?lfZ zה=t`Mj}1K6U}JV-(2YmSc%-v^[]h<zr&׺'ƱZBPD3zQ7GyxzT0YnY3Wտު -W"\:Jtḋ]+URS#릍d>7 F"}!TT\-15,^-U;1N Wt/CfIvlѣ9o[]U`h\g|&:˨򃄟ehn)|#Kv掠s:oC8*E慜YÀR,ְR+ENe4%Z@M^=T~+'n aO%lﴅ;FiLݹ ]MI$@ ~-}ٷ ςj$MXSRk 5SB-Sk1bNrgP-hMLĹ-~)8wF#}fb3f1D:!,|EΉoX]>{0Ei~DW+0E;-)pZ|tf}Ng5j1[^5ƪͨ}X/;h^{GZ+ k8NR ^lA8fDxs<iR5Q\:mY,"؃͝ERq-ӂ:4n\`X!=Mo)'o>Kwx­2 TG)] &pٹCz*jm3B\܎vFeFmH0$"V%&fQp6OkZ[ЀZ^dL 1d`6`}2Ay\jְX-G=A|W9|y|h /RPqmv7w6Jj%4Bu0v4W9SYAXPfpWPoGA"-T;e듋n%k9 PniYY6̃WYܔ yJgmڡ~zà+D'HZA1$|d6i|20)u9Qf#k->EN0~h6mQ KKm@)8$0)LA{_ѐA2.c]+i rj[j'7htWPPDjͯF+eW2]V |̀[ vb3\'Qú)33E|+ }Ӛ[LY=35&Pj( fZ*SQ9*Z<ÈM N^X`ɦP%Wchٝd %bH@H`ܬn> t+߀{AұbOmg^=@y; JOl ΝX5Ù]*`P$AFK>ߕJ+uľ~ʬ+]&b3+JP{1 A#L{[a7FK&3결\ݘI9D ⇷t*\ET7\ 5L %x 7;HO2e@:" N-S^nSoiGwO8~k(UCǒ; ]֯Q&/-8i M> )>% JG}P\c@djO\P7a&F9{Z1b< oHq3E.cq\ a8].c%:+T/57 ߬0m_MN@?6&F:RfmٝqB-ӋMBH`V~%RӕPT)^ٍynFj0!ʌNfap*fEϔ7A5f9>Ӿ{gCZ9?-E ZFN?fd+|Q2X,Rm=t\)M=x [o;#;r2Oē*{@/qVhUԙ?'yR0SfQ ?QIOƾ/3E?XM1@P9E08~47Fc,b~̉lf<  i>E.LG99h . Z")\XZjolOle:&<"UV'`k Vh:1)e wYD^ PLgҲw-/vUI-̰kr8=uh{Ym˿|Ec)x#*;nVΧ/a|ߡsZzb c,%%Լ-:RoθɥTP 8fSsD.{w}}Ձߊ-UIU—L ;(xogho1NM:'^]χ[蠚 jnY`OSܰWC}[T qݙF$QԖ;8J>+{&5:1;~^/s^d(@ Г@mܫ+=lK0ycNcnֹϣ#@YwɾaRn[}!=o}/@x!۔Y~JdQLk!}͎\|E梮9<n af'r]*C(Vp}Y!bI5{ʿ:&>igzIg!QHAOn(ig"?WXN)W҂i ! 7Ur[{[ͷ,e-Q( 1@CO7΍Ug7^8gB)[[׼x#,aT mTn,b7\Gw&J$1q|*qrgWmevYz^v )w.2J*Txp>! ^sT,iY=.Wz=;aF gs?`El#a; 01O; AHe!bƫvC ِHx7gd2 gsISG'뮙@~L?ߑ$o|iWB'#?(NT/a VP$;~ő"qO 1 ()p7A6f%tF:q7xhJ#{/&ËLt|~84a) s9CL&q,%Q֝sM$,Sҽ?ɰSnvz)'ܝ[羞ut"܀z'"DZj1P`hnF(Me0y&W3,? RWnu~'~?D.|-1lI)76)l\>X+zoo})M]3}`u_m\19FElmb49naykFN;^mߨnc sGB Zt'f+T&AI>M*a,i2pkѤ }CDitL De`^uF (,;x'yBJi w師/[O)#Qt "#X-r*x:$=z^Bw?`x*$oJ:Qn!>e$K~0/H)#q~s6VKci[jűm1G,Zԧ@ZxG0KѤb#ǯ}2 0KSfZiY(en]5 sV"om{v2PCM/zxC-TAߌ|$SImm@9s &hKV_$ >)~ Vg-?Kۦ c0v?X&TiNbuX&gѵ7+%YBN=Ad+gh=( Ʈ9V![Y 5֜uQjFgx[{hQT޵ 5էܠ4+94oV$o1aA\M'TM3Cx; *5AE06ˆ!7bq%G$4!fK:V` ~ȓYuj7֌j'^Ņ 7?q)jT!mQ~$]ɮh̘~ Yd0qN=4Yp̯Rz׵ˆnn-Y5]|* Kg"n2J!5x`1 ҈] dY]@(/hw(סh=♑y;JsBBx{hRv,ԾhoctA1fvg+JlPݽzj3&1-jlű/w864-:贑>Uz!Jiɛ_ϯ&2zt~ҤKߐ-'.fBuwuNAat r' 7GgXJSFnTSdΧB& K0,6eL^jwE,NB/Sۈur+#5#ԧ{'M7Azllg)ԉZ9ːs.FtΎšncTys?R ns1Z*)'[!&RlŗOA>1!$ZX%b_轼MyT\Odl <|~}nu9FWr4ܵ ilyC^XNʌ,*WbcE[wҸ3+mf}3TdER{ۊz/%2 ||ZyNlTVeTŕxJP^@sC'|;0!x֛NiIU(9?,{_HX$'>’W )|EbmB69jWAؼ 2[jW=ZĻJ) ӻ[z;Pk^eޡ]pxܧtFMsY>d_3A18|r;g`1 X~Y\= Y橻/V%Zr Oh52},,~Gzo4@{~?n>@Q4L*J1.>@ (㉑ig| c"o$xsFu 45"$9xic) @DQ*@9R%| .i2Pyuy޽ `%Rm1|UR(AӂD-hUh% Gn"9[F]_2$a:$<*(tC[jvPNB݃foqب|c <.vO=DleLk(ٺu%M/!40>:{\"s?1 om3ABxX]iE+=MeGqb|*kTJHJKxVЉjb0IObaLWu4xRmr̉ P#OaSd˱ Dx<ϤY޵5 q;9\ ARL8r7;-cp_S4B {32R:l9RƼ"v,Go0V|bKKӨM-EX纄og}x9d]:0/{+*AP= l)V^7j](&B%@61Rj8xUBMSwZI%5EvGݚd}ZBzQM>]m lC#V@xIe5deQmO`}$z&:)Yi4s4\㥳Fp/HsZhH4<%!8%(4go>PZn;t"oF n-2Đ^miOڏDyO]fQas=l : 9(GdТndn„g̮J͊k%;c%ePa"bIkV5=V1 u pWBpܪ+Q  'hr^)TPnQ8TAD?M_rviKYdxE":쪃?;"l-4"=oN4bPcib\T:6{c-C~ %3Z_]e:!e8>Kӕ Y=cK ̴}k9ZTy4DF$UfjAT O Pv:)Ҟဝ@gw;< c$'Lr^8%mXT*G ipqM(W֜"<մ֒oøر&zmVGj"S,! J}ag,T-HS}i`-ףم H|7<},7qB$ c{x/̧Q񋜁O&Z3& c,h .s'Cs6&:$btB.Ҫ8GXi8GGY=.q'4pf"=^,ډ.jq>&|:` 1 ü˾l:=1nokm&#ەɪ ^V~L,{4Kx)hZJ@Ҁ&'6'RAw*X\"ڕ57K|'I<ҭ-$t*BÄP?@N< Y븟yCbs,hqz+Z!+1=n ^P7{n=ZGhA(cPywK~d '5nA;t&\v[SLg_iiHSĝӯMXC=ܞ6!Yh3d !EU}e4үG`3޴S&W"t6d(/d8Q4=0psukGŽٍdtXHΩ,:'z?궂˓~][oW^ J"!5ќLY"β)!QXW# @:i:Y}}+\'Oܗ L!!I5fSF6>)2+/ )0tTyTÀ?ݦ$GCڄ*aq9>E]喏MŘ@:|0)G3/cESb?-R E#jÉ#>~Frj) Z^ |9gHu]/CKMαoʽ51R$4)s=٪SlƉlTfr2x BroP@VSgJ\hnh:>o_Lo4^w*HQQ˃} ?A"}ul[ /ϝf ! (ш!ɖP|ڏoj@gl]qs0yn$chP`a>ux:%Du;-m`IW̙%קapWX~$_Qguì^H s$ d3(<4ŊЃ548zy ӛ{(i7*BK%ChE_lMM& 28ß|wÖwInQU6}\AG χP, ސ- W/DZxc@f~gW*K:_L}} Fqn`R8(ka S>V~"f#`9xHv E8o@Cs9Bfq)cNRYx?d3v&#,e%Ĉ5Wŗp ,r;}-ˑXo%i-K{&2#I7:F;-^K+gqQ1qKږBg~ OLx*&b*%qE&Hg+W aN{ai<3qn 6:R.0;sYsKpsߘMn'W2+O; s_8>B`_3-_d$-7`ɶN>vmfkKi/{'egx.I>8Vڎl%#' .-,5,%'E[֥*%FS&[x=\Ur1nw /qE $1N1Ļic(^Vۧv{1d =$3DfІG}1<];hjua?zco0(.92( ᳫxwrYvfE},nxnS7Be@+ϓ53HghҞ3y蜑ycT!/mFyARMNtQ1AY^b CL_-^;A[R$G 5ӣ@P{Ny5,x9k#2ijcJ'8ir @7hLX34bk3YV\| sF1c❛#ĠpqҲ>~##RbkU !i坂hV4͜iF@{mdy]z"l_M:S*M&%"7LaΪD5 =hƎoV&ʔs3Riz߿̋6XgSc31Jr =v<ɳt*j=G: 2h]M}|\#a9u4PC-ȡ vo/Q῰+ILg|'W(˟`[;JMvt~IZ."d;E3*`ξ!)4I:ݼQ`'TP 7'^ vFqսfڴ٦TjMfϞN5Gqs֮1ENSbC#)|!/=󸰰69 ȝ4rjJP :~4BsD6nt;LIZy~ qWWAЙF4O~Yd ꉗ(vqu 1CEw+RUuYۊ v,Sk+S1:7|)) wή qu%sY}s@(E65l3 w퉔!, D@|=`IJg?\|?bZtAW30&ٵhJVG.v5GA-4~$&߮71+>0v\룦P[)JZ 2T#;MC]QqdSbruWte '`|FqlN~dF9N-Z̓ьEr@B/BǗ5YC \>+oq8nM F2kM;*wa}XN3k֜1GPxy&?\䪏שNzƅN&`pgy'tR3!^G!(Ć},h1Cv cBp'  =BDEr|cͬ_:Mx˞z(u܉q H%K߷|S%sr#RKّT=$}zѥ'q\Q1F//CRqUb J5(=KZ'5Ub-z E|KDڢn$YF~`܅:df.3-sLՑ-(}(AK&ĝ)YpM{jI+ r0GX= /sQSPN  ߑLך]Y';@C׻T-;:Pb"FH_`"f/{+n XcUȾAÇQ BRmhS#`G\+cq,*~k ?~Fp{䥽*RhWӊƏɸQy@ r$6lMsӶ VjkJn' oJf՛Y~e!o/ Kh>⌌ ϠCpUG @)_ՙ1QYBOl΋kütXmy~ST2-ZHdz&UM9B׻fT /Dq ۧ_t`ѥ'܏Zp2_VϝV{=)Cv<${.ꓦ71\ rGN:͌kYIndžLu3O^|,Tq(wfSjcoz[+z⏔sOF:D^ii~V`0:J5"D}u<t k3'A3QU%P/|*̻a0@^nWɎQq8:י-'ъ=rY VM "l tQ5o'Rj\hM'5l#4wbXɳdeO[$@)n oUÉZi*-liC՚ D]^}HLIty0UTE֨rvx Ar۵ ՜Y@ܦf~> _9h©Pv=|OWt2bn29Pό-5WXc9YK97JQj%/UT R@)pJe7/ lMYFMq.>Y"'+02 \VBG7n|~|w?JG\g]fVp CK%:|lhϟKvmbRwk(&ZR㡥_^ mTvyĨ]T+_1 XNp8|1jC~~]uC?'_ȧfI \Cʮeu{$nEwlٴ;FgDJe@CC>b{+iR&eNv{ߺx5O a`fovov<~*$cssRCے9Ö!s=g-}z&p)ZqvDL69ZK1wnJ4j7"wS}X(z;)~X9 ~p-^L9 nW;g#V P$.zCO`̣dGyf40dI>r\s(N> H Fg$0  00MR O#Y4x`،p㩸$ۊew,+|!gM î(ju7U.Dcŭtȱ{H+ZbL7F&Ɉu=~z 驪f[ Ǭpri"UI5?S~v+ρ$ w]K c$xiij "po2*Qx"TͰ)8x[7/-"?!Q>rJ}pe)٩TO{͵Yįt^;'oX&V{"y<`#վaa9n&}CFrpeE{{-ʾ{IZÝ(V6:fg S<5oJddzz6\YՄ7yG^TV2_@#[%`r U#+:9@txȩ#Z}y=NVOm?l> C羕CQmZ0)QOx=4SRu)~),x) (`/ЀDD o竧qҹЕƯظc⽁MEg$#K)Eޑ.?~6NФ '],=Q_`4Aq&6uߒxmgh`5[iYl[8Vb_g1ց>etGRXZvti|Z]8+2|">Z:7S W #?sY3pT'sҘ7'>Cr~!Lj b|m3}<(ĵ[/9#xYru)Yߌ'^|5i%}(Pmrh>&eTM _#>?۸C+Lw;I1[كIp 36(HhODC݀($1X;eM $ KSCD7Rf;*+fX[YS3*E芺'Z<6 d#w梘GKxֿuq.8yWȩ9kYnP74 aFYU9ٖz]O7'Z 6k9@0*oLVu0:YEόIߵςlP9 i3NBtԔ=eӴwQ-7=a>B4QŴJ^Њ'ĿRD{iA*fe BZ"/0_4Y!g լ9Jc[vCU^Mr5/}5guoV]qR^E"ڪY5h@, &xܜ'x&QXdzSE:C0C~LXW3ahN{ί,iS^=-eVOhzJ<-J'-Ǐ'P&'f*AMƘc yB0Xc9w4˸3t7zxL)2|[\Gfv{`M!V]HB'*8ViXu(9ǩWDoG%J}27rX5L'}=j"I7&d^HP+exV(Isܩ^$ڟ8,>q뿋DbYh?MRG?e/s=>UOQ-:o$5ge02&N ;'vߊ:A3gN.q> OhĚKC,0Pf(1R{۩l'Pf20|S.;RTT9݊_nfSڪ/Muyה&!#Ram@ѢHh#*翈kCN`'ޕ_LA;%M"_xBp n*>]9MT(]ns{.v`S$Ƙiyӊ]?Wr8s3^(r?!znVaT7P|T֛ffuUEa;%} jUME!:;C!2WhT?v3ά{j'v^ٕwW ,7*]pz[܅m4=zۄY _d=1@{#x志 `MR:F '׸Oz\dj舘 hn,X E4!ބ9A+ Zͧ;ha8R$l 쾱ONJy~~m;Q)3CgLSkë3#c/kp<]c7ϜtɊjDц_yw?7v'^י+I|<&0Tڈ(祁(n 0 ĺ,AP~K>2%uѾyl햰}aO.qV6KrZttT+*0^#b*TAA2nmU|?"?NEi=(*B9qޘyX> b(No-z]&Bmr-z(`@ >KByqoxF', 8+tj&6`[/Q=Q߈*(ٗpӌC_ 2~p$/A$1SG'}'"If?-~ >ϬbyzKVDRB6-puZ%~I+?T<7e6`jɳ_"mPRzVEhSO\~PV 1[·MQ.N,R~p3KV+a+l]$0A&d}Ej^7=h, 6NބVKMm5e،R]n%Kfc,yDrҾBϨ}+g N\62g;ڄud{s@ѬwkCK0ђ`VMH4"k;}9@x9?Wס56-V`#b&N[ @Ԃ٘w>IF/ugT/8Y-my9En\<#INn(Z9> Cjmn H owbnr=L;@ ZE.8=|x["N܌0:~3Dłx=_4ΧYokT vr,y^E!i.A%{D݋T])@&G.QOc)Et |6:V<-Zx >w2 kQ렔&mpm]Do43کDk#M~ ApR;ŒrK?73lO anC79*NC?=x\ b Mgf`-mopfY~~>|Ye͕F,ȩr<> 4phZt T%tO=HLO(`d4zñK{bn%ON:(g[w skv- a -{ .NqƑ_U}b)v (XHg DQ3Q>0&sh5\_˴eqrp" /[ 9uLa2ԞlQs")FEgdզAQ#d/_zspf{;5a \ 8ACۧ~bj^xtM==㛐QcX9,%".A; *IG'_0mnde̟ zaClX4rl;6= }S7ڻji$|n=fUש@g=z"_=‹Z@޿1 -);zIi'쭞aD- Z! -ߠ?1=Nfy_[20 "Ύ.E-ţm1B1'bp8w!srkVk7zˤo2i|{SYL@S0D3Qb/ ^$k9@;j_-)f;oGښ,~ XP|O`tP)Iaӆ‰Yhu|%f,n~>8CUrmV3+ZsK?D 旜0ZLojnT~ok_$ -iP<\jN,aTd3-e OjP;dq]2f+hP}j>fyYwmoz9iu K [>%'1'дt=%bұ)YΪ "u|rz|kJ I+eߍzu_G:٦gԌQ`VDqIDT8%,03}hˉnKЈJEwhp8ڲEp:X) G#QB+B*ږhg!c>a=mc0Ay ϳOarIXlhA'ц뺗J-mVVW/¡I=X<=zUY@r}v<⾨.RJ0-my:q3$M.ծA[oqw@;Ig8J!A#5hMNW֊6z]6ʵ {Mړz\6SOP "E'ҧ: q 罭#Bß~Eŭ7oEw*-)X^K~-7tP9J/%F~]H!~˪rѭdhqD)Sw ϐcgVbܺ\YqRB-D d|"@kL'B.vaΰ-ǐaz K9 4m-e˸X\x֏TL&d\O>I[5_ݴ)ǖ{UE< EkɼDs,@@|h0J@`[hE]а|Ҷ՘ 1;+jkNϨ~_گwUtթlm8}W!Kw)l3(P[޻z ]ɀu=7"or,CBO Iy IMW 5$;YaFvӘ*8 Y7'wiHJ1{V&kM6-Y3qțHI Ag]+TΌ+YҶ~൤uVļ&*ڕ3s$=ʅQ|D3/~iMR2g{:ݷ=rC]-2w\Eq@; ۢ2!Krٻ^$.d mA٦K; |;P`Iyw)TՇ>]BGgeKp1 0hUƣl^ӪF*zZig { 6N4j[z O[ԳsА(;%ȏQuG2ϼ۷nف6Ӂ'Ԡӛ34_W[z^j9*XScH?ˆT3^ h\W|DfK5.UৰVE_#EX|Wsh`ՐZ6}b*Eclve7RЄl94o  7H54Ԁ.2E8҅1`0[eNԟ &p<+&_"(Z#Qopi|$p֩2(S1SBp9#rथ=?,cWgc[>Y ?2} 窙W^@|i|y~!_X$Yj$zùs brʕvp " ʡ҄1x {(HZH+;b5wL'—Qm{2=t-44Y'u [@PL]O:V'j =gކV?b`JNY 'zw8Y˴ZH9|)#0ީ. zapЄ+瞘iW9 bnं[G2="x t;݃F( I6P%,ӗrѣkfޝw$m 32·78-]8OӑWŌ=7C`<XIcþiewGRD#4Hz4Bt'vlYx ̨ r&h1QqFrhفhl ~R e6b_Vw}]<BF Y{1rѕQu9?`?x 8*s29- xE䌨3f(PZr͟л9sptzbD FxoN|&jEPc&Q` -Y쿷腂 Ru}I]sԀ'AOp38Cդ- W S N9l5>_. L'fvi*f~ XTߤӮd'x4M>+I!>z=́\wh hj)ZU2) .]Qlqޝ 0b 48e>fRݕp!*K]XR΂ \TbaV 6kU'' / 7#43Ln.!&*b 0ujC5#jrչYJ'*O/syUw| (GK-~ }_*d(v19<]aMd]~'G >uFbS G.y*/CXl!PJc0guKFnu~,ƍI7'ՀZzbɔ4z*f5hI5GIP?ы'q{ܚi-‡8NV}Wlg(bYdtqICz̈́:R|l;i < ?*${ "uD {'Y@{Us kɩiG:~H=YIxJ/r t4fTV SJBRWȪ"wtsRM{m#  UJ>"`N 6fNFV3kW䅑Vȝd7 bS"x^Zw%r "ϊ W& ҬeZTQ}zPjJ wٶ%4";&|گ_-^ݥQ En8vguv]%|~rJgQ.^Y$1-j~1L^U%;]żvTa WZ%p}QC>[=xG.|TZ p} l޾%]EN ڥuXЉ}"̓~ߍB'%^RE9`̹I%ߥuԘ~#̮AOv͌Q?_i@<]ݓk]9uU-H 2n>dt+^geƈsNUtMFCe5 n{EĐWg,;])I,bGl2]s "CT3I1UtLoIrF| غiN \4hwDbRdC" 3'P[Dv-nZEm(_Lҗxy,i5U?^=޳p)=*0(tïz7Qcϸ*|ox{)o 4Wg8IDœP|s `SIЕlA 2a'ݶx0ϛ5E߭9?I+X(_b0L}E&:;@IŢ#6Igfn]|Fv,S"#mF ghkt߾\2TmRt_tHw<5#_bAT"fvᠴRc9Re)}`,gL.ax#.8S<"4qT]EЖ@?&Y4eo.[Uᩒ(˗eɬ͸aq5eXH -O dݫg.^; Iٸ+at.msϿ*̈3, VIND5z= El؃"Co]&[ޘ]5;]߳Ԁ6 R[Ghsv$^q%%@ug67ypr%B >A[U 6mN#v!ڕ͔yDH,j/Yq ˆo,сx}Jrjkez28y%cE{bHI QAsuQ=v/#̇Uƾ2!<HqUmj%h ?v; Z?Q&L6sNc[gO޻l u<2=⵫[f]do  ;cWZF%_O48?tG߱JdM#*Z\rIU:L7_숣#jOwL;ٌhQ_pwm[o0J|Nc9jklfCu@3QOav=:G_srD#Їg!X &iw7ୟGňeX?Y`_)^El>3f1ѰXd&D;eOHL2_թ@6ݒKo]\Kߧ\g8ΫҊM[JI hut\nlp8zX,7?p ==XE:Y2C;]BuD;׈ȃ80Ueo3_6Ws3?!&l44H=Un:4R\? ^K1=IVB"o]ֵ] ߊ+c,P(;ƏzLgQ/bTxdwo`RU6z_zmJ)']pCp^EI?s}٫huz]؍SV4EȚNaNև%us!*\aEoNXp !^є|+XC%j潣&JaD ƣpn]>kcGL߰T_ v]>,wfo с20ta~@Pj-R)ֆl#Cv`͏:W9' o eн/~ _E XQ7Ұk*/g~t"X'*Wӓ["[vHyϙεU؏yّ4L{ER.jc 4#X6텆Xgoc򷉻:\v*2 z_<ίc>=/~DdF3¤nlw6 'h 8 |e Yg-GP<3XpFK5nk^<6oIE 7KcԂjG 4=J, 2CY+=%G:it½LW,nVu' qi.8B] / ]oDˍ􋖃YifN;J ^M* u֙7t4rhpo_Rg@#I=,p2ԣl.A&K^@RChT=f`jc@NA[gWV):`;aZAS< l6fmω#~uObZ5oָgw]IF{&*Q8mf̹Ϳi<_<7S@y?e7o,2HwQb%W6XmL7+L$pӬ}%I!Xt!d΀VPG-rcD)3UP3gXzH~UbP<7j-5[+:4lEsވt+֎$)> 5ZbqJ $P]]+ 42OJYpÞbc,X49/Ty8 vE?²@9r0RF5bn.^aX](Jb8]= {nQMhL?yV%)8yXt#Klz'ochgCZ\k?dG/P{JC澄1G~mYb]Y{i;>F>YaBW@07+h"u1*SEiS[o5@m(U6Xt7 y~kd2TOVYe}w<# fz($i?)b fi^uYZr֫1_|k5{҆]L|oÜs;/^ayFrI P Uu (7,]<>a8'ʐ_-\ liyfv֦dy~,S|^Pr~ؖ$ \N [eU²$.>TԗԆfk@)ɒŪ;ޠ!|wȜ>%k-xr>p|5(CM!,V^k omYyukf@3/Qf͊Y1;(ߥO6!8Uo-pnK_m1'd!{\'8"w^7lL eKFW# vꇝjX e~繻ĞUbH#:f@FLcނFeg@\|F`jRo(:Ĥg r_INLg9IЧ FbOLY0#/P[eaS38pÔ3k**h TҊlPf98V[pR40,)P^ZD9#Ms`y:qaq_g|!gKI[OUݍ`:D+ H$?yz sZxVE]BiS,'@;DHFDcL_{ΫW5oE)n׬Q8@H8ppR w. 3Lܗ6kF<ʖ'uͮogiKhhVo:lɵ78M-rKUxic+[>i#xtǀZ E? 3xQ&}̧)$otH4V5V#&hs"!'޵HF ; V, &{Q-*KHyҼ?5)C&8 ɍwN8  =\F!ncZm7H)Xae,Y>%S7r%:2Y)d*V.͇X?\J0Tu䃇j1׉)9lJ9h]ϑUexN$!yamtmoOqau`tP^9hVevp ꠈ|s#l%Z`/7ֺ )g_ܖG0?8e"=Zsŵ!-io,^:QN֤=IexdͯST[1R㖲C~ezٯ}#j=h=S`g/IYs>Vh>5&<&! svf\$=w]B71%8ncy xEŖ";/yVN'|r&oVcx'Ǝ!kݘ; 8so=БBCuWwjyy[..:Kw!;^TUF7qs|a^*ُtY@r-f$d\T4]bB^zp7h1Dh9+/3_'!;9( ͍dg?=(EwZ` g/(yA35j3]*Tɿjk}M{_Jj8>p{dܙݠ@ZŬVލ m 8fB?PH+gSٸDDUeR.N^=U>MK:w'4#BSm,0L,}ޑM,A?_ .mw:B632)A R7 Wo[hmY.\:9\Oe۱d!cz¤*x |f%i +{VY LkjM\X$}!1d o^:>l>]q VrFV*:j`k_, #{=\Q>%qAB ȐH2(a|8JwNHۀ$g1 lֽGJzoݪ/EϹ*.MG`NZPke{4Ϣ11DG :APUM^8جT0{ R/ 2ѧhidݲ=1(Qn ǛO(QJl1HUC#}V◑[?+S}f6gG 1Kp7r, c9YQpU2viBDz7Xj7 > l5B҇ꏁ.X$`kq_i$|jO0_N X;`Cm[(r]LpfA}*1׎h5ea u~! LzS˽#[fU=فDZ[qE5ݵ|W=YF|-Ōq#rNBãMB.8G".qV3H-A G5-oV+#rlnk=2Vܷyzg o8Lg $Ǚ+N,Fܸ]px7W-5$x50NxNDO)ɎHںFIG /TGƒ )#C5~ߏfEpWÞ DA5hY!՝19v^P!*R5DZV|@WC "x6@xo|u#53%5EQ[YN߇Լ߆ՖD7}ҟS?.Я }kʋ m% 4X,CFР5fVObA5|Ѯ 㛅::FsɏBVųUJՊK#nQqzc޴Ч;M cz j;HqJ>7f}lHC&n /"?̽4DA n']Pr1R!$qU:urJVq R ]LIOxNYh 4_erv./y{y:_:z`ɵ-/ -sJ_`Ȅк`7b|ÿ1!gOM(F=ps;`jbv׬apg`mv8hN\u?e~bĉ[%|+_^h:7aP4I.8^qsX{"EhA޶Q_1P2^UYk )dg?=.'d ȚJR_oIև$# oa!E?o\8g!6l;snްq 8}Y㳀Tx)E͊]W:o1 |Ne?th.[@Ǥ[$*Mtg')0/z27'°l+N,)zk' ƣ6wYֿ.Oiª_jBo& gŞIzT XC¤{T~%m!I]0<7AĞ:ؼ(RkQ_ <57hӊ.Жz]yo"a뺷N5oLTO @t}xFSw /$^?xevm5Zґgd.@8"g{ե[֚ر3ChWY嵩xj=Oz^u-@ c0ij0-_OCeN=qYHyY[d7+5ݜpKGbpC;:&` hΨ)+$<dAڑJ ~LRAő+Lw|Q$kyCW~rKuؐ^_b .[gROEՙ=9Idii1F7)iPJ8JYW/n:z$씼>>/|Z2$qIDyAW2JF^g8az4$)7jT8^"9A>`TBXȊ?}L,[b(-'D6Xzzc(Z̒Yi&lWe{v|BEꌳuha'wV;<^1c؀u*=~8gܿ2Tqq[ᮔ1&+{29; Fj* ۚvBj0Ұޖ.pCqW^xHg1⍚H*0vsl:INX؊  #}7&IѮ-QUܢ#%fu.z hry A(u,bՑISG80^E7E(kW{Yh~D[6xck[ LgHES~iuƱ)Xjݞ\^JE~ZA^/PbF34WmKNG꽝\?tE+SXcVC_?0wԝ v-d79Zb tA(sn'\SRakKWYH"-ӰSn٠K-zuM*菎ؙĊˋM)5#w :.ҡK7H#g]_>"Үt0v<~hfvqގ9YY!eƼ ZZu@,n@ɴX: &YRgo{D2jRnS`[ͮ:):Y'0ʆ| w3*K 3&cVuy4c6}NF||?~FfZ]x,u6SG{!QuU]/Ȭ'aLu}yŽ#AG:R~94)+wq4k6-o `m,)cI?pL{Cf$\G >h k<ȹ)J}Pw5p=0gq#DO&;[p.%`uHD<9h+Pem癃¥>]lB|s^38H 8(C4I9I|FS\2gL~? +\fK㓵$zNJE%OthKb.WJdg4o粜Na|wJ"93kf⍹&"GRD^ae^R[9ZvkSj5{錘1цr,qa>ـ{]0݇7BӛF%ZG Z8TRn|qLq97r7U ˶#521[ imGe^;kRmy(> ξ㠖ϞyWv˘$9DsOMk C~D oHCߍdOiv]m~X;dgo,} ^HL9 k:KF ~3ߺvFNqdx6ȗ<12xO9y!P`%dO&4O+ɳf8UBI8< 4sm_^C"f)],0u#kCvžՖEH誇Gg(]  ] n@.8,ͧn fJלL(ߊ-5a(9IgPk hإO[PfөZd"GԢ|KNa"JPݷpBMJ1Dm(w i^$3?Fȩ{\Uyx˲8V͖-L>JToGŨ$\^usv<G@Duߩ3j.ez%s,>6;SpG mX4kV= hT( iAZ?k@7)|?*^;"uyJL:"|ޛR'yk1~Γtc&%g A"ʤLlDbk Fb*YB(?^pٷ2Ju IhY˰Vo9)l_f dKF!^,.h6XggJjRe5^{ [_il4O5o¶`: -./g0no-%ӠML_f~f d&O=Z ô~HFVeB'1} |l&  +ۺM hq65*L;}Εzaj0w?T⁹qW;"nd'WaO 4X Y7b@<٠UoѢ[ZbyL7!7$,ĥ!n9S-|d*|A/Ӻ< Г5 Mޏ4cɬ8POOMƯKN7Ff:u{7TGr?tW/X! o7Mw&LyѨpb/3m@"h>E(˺jLnNeĶ;BnL{bTq AR3LVZz/\2mo&p5.-k*W_> E (I` >-T,Ayǀi75X TjT/\3 x|ͺj_W_uBr^!Yhbmm:qKBɕ@j$גjK*B,'S6y5duCt-8V2 F9Z) ʧTNT#HQMbA߫usY4)[KTNjFe=we"}#'=-]62CpKԚLp}q24mz6mzOZyUwdњ %EMo7.Na,}T߶Qm Z$pɇPria-!8o׈SA4'#\#Q7%[CP ٩3,Z9_8,d9Ǵ  Po'4z34{\551hQ߯d)M~H;{ez[Sj)Mͽ%B[<@D(B= tP^x64V̂OAXG&搯RPY~;RRX= fD9`B. wQ}+{>Jk%bw2M`Q2gхb(L:A"Vh s*Ye-0Z7fL{/!ANtS"G9pnS#/ #Rݜ|vgik[E% ~äO4Nr$] l)!>!$ x`9LjXKpNip2@=%+Ox]XKwYDZ}YGb=NN'9L}EcHVY?f"A\COܷqӔ1F3 /veW "KXI DiH;cܺW ^I hmM~ kFpTJx[_MO2W|E&`J+Pr]IDYҥ7ӝD05% uk[{ax M_0?[q%'wr 7m,3kvPe 0'=Hp|6u1TCW-aT{$FQ 鄉iC2ZUO05 830G,J[D.k zo͠{Գ&W9%6 ^Cm׾ք\B>ԑS8oMfqFg Yj.̂b{ @q!1YfM+iЫʌ̢9f>J;Y=1~r=^"K>/+[ 2Gk$ Spêxn٢' |e=(!RQ^W[)$H]s0=Ai#Q)~ ^R,=S85U"h3K|sC|<2J{Νo.B=u &SKp2f77JDҸWy+_~#Y⩸F-_.DDmz_fݎ&olgSFɌjKڣS3'`쫑x"ƒl\DJH#|9K2T^xf  0lt:F%4흖گl oI/.$:KBӖ'VubțRlH'je']-Vmd =$.0Y )5 [B``g#~yqEǿyIA-X ^9|3W^ijB7"[)Caعw>C0+|;enki'1 &TqV˵sƘְq1? JC0T#w?wɚ@,DDMq{ tx@,$/2 01 Ťɒ fg9璎80k )8xe47!~ظq|t8<]lAq0mds{Gc lʪf _+񩷻xnw,|tjq>vlt]߷U{4 X>)V.O.BtPWrD2bp`_#Jm<H6r Dcp8g8ֲ={9J7 >ZK2 E+'~tiO咇_YR۷NΧ)W J81圴8^gH%P=(,Nd:|.ZnGjNJ-\CepĀ9)fC Qn 0W/f^gM[ej8 8^4hao~ ˤ_3wSS70YH;w?Y/pHTG!W՟-U0C=$O\ocL4yԷ~A?tɺHM&cL{zb5FaePj!@2>U\Nqz1>8cl+A* TJ\߿o~ەt`zMDHUf^ǃ)Y2~ E Oh U}Cd (":%Ƶ4;dD U@}GBw6] a\:`obO+' #pHx6 pRHxd"m73:Vu4:#m=^>\DTwym|C8/MҴ_!]AtL1'pFa #,W2٤}3jPw dYLDs\(1/$wZy=PQ)xSW?ƈ;t{cA9唊zJQ: Ү@< #ߌ+cH  / *TOꋨ$jHn\Kؐch{j\gXxXX+;%f.Z4?HC ޝ|_ _)vWBGRcG&oD쐋]pu#/9걢0_yk+!GqGs-b/Nӻǂ\4uЎg H!YVBZ{‹q3e7w<ph B ԇӼ{ݩ .mvFOcvmRp@x2&g_#=&`|G(3BN y@~?L`lr7 *:=fV>C )c䨳'в@j!@%H*3yjBZ(%;v̍(e ƞ~9_L++o86U.n*ؔ*{2j RTWh8OmOݶn؃[%JR44`lFK^ć壷qFAlL)ׄӛļ)U.Vo=J`Fa?5ejO++ F@ |Gٺ5}lʡ#vSmߠ._xW]1Ψ93ժ|8u+4hb focP3:^Vd h5>MǪad@DE1=}!1pN4H d[MRw'=ٙd`x'`7$Ï_B ؑ)FN I7lk? r–چ?`RPزS%As0 ,k ǰHbR6.XM=[$N_+8'n4a uD"k@JgelA "ihXآ?Mil٧gt Aum BVq]!M:գ7\,Ʀ)o7s#+#R'6H%!w-o+#u#9IKYrkGuJVpbdX֌z]xͬl ]SQ{v:-,a1en'Ph #ٸy8ϗS M\j\;v37+y2/fO =ݼ].ˍУOf- S.[1wY>yKy*oNJ;t9Jm`SX6)@h,HurdRËIEF+h*k8Pgށʚא?Wǒ d?B$LmMsWmeӂ 3z-eb:gψBH#Ӑg:z7K1O}W4#KA~G2%dC^knQȸfyP6QB]7 9 &à0u3;< 4aި9,̭gaa/ͭhָQhɍBoqf.X '~^{\9qmޒ84.l.ҷg[5;E.mm2xy>|qd sb5)N6B^& Y$0D)dS;}-{SܠrE |/YT46L牞DV}~ruWEӶ՛DcFj@fhO fw_=52 dY(-})ȟ1~mw{Tuq \{+"!16@e^p ҧ=*QGt!>Kv)m^n vfVvʀf2 w* 3EKh(k `R璀 sG~բ00Zoq+oUıNbr?LbyE Q#1 rxDk'#$TT!k iBonTh@ҁF{ߐUts^+VQ:6 yPLLxsaE&6A6 ?:!<ƥFr).׋jwV8D~1yep ޵Z%oLNt`8/_X/,Wozd mӆIAeն#t0mj;66k-|dru 4)QG"x =$5^ u\ծ)bCg.Vzelu V|ڲzQEM#NWdG³Iaye\b_|U'$:bYNetH-ԁ6RI0v(JbRhG&fGlk݄gK3˪ x_\B PeUG-}r3/UTWu2n>5h'9@:L.r)LVR*~>Az`riC^Cۓ*zm;7OyfKs\Ԏe ՟x6%,ő<&ijJt:r6Duf3%hҴ=g6!لhݺ4ED󓱧SJC6g>ZEM(Wѥ]: VHYpVKF*!K.j_(85* iwe)/P?َt]$ ppچ>gꨡeJ16 Gͧ6vT}`S~{>I+ L;IǪ|Pϴj73Y<=ItƂnk=֮дnr>Jy5|n#,5ō ʆL9& 1|T)(qPSNv3Wˍuߔ']x]dAILRBErCDCEe!!!:: P~86ڑS2Uk,~P ; 647<+w͢I0¦;n~#@f1K V6Ō{s(=s R  pNϚψ#@'cKDODju!H q2<drM~7͢C ǂЖk#,7(X cKjWR~ w'Ra UO0=} ަ鞄vOA&$UO- vQW[mfϿiq5qDG<W2n4IJ | u%Y@ثܢ{y'ߘ,qI+_KV֣w4qW[l.M#4̺$hеT,d!v&Ҩ|8@Y=z؉^lpfIn)[[ޡuj@nzh1U`Qx@lJw'ɹud6hGϩ}1yJ .BJ)t#NqٟGGt"Zެ`ܰ=rG\o9}Seyt0bDk[c@8L `Yuz+eߧZ>pUrO.܇H0xPG 85<37I6 4qpPZJx'& X4J MDIe zP7mR`1 #H_¥;Db(3@+2gHD IWx9v6B"2 U/R,#1;|w`r/&z^h5p]ywR y"A2V!0\Kv" DoLa_TPbu;J]/$FָkSۛ.?T"-:%j.7#Eyj?3# kο2c'"^i RL]jo|PZ})Fcy*:ŊhU^Ħz(ޯpj<@_17&,g-nX.y$/u1qؙ,3܂{+AɓZq@a~:/Oyk1:](%pK0/paHeO8;5xOd tX%42Z g @OSwbY^Q{n-m'Bk_&f6{6sI|E% ܳ\ HL`kD>R./C" 4Zb[Wֶ5uݨlԶՎf;BݛJ8Xٲ@,[b 8  ͖(D>5lu NoUG`?({@NmA;4Q>wM8z Y?au3@Jrnԝ{5m2$#XC{dJhT&i_/(pƾX (t XY´3ݞQOuy:%OJADv.H BjzB"+.jgGAu 0nyf_&Ӹ%ɸ_KΏrg6i„Of;rw+Iefy ،B}6 w96a&3z !o5i"Q$|&f-=nyFk_\>ʅ ~Ɨ 8vS&Ա}=ZМ:ZvfcQa8Fy!f/`ګG?)A"%YLεۑLஆgx@ȁUA< <H !m<{5;_J*Ϣ>%V货3^'[x) aT8pL"ӥeאoraAg|ٻw/6 9C$\쫱ijw!yWҭ3^D^N14ud9URWWY`mW7h ?M /A}FbZ9&SGHۗ2OM(,f]@G- w{5 -΁Dz97T 0~rcg62!e ^LlapT3_"7͊ߗpK; 3;f֣9'~m 52hL(3ŧҭ;whŸ TI48h@[d*hH0G-VO~{U nsdxQ+E,5fij@[z,o]MXRSC/D#+_ߟᡘԗα`N'n38A#e1.x4LLwFO>Q}B +!nH+xdZ)}^#k,ғ&evbD1a&‹Jx*\:R pY+ {cTb͑ ⻐Nq9l3kGϓ4հʼ#ߎy%Cn$>hwk}B#MCAhn͒h[}|NV!.q(, EvO3r5F8l|":5.K5@CPTF>ZJ)q6,BsC L&ea{;BNpyjtEwWp.Y5jKov$V?+l$ˢ .?ۢ|JSq<֊ZΜ>HH G)9$o6/L?CŗK5Ag.M bz׺oG}_ggU5û^= 3r70Yp 6!g9{N'7*}rn+m8ʛEҥlbҺg=J΢ۿ"9m%VшsN6yMm2 Nw66QsVrJM O;[%H!f, V:#L^ qaEeM.%kP7ļ,?^f?&HdГr|5AuW}wn#TYxwPGMZ rjK笹hvX&?¿*5.xTjU87~)RMg!^*jRepq"Ȝ'W$#8i0mY#rqlk@nn6XSyv;4K )" `ȭi-3 ?^;<WetZMU*(K]ie92^Q(~^y*wMɓbT|`H|3m@LUĘE*U0tn-g)F[JRRc#6&S!XؕZLT m(e?ޠ!N.n ֣f_)kP2E'HG^0FCۀ*_͉tWM ]_WW^~n3"h@rՍ<\j:{&b4^ڕ*a=4 I *WW.,uIɪyl)tߚtK#W5H<@sX h%<LNf ->Ѐ9ܝ*(b{a ANhuAC*Ɛw>S:J>nR?Y##mj9 ^{((3*Җm?mGO.C@0 QXmn L361"MIuW佘E4))UmJ3ҲyDL Q-Jq0sߥ*D;h|Ro];+jf~NJϕz`E`[O߼J텁Ԕ4Oh[,3)}Z9 ?D5VΘ FAez)km?C! \Md!<^ʊSzՌ it9޶QK)p_;ӍD|OI]b]5M\_4ɂ2ӡ0GE#F-%hֹ(PoAyЌmBG,WYtx2yN"W=SIA￷ & Pĝ n n䋈>@@#}FHAjB \DReҴDfCq=;]aLm?4M\pAn?1e.u3֋ۑ 4m:/\W,=K6&D+a97 #HGp bM1A0/VQ/Th^uĻMq[TK/w(h[K`Svu:PEJ4gn۫H`t4q0Y*vk]C> {"ѼsǷrމ겈=vZhIGD.G8g !7U a+t<<[2>?ڌ` wǕ1M'p0Q5^p1D?@:kﳘBѱc#Q j0F W`e6OdpG:݁%w{z6EuQ# \>6$ùfKDrQUál\">i KMkʿ]zHbu_Ǖ:3>-- >%Su<5w 3Aj02C-xzӈ6ý&xMRX0_H=%rG|3W?uVXo+_ <<4TL>PAS# MK߆d)b-. @%v5o{K+e,뭪IO-_RFd=p>YV#= r4Ȧ7Lys4xH\%otv^%,_KSt ǽוus2z~vg4uf h)8@Ýc3;xYy8%= H|.KYm)>%!hp L]-fȐj9dx@"ԡN/;#z̮[~NENHg*K8Ֆ9UFK[<#egEyTy vQj뉙G&&t=dn֪cįVfgO;VX\˹Ma$Xzu3lۘs`h - KM}:<* 1Sʃ[QF'2aUbTxu:?c>Ʈ_^*!Аb=7"fx/d]Pv'v`T)):+U"+\UPU )$7R~G?TZ,% 65㥦Q8 Io/1xS!ķNNB$nտ؛DZ@iBfA֬obP“ H2 DٟzLjV[i4<;9 YhܦƅG'b֯ 7aR÷oI9l05DctTևnSq+8Ӻh,h_W?Y* Yi'zVAÄ*Lύ#&S9JߏDgc/Mq65?U$0q.dii2c VO,L:iY0kGF,%k N:f-1FmKΚRF[2u(; ͷa'aVi|4ۢg^RUX_B~bA]=%:zJˤ䊖`ʳ{ t|Vg`bW.[?jJ^S:F"1H'y+͜}ot9[K_4ޕ')fjmQ ;lbWx%0ӈ{qmsj[MH*ʴjFYgooG Ab*l3_*;2SM_6\id5 7F1kT0n95:W_VA!DZ^V}o lz,#Oǩ& BL% D;h a '?vF-`A] `l*[Z$ⷬ0Z%J./d2 5yT(* /%Jˠ6VwLױ>@DrXu6Đp<"ݹ`b?bٚtwDvi.ŜE<I0I1նTh/@ͱ'-8;́˚*=yw|/xAaT?0$>{k.{mpL:3.kOi~2)uT63o| e r~-sP|o1wA8L؃&Ebe5DwȲpW)ڔ93UkEϦļlG'|8H^Uj(1#)Le<=>SGLહ0[O7Ko8_+.Ʃxh z۷ۀYO3o '/s%*vN Ek"gQk*AL*[$>]c#ǐ 0-CjUAJD˾.uNrbM"+d{7/ -Y+duup>ȢX>ȿRxu'CR[{YQm vEK1gJB<:Riĸ3N(PcGZ8&P9͛"zPٝ,ܧ6LJCP+O 㫽t,w/kJm')rhaZr/8n/9gB= j ,4*"'[mUW_ c&!nGkvzaKE% š*:IHib+JY|ԍZ7=_ҟb`.e"H PVg\dsNxU4Ɇs'O?:x-]d=A\)DV;#.AT4x /2q:e0f.e]Zq{K!$QHݗ.#6D<#>@Um5nG,\06^$<_KI0j_Nm$4Nݳ [i7at@ (s6ns{|.u -f),}=9^4r_#@|VC!ŀG7 `,ODE>7 j|{0"o5-|4kՍmNuTzxv 0YM!<|wy(Jk8eS<߿C‡>n"θ9P-w NytzwLsXW7^Z9ixxaJ<1T&iz>k"2PIR@9'I컧gmȝ8'k7@ۍYSz9x<\VVM0 ֕@іWr^ H9n!߅ߕ7-LCI͔OAvz>w~;+Nje<12.\tZ%#\}W;8C14߿ߞM=YTt9fyz鹒T񮲕|cb#=aO^/m|\M]eq>IW@qC >_GcF,OH@Dzt@u*p_&w1ۦX"}@((Lmi4iwQͫp*$8='KY;=!i(QHaGq Gta˟NLM;#.A 61UEݾW.{>2-}So=UN?tۭÇi:d(9&s;o}uVyuzxbb=/6iY;D$ p8]EWpG>羻M9̻DG@Tp~ar([6U[‡٧ tDz?GNl؀*pEy}B"&=.,AIUB رl."΀]D嵐~N8PQSTOgPCxDM\QᢀHf"AVCI^|P@ @9 3=袪cD44iPK7J"(>x!ESH`@vt k!Q6E5UwLȨ7TM*!P(qPr)Y/T=z/UA8x>"ۃHP?:E'"&Z RD>S~D2@CyFusO](]GTAt~[EA> @$&qP!'UݦAV8DdDH]U5R\mt>:ՠyP,U-<u=GCF zxDdߑju8YpS=\4u}?DE:tt?2 %ު5qDNu8wϻ"{8vl 6тc`4b 袆|(aA$mf]g쵀LB, w^!ߨt"$_'D7D5XqmM#t4n Z"{(Wm]˱wSH=BE62A !D~d>76 '^ փS҇s_@xʕ|t&ws0hҟ=mN4;|o.n70zc,e*+E(75 fD.qI=#aV B=82+#TLOdllP~sq{$v ~~"O`vKg;ߌ jQ IDK;W<.;v٧w_E{g)( V۾.\VxOj^XDN"*@D88;=<ڳ'\v A"@A@$so`њX4W~("y#NQZ   4.q*K Om"ć˧՗c<{x,|镚p !}ؐK0 _?Si*9DW.Q^V |9}c,!D`t= 7VyW"oG͙'ƅwу}m* ϰ4˥;T`d5an$䔓ᛠ"eQef"Ԟ&wk}ފmG}7CwU.pj7s1_sS[[%6(C=+vlvnnWپ| yY{xv>w[SwoUwkkbT[wn~[/jȱltn^!ʥDz<*u4][~Zf:4;& 5ΏQpNOdԡ6z3TWMyOﻍ'j7[W3Us+}NRUn]Ioߎ^ymn{RuԤp^BK\W 0]ӊ`p*`ia L&-"ZfxZ~WʠϫVp"9gwULvP!<7|0S\HX]q^EPs]3=f[90MbC:fPTAP՛nȚڞ5ZTE:Thi8#-#.8- aS+?lg'$6\U&A9 <`$  lط>cs][}"G1=ʕ}m8bZ`x-nӴ?-Zm}vnn),՗WӅp][qX@v`9Z`HAUК (ijs0.<+;:z%afE}= psOq+_:ls'έ;Uu'B΃`@c[+*H4_bdv;ժXf!0oh䂓glTOk8FmYߥ~~4X}Br5D'Ү'F]~X=7j82#*90t*7/D9 b !DD@@q.Kݱ hK!ʛD5wf8!OU*3 uvdmdD5hkT@U%f`1Aƃ*É>;2@BL[n幎W/ŋ-DMh_ G-m򇅄Y_/"Jeÿr:N Qn SQ%Li܏ar: )~9aPNDnn>An8P yj4SJdP.f-!$2dA Ԣ8crT]Z֕ƥ,!ҹ*G AB2ډHT*\2yM4#d]PM,2Ё`dX. ujcDa JL&O$:v_\m1cnW 3F :RaML/ǥT{.Z"?G^iAzRI&'GD# xpuQ^Ss3 (JN5͖KgI@?fU k#= @w'Hp:&=w2_?rK (t"'@p4qGu`4YOޒk˧,q U@03)X<́N΀vxSZ|`alf>8pFٓsZ(n0 :" (X^ϵP޾E'bL w I6Opi4Z:?'F 7OȝwX`{r-lxIa!$#2ɐ"%LL1"1Vs)|yx_"`@\\m@>/+tQyk{0b^}|z5s}.KX7lUފ P ~ywr)PHd<)@ !6F Bj-i'$v:'#ܬ78@F6>~!21+dIqݴ~ޔA٫~ 1Sڼ RCఽm zBݱuYG1;1ș}z_ ceʑ zOQ"9 P5t66ePy%(CKF:%frWшXjb Gh۴oqf_v6ЂoQc/:U9&jH ^Y<5ѢY) % B "#"*YKh @y)tk[Q,pgm,hWr)EbE`*ZW $T :w6ךgR90z3uk )B[Δ0#M0_FHP} ak/J2AU6pQnr dR?naPX"q\p<.Xm܊u^:<- huk9^/ֿrBDP:gKK HP`bqJfuFRm'iݳKzKA0UBf*}F7f4L|~ҔZ ƃ]p?#2.&Nj(E@`s9f*O!H3j;omNrFVVicYޮMm`7ߝ0ݼha);_z@ҷ :Pw-uegu |X@"C Bv)q(|"YYHοwzvp|܊+\:-"1m9Rmaw4kBw0-ǡ<y2*:ol[ݵQ/QGLd+ {tH>QL#{_=h{@.o'3{}®O1M9MS|v*_[b0HDvO#zp$`,P-اNͶu"zYA楔WK4.Gv"KEdF+P 5QVY􂍩`c**(A~<&}|}V6.ce2M.ng&:6 =%ENUZ.ejdX JDy%[)'Nޱ "[uhxOul~6Fz'EϘȈ#-.[μjb%֪5+ i@gfFnTcP㈋6= nm~QJ(ӂoK+Ds [@n-/t:Ҟ1g\9U3 12R ; m> FI6KO5DguKea"t%j4]_{1x'nJD6^z\gX/e70#`тWSh jzhڇ]3$+Wloؖצ0 <ӎ367[:&2 8fx`j- Du0!u.UϽ'ƙW:{/݁K@FVnqG^Nx@Dʜ&n.\7dfY@Š.=,sI/@+64Hˠ(B}6qrYrg9` drNDw ̊(jJmu{|_h柧a:t kID`h<cSE0O /߫Ѯ:OizMO9xo ިk7&0~ݯ yN(N)*--hmc픫RG~ӵnwYĘoPkhuK"`T`,` 35LߩgI `0 F\$-^Bs S6utce4&XZD QAGTC|U h!QUw=U DFD!"*@ "% oDuEU@ \X `(|a~- T);yW^cXDI#ý)) .\P1KWyznHT nh:$dmvB@VΊW;oW+@#G&M!iӆdH&^ vH60z,!"+`eg$Uw8vgQbI.hAHnA.claQ n$?8g6Y6L2l ﹻœ$l7v({XhXB0WѶ526Bm\,XϷ++]d / m߾:8RI ?}^_ ^Z|b~yT?ݮ.,wWljuW,vZg@b9:,7f󯠷Y/Mܽ.gوur.h\!%]3rͲFKX;]Vg;J":V}Z2te;[ِsV5{w_Gy.yXB*ZlCPIo(tZUI?'=B9/oj~k4Mfě8m(d@%鑔ځd"6 1[.T@mc0#RL)tCbZV^l 9,gE".bȢzB4,$5҅ M0LVζm߫sl3 -&pe֤kv5q[Ő7% 9M'V"0 3 Qg Cs\/'30X/_#]b4YhG(c~v1*hYԊW G$dS@DASE8m( ;u#uLxmqBifjN%d:h&E` WD?ב 7uBpvpSkOys825BPɣEU"&*#^N;rM.IGLK(aøhXp0 bD2YOr26Mǿha3a jid}PB8pwhCrߴ=3V|lMmd@G2H2K2VAKH}mVK7_vf8ͱ Wei.3 ]S5k$QQw>lei`'cV%i mkk p̆:(t,c;6f K8.JX4߷m͹AdKG;ɐ9ـtA@ڈc6J1 ,O붨 BJQ))[C0.^vG-5 aN7Naq]j/t`l71zh6S s+e 2! wg+2~[^YpZ$ai\2K0qô$ R`{JrBO.MiΎK8 N;hKX?Z!sl`M+,L`{1&uG^%m1eAq$܉Dx ئIY.:= `G 8A9Z;h7hRm6\b(>KSMYvˆaA}HƵ1}]hd ID&hFYZLi)Oi"78T| dl@qX,:8m,/5*VZe!ENaĸ|#w鑌LD>m: ]Cex@R|I!GgNte} ad@aH)ͤ2!'Ԍ_}rj,>Fip۱Z!Ʈ&`> ] 4@a}OT7z=wYB!814m]Bq0w 窲 El뤻#G6x:j^= CϖpBW-3*Q(Q#Yj~@oON͝[&ƴT&[->XʆxGn~߬T9+KBg?;Jb_OBP歷8iZ5Tu+OhE;u 9ntU,';=/%PTPBzRVpOg֨_!,̃jC[k>LE9B!鴚Ō5gt9jW 1 i#=@??S|yɡ8h Q%R(R h~UD^Q( >~bW?u]-j| &ڋ2_],onJ;8p©uxJ_{b晇5._p5`Oइ.!PEC&q%հ e<+_M6ܿy Fz0 %iӥrXCsT4$Ng%׮bJ?V'Ymz(P ٿ6^990@!r̢i]I銛~1XϐL~Jb]E$Q#G,E #Evh?[wJwF7\NYBuNl}h2kxC=OW %1f.\ksk;e_G- i }'"_Ixr6LmMP,#Yi( 2<|gG+6ϖ+8ӐN` l?ezײ#?e{m 7c)5VWgyq3VC"JsaZ}ɠ_T&P¬tVyvY̴ K'f{tڃ7z ݤ\nVop YE]ijA ,~/pd{њ6 j |ۄLe&nuii?ž^:Ed,Gd[УxQ%0Alj~Ske<y7;Njy\&qkZӖ62_kajMK:G5/!o͚uwiLY1YW{ݤ,Ǧg&rgZnq.ߛh^w;y/H9o5OGm%^j* .cun[3q{K/u>G>}4苬"5@pCʃCQEb#b*5?0`h'N(|(&DLa؂ \WAN ֈ*PHsߗˌ .4Os1)t~X1 jp 206L2[R/_`#Z2#tQuĈ"ZT}Đ?:f림O[ |Q(BF hpQjp trK CƧyJ IɰwUIá~*+9L{A-)jWE# 8sW/D6 X+W>%DvBA(n(D?-< ӔP9?,@89msG5,܈ fH3ӎMp-z(2!BK d̆ I%%Qj^|vsA 90*%sz`;t9sbh3hG@N,Vi5;<|n5^0h:>( TgUs cDj@9gX~Ic? [AfNq?:x鯀Â,͒pDw 8Bfl1 8e;@'ZT\AP bXIIaH<𡳰ըR5!wkI)92@Sߐ|WM=X+=pptwm oIN1n=硅QS`0=Wg~? Vbg{B켍8uR2Vo $frqV U809ww7ay5aT-v]ײ6{Ǣ؁ioL##&4$D?!Ynε@"61WܨN稲oVQP"Р)JaA&["7 yTF×sEͿ|Uەv/6_n_~x<}vyl*7r1@u^VVa=L0]L AY3gub]e1%e͈ԀZfHap$6vhff@6fλ0Bb ~H*6'Eq$]+b\V;>*|ٽ+r/}L?tOfn.|xIjcؼ{g!:VkE\vX /v\}?qriIz>&{䱘YȊ0 M MI5EmBd$TӪnX)PÔWþ͠Ac1@GiEŅ۾KDI h)`(3K(A? d*@==Hb?3>ב@CU]@<1E.?wP/^&FW^4\e[01)si1Ʋ.) zb/1c!gwڴVŶ|<1,URL9"xuL 8=o "=0H|g}`i+Ã0Պٓ"'e8z(§ۭ ??lec.eۣ woc?_8?͎ȹn_(T mԁP+d2'Q unܾ {E3)MhUzqie8C:Out :&cnqg#*p&@L4 _kWp<=6sc<ǜ 7a;`\r3Qzc&(*r.ÍS3W6el7=>M&NGAMfq쉮BtdCr1D| DD-7qP: -*~h/ۂ!c )3(Tq EU^(P/T^8v1U F6Q:+ z n5QFVs/uབ< QՆF2}@KwU|m3o](9&?S 欰D|'[p3Uf˴qt m",!L$7V'<θG.C #^'wqiݧiΪNo!~a,(P1EJabBMk Hكm7ڤm& X^dN1q;x Uّ0#A(Rt%83z%ƅ:(FXc|5>wgQ xEy7Ɨ? CZ轑h^aPxEer{%e0 YQ1ӳp3IRJ $`),VlGҐsAEҔɥ!qB00o4Rj`^HdꎘLb(LHX2 WKj]'Sv١=L^gE!u\eDa5Wg,޽|n~ :gAV& DSiC]Z@Ch6|}w=tYTYtk2V GI;W8 RanW}mTr\Mte󌋀@~FTV߻vJ@aBu}"PkC X*:ϱc-Z(;{Qa k2 4}BijȬMB(D fbY0l@@]ѣ}]"5Wk^t=ULYfR&d=up׾Ygjl@fmZP:aXÆ԰* xB__'Cwk5~aϬ/)[HĠNܘڎAa<`5>ǜl*Nx p&Hc{V0m ZV 2vEW퓺;X@/s1L("Jo,ht eo-"hqKzadKA7yV6f@8 i`TmD^Y2| *'e8dQ l;'Z̼W4Ҥm99f!N7@t'&wH~$M}XWd2#29_#$x.cIj3_wqfmSݿ`w5 Wor{wlYu}Ss5vv[J]]wG@zÚNs K 0 W޻i}V-t괽Ƃ=!jD\Qϟ& \AO m7 һA@^^?YQZj7z{1C͟@>fg/'e@ªLdX3 _:d. )}r˜lP!wdr!˹ibEQ?*¿``}Io`q."ܔ~8;^{''j ԧfž4`; !X tA$,֯%:C׹my}6_w T>-4'/vl7/ѿrwޏFs9'85KD$D<o`LO!$ `i&Z[6={q}iMP59b_.q<,L Ύt.@3:qi4;J89Po5 Lpyy%¨W"+ѻߠL/45gd@$` Y ,d @ q,K9ҿPcgoLA8W}Ƽ\ Ti{ȆiR P 1B峄d!j~;m~Gӌm>=o*T "ACӲ00L>&pAu_"񎰬YD4V,i4a^D'2Hp$-s8Mys X^ᝎ/bm 3ΙHoL-$4=C!$V@)ϕ@4k Jfsփ"ƣiS[>W<=\wł*gg,&7u_ lΈi;:1>Cd I'xnSžõi {:Tn駺K$^_߫˗({LZBXS񛰳Gb^f4ߙÙbF =7-640~LI$e+K7DOj%x?ԪC2 !_(UP9UT(F"lQTO=q`~)T1@nTW-5hDSK@@pʊa/,#D5т/CNeU<55X[!a,T?{*K ݭ:k9LZvgd0#@0AE @ϡ 2J OrN*tfZP.TG~>'{shGVJvxTCo'_Lc)/pų0qܮ{C98g#s7 87܆F8>j3h"jtܷ^9onl * h,=L&Sٽ1V]ZY,uY35,UZ]PlHl0)L]dlޥ%uVgCSi6ݼfEw;,@<&Ct zԘv2z]{^y:!MdF! i&IZ݄jQr n͘MԒsEƙZ+;?_ pX.jU-甆xwL$ "[ƊAq@z\}O)r筳n@޾_IzA pP?~~[h ''|Gnֻ[u'RP-+>5vIP&2%:[nʥBDO!zg䯓zM>ljfpU[L9e Tl~?Kl;"mAB @ Úwޤ)Q<(]e~| T@.8#G@罦m=/ѡYu :uR*9r`8 OiQ Υ"3/gپC]C9llќ)H:j=]\4Zb(a p'1m%X63=Sz6{l ˞KXzvl-[Grzuz2T,D̓ɯf{G $;2M4yvǕ])f O U@,P&"US@JDDRES("T( 0^ȇ<0'Sbͣʼ6oB3#!^:~;%{0O]yVs|xfE8Q`i{.hIw2.& @;3&@ b-/>VD #>eVs;/ P@54'H\a寭pxuiZN|9XKL23Dh H+9_iȹsz9Z$I9òOlwO5*='pڂH8)}VmFz8mk-@eއr`WgZLhl+lG!7 #Lh!#)j$AͲH\$ǒ晃4*QR!Uc?B8>]`ywdӱο nYUcC=BXk*tG2 UKpsL?WeaD@%@AWV%޷ : D@(Ed8`ABdB~|:(ao_<**NV@mqFztQ!$<*T:\ Eai۫7ih#P6#*)D¡VڷQ['?m,3=S[P//ۖ#yvAIGK$" ps, __>>lTb*v0t2*, tTb% eIY̽Ώgvʝ0nPێn5QFt3 yjY0 SWq d.&4 f[Y ;xy&':M͈i!PHB@Prp!~ U$$Y d0J!1٢H iBųnťowi3;kqaPe+X1e(u(X_At/|u`r] >ŴbS8˗گ}?<ź#PW30OĀuz{km4b?`.SĄI@Ѻe5d$͡E; U)nmԟ[ bPIM`"e70!c/@CPQbE$odP.#h@9h*@uȧƒ$TD|*Xi'T|dxmwO}.<#Tڽjaꭼj1<)/*쿟{i'=#S{z`tX11l@C{ǀ#OCA4ߨ2*pPPMw==Yr! т}HoMXSx υjok,9uE*i=MS2 Tz"VO&u\Q{4FR"#;)@8"es>'a36y- W'(ݝ!OϽ_ǽq?Cc|\CW;(uKcw߉&8q:^^=ǤNrރ)Bg[d;/}i?DW${4<Ü )_b:j>l];'G_uەl+`GӖ۞/7P\74Z!n~~P=<1 Ȃt060>S#vR.NiwqM<[B 40!z]RFX): 9VZ2FdVU޴M)1n8TrpZ`FDFo4lKWn9Z/< cenwLqN߹~Z(chV~ cP#XKhCu^29'R>7g1ƃc= ~6W?ۜ%"RUS17"nt]O]ѻ/˳4,/F̵O/I|t0I8jD$=Rn|rq蚜|nk#˝͵lgWw& ŻH6o>!deBVqZ{h[W ˗V0k+ +qiL'h<!94!\<[CL?4s0R܍t+Xk9T Hpq"7*D$Y$˯ѣKyDʠMFJs(sV<# ~t.S3lpsuDv-\Tfu4'V~[`Q:9"gUt=-.MiMl! ;^mNeQo5AʥUfwZ/K2STc:6q=}j;_Dzm=zϟEZb^_6Oҹ0]ǫ$#>}a\)jf^ov}z5aA,o{CZ ?1A!HQ$+dU[f;jeAhA 0E?0CTxZ:,:sڌMzNooE FH5^,=mAn ~!e"gq#݆1V5qrdYr_?SJܵ² lfc! ٦`-i_)9qW.?]=݀v*%AU""s]^Bx;7mHDg}#=A8e?g 00zG]:7_Vm $H&Sp?28vWubpi=:l`wXρ*).gvo]|SyXGv6Ǜ#ʍTM*ZKቌt;~wz:uY 4 T&lj]2X(ÅXofwh`$3z~~3_{SuF\ m>]60RoIWDַZs6 3 'лmqP 0hj֛i\K~C#t݃20@J?KsGZT$qSn^7ʽQ^g f:"xviHAoa@J!uZqJݞ+5+&΋k=_iv]+!\7BޭtL ``>]3TlJFn 0|рx叐.j y׮^Uw),f5{ԤWw`x0<5O9i8pCAy]Uք~M1vcaz_U lmo3K3;eȷ]%Cp c'#ݘ/W9o5JnEw (]KE]_9@= @1H @U-@U. | Q %LqZ9AG$TjZq2Cijk-ASABpF0M*Lۥ09?Oi̿tw+ 4HhC j86oQ}WU[FܣP{ VV%F7jrrut}*|nX%sxkMFve,?[s4y#24%>x-i>1s[UD9`` FbH>n^tQ.&HASra 6a bP*RI0De(4,KADž(!=Ǿ.-xl6lU8HvVFk )Q0T#^,֊ŀd3˵mZ^ɬk_7|n6;(<֡HoFd%i01*`DYF t0"N1Eg&K^T@Rw JFU9>CUb h0ATObԷTëC~Wi_ǰ,މ|/2?-ժP뾋 M`.3Mr DM=wouv2^?[l[-}/ۀ~fj>޴V r12Nv*Iq6V?)sZJN%W]z1vU:۷VT*e\ E@֡A'J9"0D+ND$nA@5*~k+m{*ka}G)rvı[eCWWz -I:^湪inŻǽx0 eꛓc,4|lKx;9T$j i)372OHCHI$%)TtAJH_ I |mRu6AtW{̰8v Ң?d%EttՀ5E0d 9x 1XO]{+[/X`koM ozێdCG2U$Ejڀ+]Y/H T ]GacPшUe$@Ǩ4ŝzomkKR\gOC"9DRd;0(*(1gO`+>^Q~|"FW!>\~<'r<Ҁ&:%B-@!ĨTj#|OǖL2BEI6C/}U뎳|Vd%A˚9Ipf>ϋꢳ;Ϸͤ9@d"l|Fw͉#4tWN{Λ~|x C䲀>TQ -)"DMsb;pi.7)CU6VwETo U D ՁdOM'[KؓgWrHG0H l12'w CTZJuտX*#LU"[;ENV`TAC@Ծͮ%aW Uˮ vN7=7ڈxwoNw,F;7ʜτo{î0A WG8tX <Jk|\3E )@8Hک@.,n"Ej:n>뮇a+>Պw'e!{0t[rN@)+.jd2O\^=CU4~]*%!~m_8穀@8}>nD>2Lؖo(F+)ىr̢x`귤v\eζ9Zmg\Xm]q"3e =Oݺ f #qK>~rSǒ8ήE@*^[TL5uKt.:KXWa5# $)7l(+7gGrpW:&+O +|]|| =b}{or\ΜA(dX-lC"I󌄜-Q#B%N1e%ߵ^CðOY (}Sŭ/[F|ߣb?gGkÛy!G<Jw)DQejvNg.V&kQnu+ڳE_SWXI֍ffL稜R.xL*w<2¸jI?õVtgax?DfB3d;sXmy`A$mgX~lļ-.eΟ-2WI@1vND?::GC9,O1,@yh!Ɍ~KS:gr[̕*y*=׍滽M>v&j2HN"wG O!EQDJ\tL0ek8ݎ|C28Aʝ7}oWvc˛Z^?Rv`Npdk/:W$,//uFY1F$\X{sj{+(yV`ZӼ<)vpt OnZbܿ^xżZ9y~Q+m9ؿHv_7>%{Wd18n›JOs>=xRFvp$Hszbv^N#{Cxho2MʠOe_h_9ܥM_)Z2AODUh}*IbD{@$;= j %bQy6jTE`1D*B VIQԃ=QEC@PAOq~{]$.!m2p(0ԇ!ۊiHXtIw 8lVCtb;Htj$3HXt˭V&\%"g?2EF *Z"̙!ʳ"%2`Zě؀VPhxQaK1|;ν4Ay(rU kǶ2A{1{=*:L!2rA!-7Z$Y9Z1vA:zQxb`aI ŷչ>'\%r﹀/ u %<%%بI= QO0B8"_DB>q%.HĴ D.9psr:,3vmn@9n%(yz~wsQ*AV ,* H1TADDTXaX#"(QE DQEC*-"y}\5]PX-9-4{{a ͐& %~ >wSTU5M'zŸ_75'Vλ;K%뇦@]Ҝ|_*'O?xvC5:f> mЁ1$$!LHC-@ ]9,AAY(}a , c9N EZ:#3qKI NwOxlL$8ht+ П'BCkQ/GBph-0^PSM_ocO ZN04Q8o䭙>ׁ {,)tiR`} fX+RN]!'Y$d R{} [k}XKh-lwKz׽ڮ6] cf`4yvB_҄'[b?&Tk3\T ftR0dAJ։[#M#.`sžՂ!B)#4ef: ZmU}H<;@Ag*) {y^dkZ7c+/]B')xAN&#s_+w֫L;U0-.ʅgk{lfPUiYs?~=6WQPpiɌr~xps_XxHD . '* mHZ( ȉ N=èP&t4('=Iurv01ʶK^z]]A@&>.8$kLTpN~jdc naeƐUd%"0X_]WcGb +u,?N}Ճ> G uV6ޝZn(>uwܗWjwMNkv/9əџ>'}u?Uy8qnt1զޥwȜs{4tk6>cemDYMmύ&["+ ϥوԣrǢUBByX 1 T #7u2W$=aA9b=\1G``E{zl B PƁ4O0JFb̌2|.,G?[mӒ^v>9e6.9c\h;I/n|6BLIZRPW9!H_uĚ1*|̝]dֻ^{]5338'!yFˍ֔_E0f1y1 mg>+%7}4M4iA/m5 ~]ғQʳ^QY:e| vfrфt^ |2)\22tM,̮>bQ,^*21̓L6hdE#ddkTBԻݤ6ggt16`[#pR.E c8\;1Swd,ptΦ.ߢyy#|Xȯ ,Ǽ\d-}SM ($BV0DAESQņ2EHbQIW6AT¶ ߊ3BEQ]1SIe lMگ;݊lkTp͘umvO;ҹj3(G÷.2{[:ҏ4!;YTd"!1 Ң%7qfVpN籓C۬G$d] ")%fZPl4V83⻡[ҢJsϣ!YE[6kgŵR ID#qw.[$Zgbv#&ݛ@i @ _1Ph(upqH$ zL Le#W}/[HN] LŷzE挘 h:YŚ.F[&y?}i݆FhyQ*6p*1Qz݈mMGnܷ1Tɓ}%z|ن ߫/Ò.ݺ!sns2SL"93#->%n&^/5,\QV3~3[P:=l:_Cl b΃3⋽V3HamFC=c;_&^P_Au\1iO1h$kprcG=_2dE'bZ:DR ٝE5ɸ&J؋G;W2>*g͋U7M:;OK7q2yYx;}34r wHwwGw+9nuxvgѯSWv\':,}^WƦl~1:YsSpa7 yDcGq`[hT7\Wz$߿]2J-Yg#44mbͼŐdr9#] |;^*O_l6#LTPJJv[\%ފmKh$ ZP!E$,K>wݷ.o_ cBs`t}Te ںz% mr3,+(-P7Rqk*¿‫wbI⧝/mvہ8OXLA'~q^r>SPf󷚼>'zGmc#ׁ4O##2@H8ʫ/PHEpGK T/Gh&@ ӝUnvkcB0 0y'ѩ6grL'i;Yʳ?X8<,ʏDBKCK_f!dI!W]`M=X*JigGǽ})G- )4u* 1X& ވ{ di~cpt|ꨓ\%e$d)or;YϼNׇAҔ<0naqX)ֻI"heab׳x+&$4HOPI  P+ڃ|Z{T1qlӑ~^ +|ÃR(=$w7Vs`R4#V(\T"Jf R v"Vg[qy˓?͓.ejݽolWwrr  ձ̿RjF5~ztz JٚsvKu>#Q}aiiCe]Y?vR6Vxӷ٦}G-VRxؚícqw>7¼@Hm¾(jtQ,;/)CR!ޤ$DA#0&":r<7)Rzt]ޖa9sVdJt-o2v9y pDZ10␨bv9RQ3x~ơճE*.[]xd[(h?]m??cF^7~Tً'RbN,m7"  ШBd2*p'wR h];mmza7P\z&bZ&ϕ(nJfYRj.z΀?;d"Za2~ZD` `EbaIl|ٍ|*x;PBj1gt6[Olf3H4*dVC ^+xLC^k*+BrۨLO; RzB  w}f~S)x @ԃ]Fp|^`/1~I%+7߃]fZߍam)I &$A K'c2 }c᭩aOS /\ClPd۳.4d&x04 P@7Օh^x?S'wUi0I$q`7F09W T$pHhmfRwYR2;|Gk(f9mp7u=cꂁN`f!Y ٣ml3gc`..K7~]XD)m-s!~/V%lYIʁl'Mod?W\wœc{0:ZfS.8ʨgeD 1i7=t0K)mszet[BȖB Xu.I1chDjXw7tl E(۷(&׺ Im3h.ѭp>2}Կf7 vaUj} DbY[{PYݤ=ZEm"] zէZ ǐVH4aXC]cؐ#[8Q(إ}l۬Mr(s :\1CP۬s;W:v]UE( !Nhi2ݢ/WaDV\1prtGeK<`a)Lܟ'Sʛ2 BiI(JZôCQ+ ~vvv; |heh>4{~&hWTl4vzëVmQSeOVi׹DY|$&^w=\t`]]/cϔsQYOpG."5f\]s'ZX9&A&A$?f݊I-|Lڤ| 0嗥A9t@.VoXHId6>WzlR m"^ 9oŒȬ/)Ǡ@2ZE9WFLmk(zӭ'g{_PW/6͐~#׆AeGcb]C&ߍeL($GϐdDTAyŃ.+xD@ ) MsNmM^Ay܉mZqP\ЍR)Qu&Ak#Җ aͲm.qm2m՘uјs~sf̝ÌRwv=7vaۺ$!eARч*0, HA-r~-rqM}Ts%R YŕΒ)_.+A'پ]!OH%Qd]BQxv!=yLzK`z# G38J=m q|y_'9, LT>Kh4^#|> =4 djf~f\Q_Q`}HDbRSǔcc&>|#<{иexW2T5A7{vdH&xb/tytCRkbvb(&Lah!x ڦ NͿ (2'u(k ˟O߽Nojk* )aAhbT"c9# s4 B5"$\*ԏ xʀ-=>A$HoLMq|Q"߱ŧ뽼!g*Oj<)*~ $_}0' # TeEbx^bczP[v?Kļ _ze6 U}LGsjl#osMQ3w^}ff+ 5w^'*FĪ JВR_XۣĨ yWNX(<G;6wMHWbKKD`83U$mgRle|6@otwl3mZ ]6xK}պwy=vzFw}T=c0~ķlT&?0Y1 n )aSa/1U5M䪼WrGӌnIXƀ9-E#rMFt׵yJӠ;!`XbhKbA}̫jH %X8W*J*|V\Ȗ<ȧ+Ou.#@ 8x {){ܱg {/Zo_Eވr ID۟<ۆkY]?,V :pl>k̸^Pg/(6?8nS%T6e}` ;{8DA-PZ#Q@#-g=96I55\%P3qzd+01ǟɯO'FH~u-!%XZUi-F+lDϊZ &鮛 D/fgX]8 D%>:Ȭh |B2 kLInv/~o)@Lz*w[d42MRH;8߭ ;ˈ.$z`\ 6å/Fn1ȗV JA(w9xjtw:y]ΚsnGH%Kh/S~JBq/K79#b!௓Uz|7k;AKs[B g@gDW"p9ms]aHآLn1Q wAx%VƁuz-b_ r-;|W83^nblű%9GkI7n֌yfmYɿLzWk R!qscul ў۲f_+L~61IMnEmS>UݹX;Juleٝ;E@Af~ үg3YŪ4ϋ-@m XLL˗ (]\"@$<1&=uhWY%*QWp! EL7w g@ijReɊHf`QDRLi-&w@ j Tg$**K[6F#58#[4Sf"IvRp̋ .*94$ߎMs*PS.Ͻ"(raUJZ֦MG y^ۗqE 7.~6+y'l&cln n\џ\o^0It9 |]ONS7'G'?οϋGN}jbyQǟә{`.l4kЬXP4\}VsrI݊zbY;R3Э"DdaT@~Sj鰟X)o~sE0j J人{W'i'={v TCȊf誶8%s 8/?}YEj ɊI d}ぅY'V(7{g}Wa69OB: <"%5ůAE/M{OhO?pNs9@zYsRG61ֆx4!w:'hH!һ9~YO$'skiYAXX [;afSRBݢVz.v`wRVK HA8 .? 'چhz≮LJ?w>97KyWkW+[\6,Sw#UA uZf )& g.Zp *#$DF 2hy:``aU峤ܭwՋ$Jt&[W٫̫cW*MQgHXU}ߍz=@+d}SC ۮ|cC@/T4 sB"EEE  "EIAI/=E0*"*!Dq~n"PN~״Sz\hczSZ5i-n&dmﹿD6‚ >ZKBƓ[q9a{lLUr֍^Y&uHEBEPX"n ]Jnw &v% mP[#}k`a:eW#1a(] bdRֆjRPB8My#6A9E=6ƹrl>T>7 Y.{}E81\n u%64D gB[u1QEŮ9B1!4j]=ݚڐMqY$T$@N`+{]}NM52 %\\p懹BS%,E{ک.2|~Wnl,cxAf.ve t1WSdr<\P%X8X־_*٫+WҾ3(ߣɂdQ  7d)ty]{/&@N^z_S5U w%$!mS=Y$c}uF$bȣc$#9| v.υ=PJ= ſ9_~~!^tB瘆I1E4vx_APR2/iCx߄d:?+6eGpTogAcS@C۽}9Hx\ݚz?>)%QCu9P~;$8춆[DfMyw%e88BlEisuPP~>'lM[96w*#:" 3RB7"*vBtФ„ަ&% rWExL_3412c`@ gb "b@dQTLJ6w't[f0`4q]o;NǺ9u4 ERE$Lq+jq>K} 8o 5ZG k+k E<瘏}F [EKiܶ EלxJ%I_N"iG'CE[B_BmArU+v͓RXJoY{?o#ghHFU"mIYD<}]xm$!$dI5hgz߷cKE`1 8ʐVP#Wq[9}9=q=l|=9 /q:z;?ܙ}PX3 AM1|9hUft՜q3m@qƓ#l1{Y=V}'C42S9{O8姏Bی3kх!vU@Kz+Hq8^h`;:*6A^o5eFh8"g** >W=}c<[-1Bv(((ZQ6r/3O(r9";YH H@LwDrY 4 \3P/sӸb8t?=sjkC_E usL2pA0+^~IsAPEpƒ[-(1C9T=/A \˱0{kBc;Xts!jyBGkEooSn/c"54Acbʷ(Oz/O_45Y&SAT(T3  h c6Һoy,H~ nm㇀4A|/fh|R<Z}S!PjS`1ڏ=@ݵ& qiN^1}<D\ew9/.B/B30]e.YuoWgvQEh׵|64eL%(I뙹MAeV'% ~65MUnG#r}DUm5p4fG E,u\xlsKؚ0QθA'D)kA0]9wz,͝w< 31 ,21GWB,XEQ)Hx'gv9K"ɪ%01Jfz׊A3GA* KUu j`0ݩ/;sg;pw\vġɢaEBЊ,ESIҞɞvw(`a 1todVmpQ7ZY_ ZLAIr8:gDbQPM61E5key7&>?c~24+XF ߗV \!+L)b) {?~ 7wWZjzBCXfhr1 i?>i^Â#tB ~3M2bx{(d<}[~ _grת!?'E5oI/79>8 5'Ÿ3aKI=I<}݇( .;4loϪ$Np/țMWg":oE %Ө;LH3䷘] BVȎՑ"rvjk3/Ùvsv 8S:oѱiZaXQ@*"11,!! J 1=Xip6+0JD?nru zNL\vhx1O](1exSv_!i{//jHRp_sZ/{[a~|? $bC#g]?zeY'3.Yv-rkX|c .&-HJV p+ٗC[Pfʂm~-GAol_KIg& 蔬*W< 8T:G;X,)9y@#=_eJ5]_bf7 `r2{Z kqWa|kQr@D"$n>!` x0#ڕ"Q8$-֝yF Q(A}_J&,4R_zc|_UFӟwd+tL|id(Y #X@D:& lk _;fKrK{TFtr<!k^fA/Jd~)@踄zd?efq>l M'Pj:A9P0Rѝ E|!0 A8\U"֚#ǜӑCwn\-CSIugd;1XT TJE*Y;T1@E+ߧ 4Ai *Ր@8Xr畦4c=2;?.LsibPœⵤ:#9rDy>lEb%%,DK]\˳dlCnX[V') g߾rEP]=.0Ģ <cպPwv~ }cuz@x$ ZpB(1FP<96A}NQ\q.fZ!gߚkQM6.6tx1QudnI(LkKHAHEb6q1{z{owN(^/=:Vz*EHJ3q1#Z҂=?/tjoGzXSYC>cGLaT`I7aoݎT Sbu(2G>NKDaK (zq9+HVdb EUSJ CB[V/rNϣkUgy_5X}\stXē ﶹ&\C#a-d:@i2)';<,mt۞#%oa_:ʖՍq(WF.a]7`Վ/RcL۪d _GC/ iʴ/m7Rh]64G3E,бo_Pvq.2!(Gcj~_<.$0=jL(MQ)Ǡ+!{aP,Jf;\umb;(eg<>,嫏5T ei(f- G"YA00MOV)|][O6G,6Vu˻(4_?'>k;+4ty[vU ىb@VRx!eڢH0$A7FPuz#G0h =Nɢn leULnN-Y6>r0ʺ?e7s7ɺY07fصʼ'avR$k! >:*pװ|Wd1;,Kxx]}/ۿ'3hOv8mgPm˹tIM;Eeɻ(m@9h>(g23|/&0aJ'{S-— KL\C9ݎ)0OjEnᨻkpOKE)*BV ||¤ea㬟) GyJW!,"$m0(CANJbygm|V!x[>j_Nw@*9E" CtWQ9ćg&,=k7E -(NV=˭bY ݚH"#";c.Yp|Kd, {$0k8UD;JC+yOϋt] =]ilXꍑJdq1unZpAU~lI;ו۫soMV3ZՓV)lR*Zڌ9L×.|:um!b%\ IGN\ؠ?lH2.Orz "X/gEJQNCsR¿%VsK Zxd^.Oqf߁C!E-HODw l D =IMȟϙ֐MHHR1o_zοk+P (/=oak5^'#TyƋ S)=aS#El 71b] ^4+) v l@0G[ W0`(LT>6oj!d++xO18$,M6X~/ot0lgvdZ_ѷMgkÁ`#wxIC$F$npAÈ bH'n݂T㇚s {,5a B@GA 9n N)L= H>Y_A"ۭ>|yg~6l s \(YT[E 4T?Ve{de`xYݟb}7;}N7Ml KzzrUfvt4kԂB*-}ұyմ)|]g +t&ow6o0}l\2/8/zЪ(1– .YWsY]i~_Z$L#]Dd-?ҺqݬM]etc)b^2>d G?MDA"g:T'4N֭2o qW}_^؇iUHcGEqs @UǤJxZd;táटxszػooјwȻ-V;nk2$&*C_ Ĩ0X'AZ@MJ2'7VaT,_ԇM.onlg\rₚ #da !  }ἜVpovW[>_=rN׵Mu!x0(6\-3N.9Dxv2z霬FVq8~C=isoxP,X1tCaV?z$눭Pg"iogCLG(w g ԞsBI l}ZEiī+ , X J ŭ&rs_ ?uwT@jn]Ys 7=6‰ gRDAj%uP+^$I%j {CA41*vz-QOGg~g}L2_}Or%{~ sJ¡˟9cƈA<,83$Z!ڰtzZI~eӏ>DXWVn(Bb2=D $:itjLw߭=51%֮Ҷ aUVDZcun]iK@rWȖrٴ U8n*{5a:[ņid/"<jݻvQC+qg @`)! !LBſ1H>ʵ\@/8خ>nh(HWS;ڊw\?GM뱮ڪ:^ǩ>&o_DlL4;65*B3+|1({T [Gweo}8({V(k[ϖ\ZN g;[l&3jIZ՘CYɑdYs@@v3*q/𚿘Ez`ٜ>),_y:?< *HL nIۏ+Zrwh'xdG=\TYM;mx8$2EZ#;w~&]nJNXqgO|^S}.fbEY=WeDSR@Sֹ$$gI@U>M&d9Y\ӄҦ%S;=mCoVuU>(5BXM{Ѣ2C(&4Iho4C]nv8 RRsǦ$>DG/<^YvqӂE [Izw(?xu)g_Zzlַ];z|^nY>=nl]k1ÿ!? >?Yd ʐ"oF܏aOͪ,Ј .lǤZ'Y#glP6l9i_:&Ϟn!i}c }Ck}t4¹ \wv>{ '*xegLvk\/, {͢y%av8C!Ԭ0<ãsϨݾ;o{NEEo\ل;zkwz\տݚ[aF;σdncrz[ssx({FRCov-ɬ^cuS'e|_yD8:iFgUBZ6Ba'Y iu*Znpǽ;CIES HJ_N=M(oNF]v̄4g 7m v`ZYl3κwkːVSkWv2֤`qN*6:Zw9sN1'e\k7Gao@ŊoAJO׋#GUBIķM$dx6]WJQ6geK> 7}-x|~{M!f`b̨sfGǦ\v͈ czd_$2թ#~kym]2Epz)oD,jfs[/lJ{]suXb$[ߛU#A9ҳ%C98Qpz}$*N7UGJs=vֽk.أtAumBAZ҈ L; t h:88H=@T]J7M$e>+HG  ޡCq DI9~~UYзt2SǵO-?js?1%TRPSir29DGj{oY{{כuiGŅv-܍MfyOZ" HRȋ;3ɏ'Wş ƗIn] ,EAw(5-|^]\]\VLsR/aQ'o$wO?[!u L&fb[ W5ns#L #nzנ&s}8 ݎS׶x%~&)(?^;dT  @SZ~ZW'C$h[ekzӭM0 78 A,!C$V˜SJҰI!ThJ5K G6/8v:DeГiBtqt<@O"5p^̡R: ! gj<q$w|=\~ߥ0 H5}4n\ίYďu(\\E'Sznkvb0(*\#Ix_]q*n9]"Pvp1g&X/].S ^oߥ'7Hr BX55&JG4ErGqk5Ef#a1j~?jd H}X2mY,lm Yֿ;(%2>K,گ(?ѳO{V'"*! q]XHNI'?R&W@e8A!& _Q\6ލ )A1$ uQ)ӣjUGNT@oP&FN}D?^[QޯqmV]MQW|[.[z] ~++x8OuAW,vTO8L0WhNru+ =Jy{fXXM(72툔 BҬeJd\:Z.]n)%wXw~Dj[ [U3Hy5VVX0 #3d$jB=cȯ WXmv| x݌\ގ4{;N|\8r hR@$ HnkCJǕ~oD$9T!n9)ϫ6|rxQb"l.b4?Fޏefz\CFכr٥xHuniw`@cmk7LF_{h*asውnOf_fGە,u3Zir6w:~+ھ (4Bh#"1=-DžumMi{CQd@a&jkţmaTU|dNy4tmmk#VsYBX@**5w#tuljȫPP*FːJ:W#h!vTDkʎ$-2Z",KV ۻuᠠ:2]$a5n;$ϜqVM&@JٶkIFh3sHS N^YXԂo+t :`Ԫ޿( -614=l{rg|}i^)ِGئ bNަ/bbH0,)qswK!՛J5Q3)3HCJ]ʾH{:Zta f.5x|5DCeLƌCtE4BVŖ%/,Xk]dlMR|xaPZSH|d:%tP- F, QD ?!M_m/ &DTsrAO)$]#E@X<轤gޚ;W}"  y n詍!CARl@0P/ _D=*{XVGf^(`~7@:[Dõ׶R&sY;=ֽCk; @Ӣ!C\y9PdITTh,7;[ю{r5u`h"62DI1/,/M %UaP֦D8 TlL-I d(Ix$ քXuvC;+Hs˶ɞZ@üELa;p O(_殄EǀЂ XK){UOFAG?#rVV .bd<Ņb#11) ~Fz<c'NL\f1pTX34)Y+gwND Tn}vкiam)ΨCV$ @!/PشGv/+n=BEH"=Z?Z/ӻ,m8tv<_\ 0t_v8D9cc'[(Q DX' j{idωʀrbPZB6KN |0t6~`̱M;hٖ a&$q*q'Xg6!XLC9U<,~-wq˛' f$@ EY dTu@Lױg1K[霔F$\Ҥ"nyOYj)sEcamj`<*γղ.`ᛥ z8MPHU2X7O!!SA޶uv(X~]5^cٱa&lm˔Q|;D7~\xQL<ڄ ( EǺî˪V\^ \HMCy [ ۑw#{}$^hPEs(gY}:তsv9 0U3%?`Gbr ៾\`]:]- F/#<硟;5yi\䬾pf,?">nGfex^Fo<r@8ȋmάc| E*EP T,MEݧ{<֩n9f A\jU M61_%{{Bi h(SnBjj-8;Zex6lQ*B'mp"'`U\\LDd B%xY Ŧ2jŮ\YumsIRR&gUyM(o5p^8lUJBzO',*Xy%'*lF 8ʓ7Mm &{Sg~]H.H `”$K\a")z7HDǡﯽ* zf> J`nǣ9rLO]wO$ G!58v)AA(>@8<اrܿ,aӑ ~;o6 @͞) Ej s왹a[g{I C!7$QkZоe02KSߪp$X\+NZAwR3 "Vh>]ۿ]Vq ej (ҠIXt0 v"@r: *xDF+C5cOye6=^S]}xTL_;n U1槃Oޛy ,-A1^hEɆue+ڌ8 B$2erDm!.P,P5 F@5e^\~r|H(,!T웷Pp/2p.LNӅTx^nA%{ { ȗILT$7@_xXͶ7·H: .]dwkόop"YA f2NNL>a$(ǀH[2j !$);QHs[LKj]3Knfj1Q*i"X"2`QZN>tW .D %I ZTR'^XE (X朗Vp'~]cP'ECvId_֩< 80՞.k'ݻaCst0W8it/oYp?hyT$$G+}@FdJ>>Vrrͱ[bfkIS:dԐPl a *$,N( l t[tZ.x\ GgF+46PR(P\0r4Id{A{_gqv} h!0x!@,:Ѝy+Xw b 82u}L_Y>m<< G@Jc*(go<SѝfuuO&]qs%[]TL"#p==|bjmOkjUi֡$j4>/= ]΢&)1F]v)1A"2g6{a{N"j Rm,KZ(+:LBM=gc]ΧǏGRyMB&f{R2Il6va;7Og#Y'hK]nm$'pB Ċfz<& uD"֏E>)T' vA1|}0Q)@ @Hc?@G7)W z'vrOÎ\hm/uRc{&~aiPXQ\ f`B.@&}LD^Ѻ^V7@递"2,Lom2;\60^AEP+-yi׊mT\fE۰[D/AܥO7O'_7l +ҭlEAlnh e*HP(U0[ag.-P(bpêX2m0WO]."QI߭*6X4z-v-h;GO$dF@.\S($h^tJ{sKgdڒML4:-=Wx)DQ$U桕F27.<]~8xXekHeh"5oQ0@CGM. 9j0)paJR5bG P$ 8 ʳ:LJor~- ;\WoL>= ~YŖcIv<[<1-Dfo;G9߇>s׌<{d :d:ZX6<Ǘ Zeor>GCh.a?.B 'f(w+W6; LEAO,H+kR&K,)ež>?>zSCXT I6ku'b%Y_>^UlЍNMn戤֨ t*ĭ&$r PVZZ`33q>TyWS;Ro 7aHI֎>G]Jns%t)dO?SCNEED`K3f Z``@섏K <ާ>:~ꐐGT̄ل =eo>b!l>UqA ~ (Mwln<{-$*hJ:5N/bFοo (I>p/`2 /'k"yAA87d!\teg/W\zud P].G[)28=}<4џAWB&*]dͦ:T=}/AcDEl y66"ae cq {B@C{j]$8)6r`bd l#uPMڬy $5R66"@=DVV8Ę)QVosug Jdd;솓c)Ud–JT( h̬w7\Utjߛ?hJAI!#+mx2~,U>G3Ab/b02[}.M%obl:jŽ!\U3Ƙr .tbu+DS9#"#ϦD5:)ӓ]kSCz:apL{] CG .gF8kX+H+ \h!=ra9x(e[yN U>cE_= v,sYιB<>wsҁcG Ϭ[^yH()Tv5%zU:+qWɵUy4^Y2͗#obT@ڪ8<@ ,xK,STقdsd$J>v6 ?zj"Q@q|^jq_[ D`DT@>į?܊I~5P- թwjjY~E<k (DH#FI1N̗)%+ m B,2mauK] p;tа~ׂj~v8Ll Ra[o^M !\}\<>qOXP,Z7in5o̝ZOOA+9iCW Vs'o|o:(`,gh`\)0#)42qQ߻TxuyMՙVĂ<WuR,.K~{ :~¼ү7Tf pᴬoOwȲQ2LjUH#&e(u?R>6Q1N8 L^2mӧ.3+c¾Ηգ^FJ$ t ه?[ONU1hD,8e2xtB1eZqrf'g @DAPf`P_9bwL2%FDb a4 W*f+"FTN-NNy{6̏<C\}?+piͿKF$$bv{*D b{p0 !ho[q7S`M㑬G1 \uӨ*l'wx9hݽ@ND<>bC'դMT2D!nxGv!( rVN}S?W=|}rgoND/gn6t7ke ePR]Gܪ0h]z۾}#Hei/%E}pg EuD8QfMq" >,iy NܑbcEPBFbdWˍf6ථMr^%20 +sIҵwV~\XlURQA 3TtSKۻ#VrWQE9{#ɈH[ {޵>Mz눦/1\B?30./ x1{A T!#ɧ $P>N5íRȨ| Emkti xh` #+(|y͞lR 6"FP'M~yx}+_1ۧ2y)z?Dћ [hH; 㟉k0oʼnᙘbӻ.Kmr27\ZV+kW{%" AD  Y%&" K߽6DЋoL.^]:gfm.i!I@RA!n7EV*.Gs4I^OC޻Fl^]Cmk6Ҳ cs$Y>LFm'86q-h#*_ڿrf[6Ѓ|'w%1,^p q8Kz 肚W*Ȕ),$@n-eT% e#{X'Xi={ R}eex~AeUAkS!L_Ne|T-z cR *A1PUW ԗd]mȇ}l h<*L QVTz>C7)B-I^]xV.-&۽mH`*A&]g# [x .mgPթ0ŧ|.TwI?A$*I cTs@@r'^L|eUO$,X*/A1Wfmr奙KiEoq)K#OwQh׋vZ,[JZuvGtQV"(rx\~7/S3b/R_[$ȺVUOKOc "_c~g.j\YDxUÜ]hMFYfE=}/g"W4h:V $@pĺ3tB*", SbVZxdzm_h`U~aoaV&A%hH!LU-CrK\ga!Men\b6yv<~뗒DL:{&PJS@[Bfmjc|> !ָ-N)ag-ZhײmC0㤐A#RRQMj8ݡ7eddbzW$o:BWdؘpT353]ɲŢ4ۘ,=N,jPV}Wl岻qe ;E@+!1y.q˟yv2ܣ?mM8cG᱘8# ɉ].I'>โm T8\9Pu@ؿ9+s"ӯAz% i%mL/kKN7'T^=saؾ K^?^&Cu,ədnpl'r6wz<^sE04F0im Za5voGdz꿱G׳gB(`,=6 s;y6e7.~5w'J{ykϒs߁V2{lL_$}{`*-4?sVoSv0CzH}@Dzm.z1 idVO0$ǨcvX#2M^N;!%D0=n[jh UWFB b6gcҀƍvH^~`u`ݓM@ͪQ$A'o%X_NMZ#d: /P;=(eqG=js.贖ã-ENMco_T>Ghxpw<5Y1̱=e 4`3LL V`Ө3Eh1t]6L2Ȼu 4J.iGw.Z3E%*LZ<3E|M  l3Dי\#g?ͷT䲼uO M;^w~O<Gdg*^]1EQkjtxab"=~% e4vn0$Pݓ'q]st~kǣ:3dÉ`(`P4,, @bWb(^c^7dW^W,#\hnSafJ~LD).e:5U.:㪾?HXb1N4gT!i 4bg&ϯv}V&TSt!-!ϊΧƒݔh$>4a_6&eK 0=Rlͼ8^M6Eu4|ԻrH $ANSpB.6#B57]h5 D#|OT!z_*S%gyØ 4j ֎#uVF.WrjV(e9m;5m$j](ۓ@Q-AZm۔ $E3PQheX2-^zv0uy4%vĭ]buSmFnӂ;0 %;<õ-1>YlōlnF NqP۬1CPxW_;0OYj@`$!:qtv~ *YzYC/˱\o%$FvXSn&kb1:kήh2V8w0x^afY_̾N?WJOvll]Z OgNwx%o夐 .:g5jd ;]]y9sTJ\]KM~/XXaGgMa9G\rw +CǐA- 7HR-ɯ(s^SpYO7Oz9Z}fm|j3 vmڒh0BM-[e;ocTk34E\aAK<BY)L@(!Ti@m=K]A !B@SʪќcjM,gGqPlQD1 WgKXHqF\r# ~-< ~$l)'Nl8O(\bq!Bvxe)aru?{9?qcm(٭Hƃgn#:$s[q"h޳pR(g1F[54a# x.G}J] ?l]mS(.Y~aE&qv0g^$: [,`L{HQ!cbǽ>gNoaPz{f-6L*+ɆXcwqܛ +)wTMr69t2c"*dO ]`t/ĸ Ek2&[.,XDV-ӟLUvYiĖZ5QJ##֊ Y%n}Řhvr\Y}J8 z&"^]^~:hklLyYa}0`ݻK+_D%Ea͵'Ywx 86[ڻ&'oڵI)tUדA~ApV6 ScT9yT&9挞ŹՇ?@YsM%lχqtBc/fw&&s.ݽC䃹zL7$9BIw͏5Q -ǣ "g*SPm.$]<zYB:v)y5SugǁB%,oK$S0"Q<ZВ 5o?0Ab PJR*U 2+bOI>§0CxSqrhmGrWP& Y W&՘NU>Z3BEJIDQc XQ168qtH~G LTBn{6DHgIx>T!4VRm1~tϿ0eb V=YÁmbxqPL!6 9Yl ϫk-%ݐg'q * ȘimoG{  $2PG9+Ǻs:~/|tt,_y4^VZ"3d"ΛVPnh6*!J"VF"Ul~!ë缌l̀c,[12he:{5q!ۤbP{fșB۩ aQuA5:`m3aQ`bq֒{CZIuᖂ0qQs- -9ԓgNiJw_f."+^GZGE,EՁc${K//b\}X/ P۫<)DFRj'w\^.y5Z[pqqW>kTUYm]~]=؄tZQ\/a|-ю6z`B&Jіn cU9o2.C&K6OcybY'>&e4-@( ANU;&f\=Ň~ln[%%v,4!Wms(Pήʏy6jS`76 &xe|2_\Սb܏Ungmٲ*nezI$RPlmW%ZYJ3;pP_苧2g9(,raj.̱:\ Kkf1\Ke)V)kec}$rVat2dÝ,<ƣ:IvDM:zۿ{U.ui^H8*"ˣE+/$(AEI-_u1-V*F7hғik9z,ؽ{}#h+14RqZ3*1O93 odu@j##\QqC3U=-xe_/[Y%w<E"o!b ,[kb`/Z4 $ N0"q(f(4I561LlS% F4mQ"Atu[=~MZ}L2_eD oHq8KH%3J3tB"@QmeQ/3 :f̸v *c6 `Hގ7AWoL̞2|dՃ=NHMt=3PH6<ڑ"h*V^ns*Q F;eD נ rbhK;lnu| -#3޺zfn/^d0{A! #qj 6ٿ`@P'θn`yJw˕0s* 2n羠 =xlņg6B{17w%Jm^Uip:_p8e3Ao2rH R4*_}OD)ļd䲪sd!ZEX| 緃9=|:xnSs%H:u/Zx$,켁K,{ ._U#ۅ|Ԗnm)vGl7] #>&!(zP,[KQhǽ)›}}-ILmdJ݅z"_4pA]#캑U;;(S &8"u~k7i[2ĵm2A:9UQȺ|%|6&VG/QQW$kJF.?#SFʉu7;̷*|!1_ѱv-n eBVK{<4}ƯhAulE:׆.{$;m.KF67i "Zv$N>>:{L+TahKø( D8AӢ$Bk\:qJŖnG u ]J qTq @I5]P)`A)3BN|QѬm˼~NIma{8ndE~P0`dlS٦x4I<\\ ;qtv-+O6KD Y虱N+("`FDrxq+AQ3#݊C;&,X6Pd8|vX7Su% UHiXh>d'ıa6FU JU.ȇ9/I5_Ն /L{K;ql]-svJ ^bӢʙ /kUf"PJFBF̋jrwn{vb9l۾ѵffgVq0WDwa=0H6؞l|рR&ݶ&-:#h7cI_scluň~JhwD$cF&ȣ}%w{+gi 7܅~+8M:~Bc/NmP@0*APv;KFmrre!a5WRD);my{HQ@!v ρx8 lߋd!$ y "Cɼ$ۗ1M=5;cc;zWgOGiz5J1J&G *҅rAr awXzmY Y l].r9!9'=;@0n@ieMöbH\kY*?'7 Ǒ/^7 EnH1Ek@-OG,ow^?F&07' t=۹g^?cZB6{{ls$PGW-ɜ[_3ۤJ$! %FB` kP{"~̢ҤS7xT{ۑ g s;zjSME{ U2P8̅pŽwA'H#`ʵ([c lWopsו/ Ubp'FQHK&B#Wɑf;HϝJ0%rx5#3҈#ad %?rLi9Fq~+cO5 e֭h @:5h: ym~%sN"Rb^=ABT|<#kRѬQƨ;7S-> z7;"VSj{MjK4&Ŗ2UjqI|2(jU$/Ww`d= N--gKs#G ܟ#$;KcglG"H@ciL<1ZU{zC9ݍjZF̖?_'~/j 鼩aEY@ӀU鵁V0J],DhV~␾w ?rk32'.;6*>k8XR9EPp QUT`Ӯ}=c&}g=%Tkw[]BwMwFAJVlj1ï'}ne=u.m+x{j\y(rYK VD  }ǁ<(m7\  D=[Vfd.@c*?zIr6rl̀Іа`KWSM{hcz"AD$V1@W?}xa瘨?DU@AA$"_O٭nX6@%#ٌ:söx=aeaR;:D;/JFwW9; 秱 D(!H; 9"E2 [ZEGTF7Eyv&l'i dd`1?0<"f9@Ur(:a` FnÜ>_;OKH:/ƤC8L&불Ej˭L{ co`Q6V5Z̞[r@1w671#,*c$[`׷??[3UXHRa!UAT n}f$갪( )mB\|,?M X yck܁,u2?`+#3DkDc$$J[LL šJ XSظ" G2ꍶbұ#+BV,&߇ ms(U:Z<[9%i_. ƠF􋍕_Ӷ'GR D7~WoSH=.@77U!Åp'u|ecbwZ!x*Z$S/K쑠4exl)c?Fιzj̛3,. F2x06B dZi /<2Wbb_/_da hg`SYeh([M|IT  Uqƃ;$_srB!G?F.{=FQg(.*]ft"iJanxt {Nۆoɽ0mSØiQvmfCPYtXj$|[?7[0%+ߛ UAew3D@%P(ԫIUM*B$c{3hH>5icX$smVΒ@::l_RW`@:S ཏ%#R lp._U[Y {1pN_!{mςK7iu]#_KO[姴̠Ջ*[Ħ*ttHN.6ȵ}V')fXyubNZ$djT`,] /A{!f"dUϝp %33FHUg{7|O/fp_SL +~.70:e+Y7 8Q! p^|X陼ϝ+H` 3uRB3QS<"JYQ`#VGbND $J\ XnYqA(n,N-WbfϚ$K~y!֦֧>WWe41PdJ5oSţgh`;mݚ_~d{o L2e6EvV!055sL;Ӥ ee7X_rÊ|XrASqw Vbwgߗo{pgVı+I/3BG޺zuUn.5eI`aB7P2pn$$bُA4/پEz P9T\_d5x\}PD{Ywvu܎+0,1jK"Y%ȉtsl4ZjS(t' >E(ҥ k \yhoCwi [OD#+'3 =L\YuG9aU-tߋ׎9ĺ!q I Cɕ@M+l7]huk7*\\2GMm1-)ႵOw <6٫l8@3w2P“<4"S9,^ 0飠L3ÉЙs:bjT[iS˹HI& U <#b2Pr7v:xPs{ב$פiR q\m7N;+U 1m0LaBگ ɛ j~XDy8(5 ~MsUݔZS+7i2Mo=ӦClj]ͭC}v*%Dm1b*ט?M=5׬Oq& 7-WxCIYoӃiC ` %oyrH$ !5Ly};코I,T\k/xnlhL!zg2pq{ gY_lVx:D eeomv-5Y߸eߏ$b[eCzxzÈb"&@Ln,fm5}A I﵁;c7ot{D;z}{B:1%fEό_Q>CU3aa3^ƵB rsU=]`TԢJH2A TX~o9EOT|H`{}b;Ds PFȣqBSMV_d.].7H(`,Q,n #vHE>[@"+}`*ס* ~$." y;oHz^ߗdkXOx*X68džntȀ.hYD!q/j%kOΌ=qSX.ݥn\ۯs/ɂ BMAzLAu <[X?mYmp;?I2yh>^8Ô`,!m?/ǙB^o1@³j%u $ y}1>:ʟ-vMl5bs ZPdȌDG&w)\$ܠ]@q?u{3n$YG7s^kX%y# {!^rX~R@3w.abwr0M(~oo9 ) Ot[QJ盒8,=q^c-9r";}(tDCߐ7C匽ʈˠRA* 'w?NNo+)ʞTb۹C  xA(jczキ}dluC!Lw/=."/c^<:Z&MyVAH$XYV5n\1VW|Ji::}U_\twƢxPo>V z"PCeCgq`X~/Yz_o hQFJd:;6XH&ra,$zvnyQ bLv( " (QAQa@m7}f$"\@1۟%=\=UIeQp?_{>>ON86D.zb9~uZXT@<,1bJ)tĀCZ'XYbC30J-i/?M#> acʭݍq$EURơ qj|֮]:uIGxԏ<-h&ENCGoZ]H Dhi9X#m*"SpݹqR6e̪%>g{$oce\5v՘U3T[|O6ZZJMSkhğn; ғtd@n_ 5AUߙ} ̪SM$TB[ y[룇(^W}ټ]cp]-:d86ʡouh9n0{I??2LD{ L8 -rGQK^ 6,3Òd{ɛl9W M.|f}g/3 gm"29t#?rayy0|:L/Am.yg6ů\; ]AhU$oIDHM>Oũ~gzt|<"Q[MFn/eC/&{[џ5Qp_FiՅDy8ڋEtǫDLLZ?$˭چv#w=RUdwpu]UҴ51)TgC($ |t1x 8lH С_k?67lŊ1 B0Lwċ>Ysfov']c(oO&|BS^vϫPᱷg㹢qI^Y!ef2vvbMܛABNi,ؚ8_OSCʷ(Lۣ2oe*ߑqۏrGfh5(ƌ4~tK&请4:+u\aFxWR|_Џgp,G!w~|0Ja|" >B\ڧ$ur}T@BcAywфӱ3o,h(BX~ kV9ଗX`f Cw΀c{SgRv?u"QVߤ=% QAV KYȨ*E# ("F0F1E"*0d qJ;'|s\϶koDn]ā^ 2љd,~$L&w`j/q2cC;QV<+cToW%΢G{$jMfEu_&@ewcXGu$pNF;{"(fj=xdozNfr&R2wZ,fgU@jz$A?eui.@od\ܱG0cHDA1z%xQ 7ByU~W n$q0^RE ;h[]d`khq}]#rw>DpTIP HCi P8d%6^K&--(bR 4 0Yl@rfZuGMCx+$;s[ޞ&hr_X}'3. D73wos$=forl{5Vͫc)twNERGSB}$&"QBA uxb栳iYSӞƙT@鵁$QDĀ'?Ĥ{OPM ?4$tvw[Du1$xlfOǚ+ݚ>hmLǫd^G{zҵQ;3wB,U^X#́Ӯ=UJZ>XOGM{]x 9^uOq#gkX?9RqLHI ECd}Gnj84-W{],7[>#J9ya( !?`!BM?CabIkt~:+o#یheڮ0vgH Dm!cx̣pf1C  I"2sfUq4ٔi?ZCO<~/K Ra|#-ZNAQ~{v)8$(?;y^i&FE#X|ϕ&d F$R b2 d` Dźt,XDz"ԫDfB~J9c 1g3QX][.+_pf/v5ϲlJhc'ePN17#QC019b@Bz뱢X]RJ(zur5އlmKO+\ (wNWS ]7Zr~"#ejŚay+SQJ:;$DVq9_l=“A~W/q{yշA?Pla ƠD|6Ao_ѩ\nq6HO342[Zkc%4E$;Ŕ)bݾog RC ѕ)@* P Hp?6U ȁܴ%HVB( " @Y !yXAh@?|i-+GOUk!2չ=C^ \G?USM?v9v٪vZ_5q@ "|C@#0A:GilѨP',qqȻ>}kw4z[A)֗.dsjkL"Ls\fkK}{MN^mxgx ԐV"-\aHnFMV._ۭkmiA[, JA.o7+-!IfTEX#Lbn~V@uR.B\6ˌS1ջ$]D\bb`%`bQݝOwYftC`+"S*ԣAA.{go5?Jeu9ӳ=U%:~7( <>xQ*KZ(f*cI@#y8{yvr [^2%E.Ul.P 3Bg; `l@XOV1Y 9@&-wU`Ϣ ܭHVgw I^PJۑW:ս>:oZOU T-_7QjCC{nL{6\cs4 pwXcA{^o"#~պtͦø&"+R/n\ =FeomG4mRt\#!I5 - tv o穠PAP`aEn4-w Gq!֮8`m"D.v%#? &EJ<5t  _ulѭCL' r7fԣ{ ZjdQX{SuMw~^tJu[w)kpG"[,>{` 9d|OeaBSz%>ZKNBd(& $lK6sȴ;Uj$M%H/d54G1:1IFy/c} \*delWV*Iѥy%oAGݮCP-!vlYqcL!ω6mXcffVgc8 S }|#'t9X(t55fȜ%b[l80OXyC_ɼo%8j,_o2+,Y$MЉ bn4&AޫKT41U%sjFiX~ %[}oc\ _f %َك  $K$LGq&mbTF<${o'䍹 HΛ`6ig5!7ت?U{:9@#rĀ&%g^"BӚQh ܪm>! h}#dn"D r[ounV|)6-~I9ZlVíƶ3V$Da݄ûuQ썡-?"\zfu."9]vl̢(o*w2އLF^6q"Z T, Ku8lʌk%Ն13NB`els4A @w. N<rZr:vx6.[_nv;CXRH&O&I"H5g :BS .[+K =eRtYmVn]țFowBYލ=2)Z X"Ψ<. fH#Yrvlb؁`mH\iNl0ngPUՙ#e\ArkevA`dbMJm6Fqa6=p yB,*""̵Ug DH)3269-`m,|FL6ݓ̠+P7,lQ}\\1n!Ka*xQ)4~UIq[6GSu-U`֥AM@ى gݤ㽄'-s %{;<\i9:-r6'(XEzedHL*l^'͓*k#,I<57$6n-Z* x@;/( ?aSYס*VAnUFY, ''tY -@ 3Iqfrc@aȎ|ځ@Og`C5ӏo6E-,~Ryؓ+d3yF~tIͅ|" &S< ]%:_7,?"O!@MpD?&C:=?癏4`H @TACulgm"ő@XATUb*`V , *LJEHX)" A@( )L>V!Lo̻?<IEnɖ۷\; W vu#댲vNzyuN,.6".Qſ;ds /P{B?փSb ]{(Gk>T6;mhuA?}4Y9.$a\ P*lҚ̺{Hu$<A*63٭Z" 0E4Γ gV]!{+bZGqX:hL*~uCrʠf!uJc|AN7bNiiE [Dquz4 tȦ7 ;.˚)A9T 𾒩rKc>΅J:>uot6\#/s7)YsŵfRLgEf nY,#!:6Z&83&Pd) qXV82ԌGݛDPO#*2Y+G@`)oVDieNJ`3oS7GSj$_D.rA=y`.ί$evru+6;gub b}ZżrH\{I>kyv#HGH"$&xB!w"9ׇi>Y 7,mBH=ȴ [`~ЄG!zZTURc"{EA:Ė\ƋmVJ=`馦Q{*nEiYf>o7| - ;lxf%z@n.hك. c/L I~m'.jG1!^Ҋp-,t"L^*MӾ=:=h@D=gROڪ.#8p@ >sLAH QFDEUE$(oTE(Q+QTQADDdAUQTDV#•1A5Z _~?m"o/ũj1r>m·/qd @;>Sܞ9db@.?깾=HP kNDrV}ƾf}`ԑ ulzITQC14" p ;?2eyX|'&r<Ȯm34S+tOdqT{QC CSO79"TqiSjsW>g?7Q{pUuΜ${h1f8L,^VA8( GAAv~dTu]j\zT S^lx cEQ<^*ل}r#к3fL?y"U۽v{vzLf]z`7Mo^EA p/-ELr1Rk}JIHA AfL@/!xBOGbxHGak'1c!£<#Q#^>XU>?lw}% 2dz-4Zmh{gӿBm 0 *1ߧgqW# Tw>1ND39({wCu8gt >q 2XwR<9넗Է5نyǬT6&i3uhw9KuNuQaCj*;U"'}JXҮnk6RTLdjdګNcDɎB2r lD(Y/>AkΏp}=m 7E.DZ } 礭Gn&[D)x<_uVb{N؛|d˳zK[Q}[jMjrYv2|}Zp@$!dPGb( ^ w?Uiz檐 k6k/!HpeIfaL:I0X,@ noFE$<{i^u}WQ Ӈ3`S$C$, He5or蟣;8:4EDžCqhdW>?$CT_vGb;0Nj&%DvBY9B]zaeuC/(.7p^pt*0!!hr&N&sOvOK瘌-3'y%oc:pٳ@,G!@} :\΄Y0_(#Ar'5,CA1-XRz$TA)G_RVlK@=:?K|̓uT(SIE'6@D[ &a9JbMIמ7@BvO@nh˝6(I 0/7޴#{ENEh2sP!9R+ 2H)bwarɥ1Rŵ9wx-Pc&cgp<2xikDZ 2;G1%=퐦'6KO Ղԝ6 2$wG[!BpgxQ@ĪY @_WeD["FnF6VL;q0!GN9B sj\XDPiؤ/Dq$o(T _#&jwhޞק%mbdFD A<}`ٸċF2+`gsC b\O_|Cdlnr&$b qĮ>M TRY=q3W|zTwaEД/ `I$b*: /rLK`@"THH Bbw@KEI,8C҈\UHXiLt..$G29/3$p:)qw 2*K+^oVFy( &o(, a7,7٥X5TVoA\ΡE.*fIFNAK/Ia$,~+~$'_6ȭ<>Lx_kOSmXD VNV~k6i&v2,EDA (DdE.z#PE =c k9e)ԳV%K+zQzaXq+ۤUf45lήm $F/>K/6E 3ws<͙dg`Ykɀ*`\QU3D_h[{SDH'b7سf.UN{qɿ34LYrUP!.EK',#oE/t"vZ ڒv_$HUw| ǜM+T8~cѴKqdf|So+ xU۹RnLʹfKcw tE`BXM EyݻiJA~ ˳y:sUѺ}K~`1Y)u?/!/Mmrgb=_Wbz8+fޖQ]li]r>{Zꎨ-u PU.cHߴ mc&pzSBt#7{0m|@BL2 d B?~A(C!$IG-:DB8A*f%8iBVRRcf?O3D2?([g3lL͍O;w_Ƀq"p܀~lr+\xgs<͌w׮Yș2Y슘Y]!+KҁĪs, 40sj( ""+jjtQNdȞ{Hoq[J]\Lixƀg!ct<%dyfG֗̐nW#G\$r GTءEQ/{zɫUcd>Vp|͠n~~W )E , RaALcw^5d#s:Etﳃ@r/*]ݗ#`IDT2O52Xpr;LUJtW E櫮 N TRDV2_*# De}<+,##:|zsqjY; 0Y~MYĐl82?at]eD9ee?JJ_衟 AcjL"#TZ}^^`)u֕Ywdn;j_jjyss3-bNj:$@@R#H*(@ȪD$z%" DP}}<\n-rJO|?Q()BQiqU :)CV>+WS E-ׯu~aF x,N=ˍ0lEK|A@7`  nKnRܵoZdEйH`R>&gj{z/sb\Fcl}[nh,s2!ڔeݗAL,?c0m0Uq"p4nBD┎+-` :{h`@ |6ֆnm ;82 AhH\+U1!/m&mtyx*iHH Ȣ>Q;I! lo[iuvNT$0BM{#Ohullq|PE&`ۺ։Eнuwy/Y |4F@ |XFg m# ܋T/Q"# _%߶KH&a؏+,4͸[,'W rI"ER惡\-RY2n]Lv죈02_,nlT:`&^ -=v:.yKy a B.F3֔L;7-5!rsr=:R~-NB@3H#"v0b}u $;v,PNH,Vko$NwNش M(@PBIa<N=9eyo휖\iCw? a`Cp1| 4XuAy_.fdz .6\_6 ‰~eėD`|Ys5;{H@Hf( =v8|]<$1> &F ca薟ŕ>O[ZeWsp {gh^;?*9^H@r4!]ǙJ!AKܫGE$lHz͊fbNH3}=Zh-d (v c7IZdKZ&IdHAiS$P( Dov-]n=O{Id7o~p'TQX "+ժ}^$~.ʞŋ>$ gqO!fڿC~RKN3~}}ϸ$;yxHAP d D@A88LWvpW7O/ŋ2l㿇&_fWsNQ+.=ZrԘ$ HNT\; f|ӫ->~ZЈ6H?"Assk0P1izY#Z?[ɝiZvYӴj.k?" -:gXIs 5"2g:GA$aFDQƠl*uVN2MC}G 洛*ܖVt5x3OG#W P) hkMѵT&{0x 53'knw>k?׺-wA+ʥi$e+U68 @3jz଴.+8R- PIsb$| vN !)jBn3#j_W;Y ~ۡ9ܩ˿#l/l|KnX y%M&tx{XZ"K,*QbJТj&Q2l[jSs4_E˱X26# A0uy!*٥G[8!BQ= UA&WO%#0dP T9yqgy :Yw76"Q1p]` SA%H,WHS2ݫ!~H-p▁I /uKv3fGTIWmV;qGAp7#TנW<.\nX 7SUCK*ua,fꥬC`H(c;6. AhTY;'PbY! >^I 0+7pyp\õr%@Q aZ-Uf4s:v{R |8r EMe9aaXjjJn.EZB[vLLi fvmM] e<˼#W`'NgĬ{8jow`қdDj1xI_2QyL+ᄒ uo6!=ǏY8H;Ai#կ35 ^j K^Jw>ʉhig\52>g{cO|c)ɃD$67}Zh"JGyAUw46Ǿ|qQ.:(o٥Hp#(g#Qm]S47*s;#Tq@D!մ9*bu֗4/:ڙU BPDaέCRO%KfU(%ѫE {N&=] ?H#c&@! KqvW }=BOHeUh_`2Bw1Wr]Wg~ez!bza@Y$q#$.zу,\5;a@33zjoc_NeR#4u5O/E8Ɋey@@qPmeᖦ:* 7y:2/?| qa$cfvmz],dmMuUnE^(85t7n1qIio>Gʡ\ënf$w[E2Qk180M1~Ş'gͅ צ;gY~R[ dr s"l7V B%Bhr1½ю =räXhNDJcXf;g1r|ygjtJB.dS:C7m=4X (t}Wnn>66I?{v2g#־Yk|ֈR"J6TV价TPUj[iƕQ-XUHq8i[>M5`"EP)Ss.UzYW?Ρ3-:Pv:!:[!E7J {*(50* g ?̹{^z}Z&vGp!=dMssz ٔT/v`72pϩ6`u^+ߧY=o`׍vg3>ROp%ھ[hⓌqsw9ǵӑd"1 h4g}s cۇ3`QNZ GF9W/F>6 G;tiQCYUãIF dXY4{&,L-& bF@,jeߖqpp}`ԎGVC;RC}'6Jg@jE$2%xg "H5{=,Di#+JM <\V3/Sd10x X(~4DQ,5L)WţU}mk'{obP_NV-EU~l~ahq_bNfZ|,, əa 9k֋vK^͇ӱl4Spz:>.[0}WщY4IS*%m+G ꕞyn{ zoS~*(H>qoQaW!/]{Bwdv’P.Խb__:t[S0pb89͛E} &2ɐG!նua/'vF42 }=Qeim*Q ˕61Ptܽ1 $n\G_msv~Ӕuhޑ3 p^tZAy =ar{kM|^wnscunf>| $%pI ճ^ aOS@`W0h+ ũ$X2Di:4Hv:DDp΅G<_ N c\[뿮:>Uy[OLb9I)⳰hXiz;$%Nw2p>GHf_txQm.:<b~>mѽxl-U-T5{Wj ]H>&a1TE9pĐ>7wx' 9:tíy$ٟڬkϙC 6SxN1(Ը"  kχ{]ȣʗ#}; PxuuϕPѠ[@4[P{J<ݚS=_NOvo1RF+idcmE+l ZR%=~CI%Ed@g hq!P DN',m>cH"}YԖSN.&B;w-K6AxcI@1.B3:^e{'ه`bNe FOuLꕪQDueaW@g[bn:o#_oog+|E=ᑉ~GwUZC$rf6 ARk'a+z)8#;PRFDqGd7>s{@ncb2Q71ؐFAGdmp!U:CI%cTf qTBR#w\kHnptLONM 1}CPbs*|_b#/YP=~-Nw!J:3h& H|fuIsF6qgc670a:UӼ?rs#uQ>Q[Qbc(tui b b]YeM'J;U7{oZ.W7?氾'C~a6kA-{1i$)O;=#fStD89bDkV\A`';1c17jmzVCs9*ǫcWۉ~1{OE׸}E/7X;-Sv/e%hgͦFD96vTM6ۄǍbTAB P ##E"݂k](,Cw'6}m'LDc^Ɓ(R6r d_R:dh)Q.)OW+0+JaQEysykH 4ڸŲy>FVF j^,pcoE2m^mA0\?yzZ4kY2>r:&>yb=|b9Y13<|UT)j^ٷj}WšZ3A4!6g3W ę֞>;&>Ȳr/jnjD-فgcZŊ˺JyUsEPSК;& *="!1ʽ.r--u‰iL6/Sm8"'gw~K{"H# ^u,"/՗4L>Ar~1{{*u'2hy"!5x4HD#Lnp&xv{.,6OOXd?ÚS?0a rcݚ0J"Xy"rU [dԊLsH&N^PH ?Yv 8wd_'?~Yux\DF.X.zϋ~~z3@d+$Eb AEFDJDU"+Ȉ)$jzM a}Mq҅Z,7u93PR!YY*TƢkx~ۗB@ T mkV %edbEbIX(DX@I$E lDm,- 2"h,(VŊAbb3ƘUZ1 墰mZkYmAPUV ""l(T1F-j6*UPAdJ`DDe+F *0 mTDRҨZʅkRUnZ ʪUE!QcU0d"T+*(łŌU"E*2I# VьE[K""AJ5kZ I "* *E1TPQ e" bU h [J,X,X1E amH%e`#%kҩiXkiJAH *mQ*"RQ JW)* ITb"bTmYFEYZȪ#7~_N#$4,APDXJ#AA`XVT (J@EA,YZ(vlQTTV (hV,UTTHTF1Ab"D22U`^B@bT eSk{~!!7usf'Wu=m>w mqd?xQ/$ׯɵ1p-Fv _ R (E$Dh\ P @dD!Hr_VD$dBD90* ߠ@ y~f.D)?&~@2$#gWݣ&C! |A F00`Fj*iIB-*m012(:>yq'y%aԦnkv3g=N("QYRTc D``1IUPBT2Tb1FISvJc%DR+GWm]adB!ޔFHRQEj*DVFпQŏn %"& PEe+ Ŷ-%dR*%f@XWm"X9LJfe 9 VB *"Nv[fKrY[rx? E [XTME1%CE08QZ`(dEwan̐Sg2FML C"RDPifC(:붜Qॊ?ajxx^B@w2))Uk!a* Hv&%T3]n,2 "H!șSlCDl78Y+Α0x* +EERRy7L=^X{!wf‘>C!&*#4YAI(# ysAbp1q4,` TA:8!tq^Ex0RQQk+Y 1bd M^MDY u1Y8i xpTzp]࣑/* njUX*$Em-k R%1K' @x;#wѠ"+Gb8ҰSlX 6`` P6ZXYD1Dp*e.ȟ?6n5%[f +u<4.Q:35ab;ST6wn:q .pR$q+! 'Pw5xF@rA3C (Y x d4bAX"U(rONR)d8!)" ;ך l[8'a7*&Chȴd)hu=EXiwtT3Y:[>A~N,K~]aWƃ7r7mC( BAaWV;3|Ƹt6cybgYo(ts,C<?ٔ^oiXwS[VD `XD B1V@IUABA1TdD"1@#d H$PT$`XD$$QA@VAIPX dTQb(F*+TUR(ȫEJȌPV(#"(XUXA"( *'N{}o>Z!=SV_Ch7pN/œ| ~Z ҵue/㍙4bm䠌 D;F҂ Tgl]FX6FWd%K+#|.Y/ÏLYZDq$a,[ϙ}/k\ZWIdKa*#QYE'x oçH0U|UI@+c!RWN;hmJ( ûvXE#,`QD1REEDDTP@$h$PQCВ*"*F0LBV()HhUV0ViX,PPDt ,X$Q,TX*JĊ*T@V KdDQ"QFDV,+mDUEEȢ0YYZőѱDbR@,"X*Q#"V,Pd* R*,IE#DDTV DDF * DcHDE9Jd!#`UZRDbV[}+U-[TPVEePX1!ZmPX" 0F""(hTX)*EbDmiTe((DAVVB+iVJ0*(-b0eTEekB$EQTUc( ``,)mI*VX+%CAEC *(IZ$?E/!dF,"Db1BsT0aRER" 1UQ8Z`Ub c&0) QK  #`ER AHAEX"J$!PH%h1H" E ,ŋ 1D`Q(T*H$P*(l!l ڈAPU`"0AHA:G1e{|~., H~QC²Qgx/{&9@]xK0 a!pynn69gV8F$!$ ~^ N#_NJ<]E"=='ʂҩI//b0|t&W2Ty4CƻAFAb'4g0S`#,Sb@PEUFkY1D`("%@,ȤXiߝ@.ZJՄDtEaQ[Qشde!6 iA+#nvĘ֕[F0m*+i1Ӆo6N)y55 "Ċ((0LˉqQCWIMVifSgli++ڹT+5iC?17L Z(UPATTHHs7`l.TJVOSt7;!͒\)aTo#2<3$.R "$ r-] ?kaUjo5UE"ӽ1xcW> w }5f]Sj1۝탹/եWd T97 d+o;JmWF;lW1o|:H6X,HM&iZ`dR~% RY#?YY9 8b¼ 0DbUI`V. xr$(Őd_y T:%bR˫ғC;5QM:8. Еkg+xwѠ9,vZgh*q2uD/c֜pOLP?Z-?؛*bUP_`ï4 1҆Q\CADĻ#7wS*'ر35֒`t5Z2jHN{z&#$s ܋$T/DLhstdt~Ɖ{>wD=;"iMsf=EiݬBbɲe-EαgKont7[{{B ˿a-8.}m]sYR:8{=E{ɝ\dar4kHGA9K~3IRses6d{[΄BI-#Js]ʞ̴,.Vs3^\h1ߘϞZ @[+ k+}$4@ڲFl P[{nr]>w!ZWw֧ח1`Qݲpz}Oc̀aHB"Nƒ7oOOeWщ` :Z8r,C`핶TXvyEfXv\č%"+$psd `D`i `ȧ?ɘ>=Rj%ͣN"}oEj9Qx/ /di>q.[ӈ29RD5 I[rE4>X]oe)xpYǟ>N R(3!C{l{2nFBVh7 :3%BI0{.N۫Y6 ɐW>ۓ[q9oVߗJQW^/u;7s忛O{dW2T.2If<]_ϔJ('<o'2U`lgD:ˋYs_(ec#s]ʌ+j*u{84 h}mdDކ3(rA2sGů F$w!mky4/MOU ,Aql,RaѶbﳉUS67YGӻ2ƒ1z X7Հd O<_TъlʠXWK64cD"$@IFP_FHDD! $R@C8Վ_T =9ͷ:N?6M݂'k~:U6vs~~+}}򸧻犢jAR?WR"m{-'9q~iy|ëy4ҩZ%@TU^j9qaKO+%Ll!! =s &/iggC6t J]#}P~5>Er8٠ X3(ܼqL D[8:Pq\/ KdaDmJϥyӫIKDP4+ X벛` ddg >̫R>.aJ"N!EGu2^^B4 uJf}=Oz?ֵbK3J#b|Kem]FuppˤSCh9ͩ+k]KG1o1\=E"Bw |aR<1_! I !(uDXԍ:E\+ePpt- ׃@?*.;_vBNxn!yIՐok#NZ /`NWNQx*ա*];!Z-1La5bм2ĔASl=G Ld@@D+*(b-zU,UbX(%AUU@2, D7BsG6k@CէZqP>7wc^@+]{w @B&:<1ˣ.z _hh1$4G ( QB{|р\˲?_lKoO3_-}DMQ*2!O?ذ1[fA_JrZɝޜLtD])mtN 7}0F@,^gY5Eݑ3zE8@bDT:,QL$fy#vBI?;%/|?˓1d?)?dĚqqk3(\Bn+C5[BEM6́/~CH,X-bGvW&E J<ƣHX( ԏU B*ZP*ȰF҂mXDV* [ET !Y9Ae 8[5B [K=FҶgXf+HM~sW?ko6 5Sxh:/)rt]ߌ^Ѳ#3?N4I\]2{;>|"CypYG =),a]%gjQ4~"ݼYl0Ә0^ guL/X. >彌:%_(^_Qr陋FVG#b098 ki#6+lu4B@(,?bKg{gz?t,QX36Eb"e.qֳ}1sMȪ1E8-S&kWǘd'Sǿ8?}w~.$76 _g,}A} GC[~4V%x6.]aPcg[O?+y;xAbjݵN]9`h|eV(/JIaJR[m^_ f[tn~RQ7C`JiaTWsjxuO:i_+\W3|=}kM]R@T$unݥǁа Ϊo/fEakl%vK|2q9ʮV*k&wyi|,=[q*zpY 5獰BV~GM?/1ۜŒiB Ry y/zgNq+mR:/Tb.Ҥ$ 'my߼\UiZEWE>{; "^O5 7r&ә0#-֍\ kAJ^?v\t^DzrwQFVwCϛbab!bAibo^Ѹj~V":*`XX̴(3]g%n#߇z1˺&E7ŖF0)䑉 Cٟ=Us| ͇jYpJp3{ܖYv;/6H?W?YPTڢF1D%+(,#G՞NxVe4r a|?r?-NeQiunޮgzwYtyNew6ܗa$IF@dDSs73gfˎ]lT#*W#e{VfL~- V6K~ߪ[ 0^6q:+>sjv|`窯pe`DKpKT:Lzg(];qe5|%[rnN^֋V>F[#W*˵s:IyL!<|s $,^]G_c൮V{S|*^g>sD;, U\'-rYU3?˶cp*+RA `ٓG|S047~aPUY#%`<7wi:> # !=VH-%MF ZeR䖹$Lޏ-wx0^ך\$)\kt.CcnYaULjkV&1\י@2W#,JTĻ{MIx6X-w!5Id5Ի9 Hg&Sҽ\5)F@:**>)XmȞ4Og&X> <,5J H H%/(0) Jܖk-`gKI0õFV>6pr8$ ksΤ~Sv23]OьYd $8"sAd]] =[ȁ;G$/Jۙ&ǾE"ˉD24dMCǶVoW!c;ەYu~T\rC84}8H0:@"cX } +>~5xWĄT0ŻJOGLsǂ6oYIGyA)F-TAX#u2&kuӞhـ߸҉,Ty +x ȝz;6~Dt؂I=ry2 ]d B(hw8@273sH%+ P>Q1+sSǣbOʧAU? ~D xnstA *&\ca%|Ag-Bᤠ>џ;7#iX1O웊9_)"RA$$$BQ $iR?:n\monitJBpl|kR4$P:_4f.WuFUy D+I$hpi%BG/g1vL~vA?+ʓ>zAhڵOD `CPo&16 \ІVǂ/u-d޿?_5ȷm_VIm}iv_:#(QaXj6Ϋ=߶Ȁ4y 3X;]Ǜ&߿ֺ%U{g9oT$(z tUP_Wy~-ZFh5~,[ =&SiXJ?W4Qݮކ*xw "((F{4PJ @sl@=].`ݠa#pDzB6kHh 2P䔞=wٳ|=tnZ٨-Gx|*u݆28Y wsրzK}yж5 ;x8ۭϕE }(7m@fJd  dPN8 ;ʧ6v[uo4rh fyW^}fO̶ރ@H}8__;5w>ף@} %ƽ'wyyV*8^@(A襁ϗ-Wgk*ڇmhJABFZ*`7vggљw{wwwtA@QJR j!%$ R*w<ӜugMpP* xztx6ۄTkvt G & #@`LFF# f&&245<Si!T&* 4&ɑ= 螚SOCIM2i `%=zdOI#B$ u )`*P E^F;߭|?樛c:$vKq5[줸T Fyy<)` d-kŧY9DE((N e7'm9]/^dT"0dq r(31S`3'0:\ qӻ0ܥ0":PWۦzv);ν3jNĤ)Llv:)l9AIy?DP}"#֞`5O%U !P0)ޝ0ߚ?zx h2q_ٻcGzTNzoN!@v*yctbouэ(BUPM]@k:\4% CaMtv SN$vA34.؁ ʛ8}ywCx&xݜL8=Q/ZC(7z*m 5Aolg|`S~Oهv @W`3Hsd7 hR Ҵ$*s ;* IJ>a $!< aXX_m`.tQyE+ct1ٝ~7jME%\FDBBbtMƝ5BO}dPՌMh_PvLh&#Z(j"+.Х-4G3ѩ%t]~4=ذ;jlbNcS%T:w;ڪ4lX'j͘a4C{j]UTuTqWy>)F?Z֐7t߂X_G|+mhVgfz3_Xm*"QBMe38KM&F))\۞%d".'wxU$QnY. -a>=CBEEue-atʖ,ձjS.5mCqP-AI * WĽ% Q?AJD'׽2Λ eeƈB4sXYYꫣdtlg$&4JtqyƘ Y T9&U4Asڍ &p3YI=!KH@R4?:<#Gd-?m%giM7Zd'?[vyO"=XC桤kJgN,%#|@zRԡ{%'BP:*(]!T-!I@cKIKЍ!]#)4(>Ϗ<)톆Х)Ge6ƓF쏯^p^a=sTš N))즄;d֠Q4%%% 4bDāAH<'ؗ=Y9C@8HFh%;@AO'*_'ۥiJ+ѺDVhX4ŦI^Ohs)aB*J@nx^z7#],Y洜QNMg;*c0 g26z&I""9DV' \@$&3pjLƫƂ}R͆dR Q;߽5P/a Hֳ4 EDA4):h]]P+[PtxR FfYէ2MtXlbYJ060h,=Zc0bXxE6Yt07"MB9iYœIw@. cqPiS` fZ͔VwQ!L@ 'TP1c h)'Jh$'mŊO+f [ b|温mn:|6Ŏ9/[::$c")(7P3-条%mh2 @U_#M:&ϒ<&%SB<)`i{7@ o͐3jM]m}y6pm) S"pXo}`/ZH !N J3J` lGd5SK=,zyCӠ& F"8\ptoy#GوKC aU<*W4K"[d=_u1p,0@t4daaŅvYr2ÞzhW4VhG6k#r6fbl>)B hA U)PjR(Zjb V Mv8IO;4s_[s7L1ԡ*A xn3VK^"&%SaV"HQJ4=Zb(j% TFJw/hAs~f-l.1ObSôXU[wފ w>ZM)Gh"6[ʰ('MӨ{ 9-وG9׆oZæ. Is:̆?s~aG虆tk.w o7q`@z~1^?Mec/[g#;d +LmB*"Bh R,)()J2sGfvzy%!TRӮ؉tyPy1d w!hZ ( ]Ra. 4A)BxfC0FH1Z֭`(Th)N]-gf{ih{#ʮqяfC \O䚐k^^}@Wt˫tjm{ow<΄,&(EJkE fˋI-7 g9BlMCAUsU",hj2eDmnLpɱ@o6;8 ^[`,+c8CYEq"cr1AQl"UCU&"$B(փc@V_>1v&)vUE޶hKH|NEjEY*ި6C)6l_5^ $+~hCc|8s#hgjtb6ء ]N%Mni)Thڨ1h.る jխ^Nx҅8nFElCƝeM]1F^7`1w;P) Sg.]zKFnc#0jiyA4moM7,]q43w0|EQb:=ꏉgYNZÇ}QZsf͕(Y K8r6ay,;}q/uu'_jR|E.fP=g v /XΚ(pAAg_:4MEb2S cUQV4[ ْ(3M;a *"ai")AP6Ԏb"*HS i آ*VVAP&Clӥ`+b)UДBi)14Vڒ`h T4գc`"#ahJ44RI$Pb ()B5}񚖏F/UaEP8ZK(q7f7(lYAc". ZR/Fv w#Ǜ8>T%5p1TGo<{|7$Ϊ(KNJ@CBilh&1(Pi])I*B(u dж 15A&(Z7d^bH&Ϡv]WHQB^B ] (H]ZsPFE hhC@֫Ib0"KHK/Z#G5l4k- ~0[\Ԡ0nTP-r727]@U3yF)D CA<)R tJZ)4Z|/@P/Cvh(P_=ф;mtlz (z( [cIXC@ 5dDfl>:f] .TF}^yٹHhhv)Tfr+ 亣$:CICAM53RP [i"Fhd6ˈIHZrl4P:]&4itD9(hB C+XZZvɥP餶J4趣FCh CRkNhml-h(h +AI+N!F2D=~$G\rs_#8qm oUTdӵ`WgX6۞٣em"aw@ت",)RZq)fPQJXSnlxi3pJi'6pRRU(ЅE KT>th(:66*i):*:t&Ww4{%X 1n-RGJS/vj 1#YӤBW{7rMhǎ12#m- BȃMd-#Uӱ]q:[:;E%V9Ϗᭅ2bcHx]ǴFV~FWaRU[!>yT殞kIq8V&v&̔Qaeo#ː֏Z6Td Flf82Gw!kZi4:-VNTq]gGGVn͗mлѳN6(0E~[E'#_>:ON.%ռڋn eˆu4n; "$LM" J*QGIeSJo$+ntEE?僖 fl}CنEwVNW(kw-L%!ݧugƘ̡Y|"ŕ{aר6jGEX:Ffjy:y(;zo ~ tTRJ\)0 @$ROW Q*0rA$6Hů0yQOzEQD&u:Ҡ}K wZׇc4RD)H%PYh) AC@ (43 ܡƒd;@Xȱj B+#0" ho6J%$m[pcANUEPwj_(potxn9yGI梮- MI*$1#p׍EKlcE!֙Gh4b3xgh'j l$сJsBp`ĝ1&B.f1z ;!2J`N)oCi'*5cRDUR"R-FR2Ңv<e>G_2`62jaXH*nM}XTRƨʦ^.}>" 4AH7R~_<JPZ@V44JR&PU((J CCHR~CCCB HR ytt,IoRE2jLtQ pu(k~5gJVz=;4I̡dUP(56ӊK]\ q] {icq"KS&vi EDhNA51=&Hb"Jbip"،=KU )h("D <;q$a4$F=$N)}v>` FSK)LNqKQglhr%ؚJ5[KDa#Ettqmt=!(JU^dDnǯՎqϳwtb0 H6r{*иv,q`COG)(&F#Pq=bUQe"Qh ]v'WuWU"#3T·yBY4)ր -U,MF؈sm{6V6J$cm:Ԗ2H4##+3D?YtvgMUMAN @iZ1iU% F-FJ6*\JR@hZK !tTWHѶt"iADCD1&ثHTEM-U,CE QG,KmqZ:PSz㉃5ްzUQMEDA[QE@d"th֒Ջy̛gWdD&mTfH5A ``($th=tfihwG|E0j)i& (65m/HSIבДѧCymR){h &J5T-(iIklѧ5%VBTYRfM+PkC))(bљV#b#Q6U1U D&3RĪTi #HPK5LJK:4JhД4h4TYLmGMs>-lj!NDQFوm$[WUR*MkęmM j4lZtm8bѝgXcz XqN5g6KZL6ӊ5V6jZM8) T뻲BkBUl`vTE%U 2^GPv]Z]L5  7xv7֤FAE[`-Fg -V" +`hhERׯX7-Sx!T'6PκR 0;ec|6cbY"GuSeq)iD Cxc>*Q0\ҋqi@˖U4uz:{=NGy*cX_6=Z.?N23U$_xunwt0LARD j6#` % FlY}W: PwуH'Bd%*1V{n *ו}C^Ol4+!M )" FbpQB YRl;s:JC6jU8Pr%XP9%JJ=A")@hZ 48i)RJZ@ )( D.Ep'ϹMGBztýS'TOCM4"/PuEXT A$fbֆ X4!T-%;jJh@b4t:DTӢ4U -.%4"PҺ)BM*KJDЅ.ڨ-8BhҔ&Ҕ4h6v))ҚMR P:RABiw;y4@+H1y΂*a<_-# RbNz^X8pڝݗtc-SS_F64zzJER`PGGvข ^!';ʊ^ ΅NeUQ\v~PWYCMNFP_L]6@ukN&Dte8݀r „φ9?6Et$RD*&qI<qchQ"mihr*ojIBHg$;F.S';L͵:!9#E#HRRa KU&)) 8]M69ЌXfrCOCt5' L֘Шj#%Rh* Zb6ht۴Gl%i3-li(*CJ4[CU)q:uS&M60`Ӧ$E-QCuUDFLm(" ZJ b:h*$h(hT#Ѧ)1-%M"%S`9-V߻&>#P)+8Si baE)ȣt͟-s'n嗴ʍ Tf򕏏QhQz 20PPm]ؒإER(u735JHL͚p3o`"QUSzh"+nF8HoX\ZMƹ,VFvICU}ZQFQ)(do ukD߭R:䛟wJ6G MeiXkmQ77q@`P/Ug/%El9ֵAMV^FqJB*&ۊjEX˘@;\~/M›I0*hڽ,+ea#YJaj7V}N+m!g$ =; Ke׼\@.1əι;eU1SqL\PuyKxNL$ v*|wi$gu]#H6B|6ƽ=x2T,ТH,!(  ћW_[D$Mj$ +c;m{q:3QӣMz=&9#hm6Cs.=#βm(7z<-TAA@PRU-4 51 Q 4 #PR(U ,MDHJD@]tԋv@ X%,͗!;G^ѦwZS&rf J17[5U"2t{{2m}ʮ*֡)Eߵ~؁a?1@B444 %R)Q(ZF=?,.Z!R DġJʕJд(4CNOpET(P-+}?9a&oºJRlB)i7#=ms$L v sTr-3O*.]`ěrS3rnS3Nr!?B6tDmi|F@H QHR{DvUo&}*}{ܕ9hkMl5;5`|^\ݒUO2Wiߓ;TxhYP𒬚^.3qn4}#DʢvZ$9$7m'x{3=i\o]>PɮM1nbaVlE,HJ}zLSQ**9伩kDde&)y!ȚMsʪހʪ@ ?Ym=D7(4SoUACד%&JDI} fo}Rf*`ԇ(쁐(K]Q@:HN^Ql.l9[s'_W\=^)/%3=P&](6\L<˅$^3 mAz) $@7jG;YEvwÿt 2 zI !#`ߕI>sa J%qS wͰݤV:+* z۶GJT8ƏEӡÄ˙ +Ҕgw;:2 * @*M-*B P_C Pҭ(4ҠP=Ai)Zh)WlTP -JP44 IM%*3])d}~q]:{&0 RR( FBhhP@iVAY((Z@@hB;GF-cdC@]`n6ۍ;?Gj` QU%9ٶ97Æ52aUT"leHPB @`ĐX/qW)%mUH\tG mxmTcێG#c& x\Com¢޷\>¸aemNêno )9~Kϭ)w37SJNFG)Y,l7m&߷}XaKyĺ 5 Hj0sd0 ^oJC!' 94ٶο: n';w)^:9 Uד!r< mq$LGQH\fdbXS6bhgpϪ }U?[ ᝼KsSwӬVC$bm\qumQ_09vɆw DX_]QUPS eJ8%鹅r(;<SG躂!n6h"qm#Ip~̤!4Cwjy *5} ; &,.d <9vE8Ԣۛ6%=mmrv HeEx-M6r]dDPqǶ}N a`iQJ8= 1ӳ`CDE#_q~ݾ-+ٍwɺvcGduid5N`Vawh;]ƭ=~m-GFNͦ.Rժ(U BT_ǹ8Uة\XFbSPGe> |5i7B,==2r4a1QmXsh؋QJt0sYlsrL8LHg}o}AFw~‰pWvF\9}ǺFD|}#66Rج`_~o&JccO[JC߻fxfkԞ~2/7'NWkTe0ZPDG=C"eYux/E2:Mp5D7߫SihT rqS;)Z#$ʳ́,4ifd-nZyFKYI5p ~*442ʇ{I@R_84fwn>}3)⩽jyLcX̴4)BP1P zhX)(_SC&G֑tY9;j %b nf@\,;" Z4cј +={(6rجŧ.5IO<Ncv%WBE,fNsNP1 7s(:n1hqH4R>=vB|X5h`p87,73xʚwͽϊ_ޣ uءVXFDc+4Ⲱ# ؋ݏ[0vIa3xe18LfIlY`Ō"uJ"t?/ɿ{":_6`TLU׼Uƭ{aۈ~ߜEV= )DɠRv]9mWΎ*oT,vth<~kƪ}=>8RUH{[~nJ4D .9iv1S0y(z*ؔE%c&jkUb)0>x޳4>~@"3Q誽֫Sm0 'ݴ3aj iZh(V_{H T/H&J^}Faq)ez~:KFaԚ ($6N=ӣ`ׯ|JM#h1И) A`TS871~7PV@R41"ȥG8݂\iged݌vy&5+a(b4 w4 h"֬q]#w'i>"{A@?&%q %rS@k:()e.ApyOTkWSxL& Qy'tKob]֠dPzĉb3@HL#1_382wEVS:Nɍ^CHtyKCE?z4vКݓGvESQiuuЃZ<˿`L~G>co%M_v?j3RY:39r .Ȱ* 3 x,XmETb 0ٯ;ܺ)e!r- $'|.8R~T4-7vX~CzlȷjrGQ@ɠarav#5: (=[LWp$#fg| RסyWC%!*7JVA7Iw*R];}?[j_P`4 rΔyܹi(|nJl{ntqpԥ q!JR%fE#^q6xi/ʳdzeIvxƮѴg>^qRT*uFiJxwpQXt=D4(jhc{%g F[L)zis#mNC~[+tlc'jY-SmjFrsmd-eɞ^niilmM60IЩR졕hN=?zdRmW[wbFۮL[Hd+H-5UhyGwI]=qGCZ1iP#*1uZ剱,.Qec"-:;]7N:z z <ɮA1huӺ1EG@8pt: Si%(xR@;;x̎BQ~f* jn֞ie;ĵրaV Ơۑ/{׾f.UH+ b#n'r94i&I nzw۶)۬+I&\(`d3c2wܢ5V-8 Q$Hz)bH^u5U$C74UuޘƆ"tƝj+%)Z*8Hl=qƵ}Vm2zᣴF5Q~Ҥi7>=J.(p=)ӻ` $JAkG>͐?!J՟Zw{*I6XZlgRqX1~/u xٜlm^%>~HiVYE5^+~i9:5u5iŃ)jLH{>IoP#t-"\cߨ10¦':|wS[]} ҉*EbK'^ЭHDYHPKs*ȞD8HkSdr :T(?!B?Bo>?_}W'g%5)! |=4 LP6_َ3ԧP!!X%L7[uycuToy=2ƝB8^KOv}Al6S0 ,) c&}u$[RR2 LG(0%Y9M']90=)+wWmbW?6㸓"v$ƴZGơא b,hl z >'Gl?gnf|ҺɈ|pkMЃƛvaI:Y4,Ni'q l< q O仲: * 8o3LдVxlW Qq .$o64I>lcc>O#Li[!,f0YT:.djCNif%e˳);jv^='mNfh'-FaJFlosPU,T-B&.P-&"O}jzsaf|Hl3:ji#7;f,A$Iv5. B$ӍCR#5 v衂6uQVl}|3Ћh9: {(Vn5 T۾"Vdv=nA[  -@BҊjT~r/,C:uxIהbi )hX(Ef) D$hFB$ZiF;bJROl)I@ Aw`(khiit@`)${5ΐ -+R@)"j7Ìbvm8GT#d nBUgڥZU?Z7O,i͸r%#e'MfܲhNφjIάR$V&}DJa\"^؟ 89%R Y~u7\s/wΥ~=HE((P VZhZ(N]I ^גh^wªJ0%Ҽ E 4]QH)&c}`H?WݟY$b! j zm`*'[+2_Q찀Q AƧ4|z}ktwI#%-B D1%4IJRRP@RRTJKB̥ R~+\Hb hJ"h@(CBb*  JRZiZZ hMh(e4IEL4IIT)BDPA-)HRDJTJR-RP4D@4KABR%444дHM4SMKS @ 4Q4%iJJSA(h RZj*BhJ JE @PR:ET RkA]D(B (DSGs^qSL>0cBRL7%-9iTbisM8*('BqՍH&+a}1e!?ɸ |O>kŋo N)0#!J]$d 9鉮n8J^ x+:I,@K%ii.{2AIziOK$SE!Nxgz/-Vot@@}QwՃїs-S?$]Vy~Hyx(cUl;FtTIFʲJ(I$OWvTl6I7 E^,b(o Q̈́~J [~7X YrR}%TёvPH+u mqi/x8bޣТ\Wj I-ڪ[|ǯq\cku4 FtO61u/AZB-d5EA4]J<:Inh1ڰi '_TixvIa͆Ut ])]ϫjev 08˛GY8.dŢW/e lY2 @0EUJQb]9 ᮵%~!_CpjW*'Ygu$ 'י+9D: bGDZ}rOԽg b jIUW_t tt-anRY=t}ffIR#tOF (  3VQ0:If1B/!S(5l9So$lTJC(*T+ضApJkT6zHb0$ZVY7mDۤpۆ0rl 1A)2!# a[JUrUR<yÕUNbaX“ѹHL6O&ϪCm0:ٮtJU,%E]YLICi9 &+ r6d5f˷`:c!Ci['v)">8IA =F` p[}/nxPdA}{^A1(;KBb(nFpqK,.75}sM1WDv ؙd'yK=t=l0TbGʃE^>0F 6n=F85޷_?\V65Y뙘Aq[rS /2gq$ hڠ/gJ*SqCg^>jԸ,[ =W"w ylsB<$%I YP9/IkE!r >,E<[[ic(b %6TXrE kP*!n"ywN/iM'"H-aÎjFyQS0t(J.K>q [uAr6wpW.&U1im %7)0ٔhF0a fe`vJpHPc":URK]Č\CF9DK#r"UPĤ4%DA;X/x_oUJou[uڒl/=[j(ew&Q*L1>97ypq6DlbdgS#%\xLh3Ě_-؇P?O[vdzTtT?Uר'wF{F0tM3x0RgJʊ ~](_M}o9gwcb2I BYT)!C*majSO%0hlcBEH tbEݶ[pA@X.7l& }M:Sy䩺b\M&ʫB5A: ^yY0"*˒zqyXS 86uwղ3rx2 FYȗɃWYIܒAAb0,IڃMcsgr%2ES# #:%f0%|1.,bo__ iɶz̆XWlPl(M0"/3SԙG%P H80j̲N`^{]We%1GIZh :' M#*: Zl "ZEuu X!vZ lbY)<ϑU=n \3QG.x`f$۪TTq+96M1ߧ;]hAYَYÓ%w^my Y EPF%):I0)f&X36IHtH.%h3,=]x$$*`">#Q4'F*b*(*DW޴ea5]Yh I G{R C 3:s2܅S%AE;?$}93Sњo> I_{դ{g*|J׊4ػXQi5[3`tf۸9@8G|tWMyQm: ` OCfE2I^TNRJLѡ/Fo4 (5#NEF(G7|;B|Z$gb1,P*B.fDFc<6޹RgI'.S}ua07P% $=pEdWt{ZO*횿4m\W9p2A3ͻSZS} C)Ěp_+Pky.GecPd475 Mͭ]k-ZlxY B3.C(SQ ԃ*q̀LDXC.qwjپtbZTi6'~j:rtFEF^z/H$(f&09k%1HLJe>7֣z jPKb'Fw 8j 3ڌڜ M f^4l: 6$͚lb$~iVU)T)`Iʹwe1 ȖTe&(mp0[PD"*ܡ{~i`A(H4OY ~|q w$"TeeF#gH%4 HSK@-@:(Z(F Jyo3 %)H44E-% )& I@!IE ҆44: 4@4+D@R 'F(4!TT U15PRPRPRR5BRI@15J+J6h JVFiB(WMACH!J @E444Hҍ4Q@PJD4QRBPR h44U M)@+IIķR T- ERд.WHHѭ=)H)TiRZĘurv'7jz$PUvQu%~ieIfIUyEޒˍՒhiwmU R<8cut )3ш2pk6rWu/<H+F$$e!;93ipRQ8V\ i5|k=?`^\(i\`AsdRh-xh™"6vH/mcR)|*w'huN5>Yhh`[rP} [ fY9F{jz7rU&װ~H(I6))\Z R 巈8kl҈'ݬ-.0䣐IUHǃՅf:8D--)\\B5"BKׇ| +pT>:ʳig%iE ,KnuCMc/18_X'{4MD)6%Y1*1C ^8e[mm0)+]MAU?ԜIvgy)U$[a[WE(@ Vŀw)hHg=_iG+4VXl 5} ICI OWWyL{5xVpaLNt )"(ufyZNзU7!!Ԑ bMD?g\oVNY 2/y&|(mS瘍1ƥ΋MUVDR&P0'V%2QQiUIc晇 ,L]h}!ĦM?mv|K  3~N)aRWJ-O8e0BᲲ2̱cOY0L 7{0hi`LV^$M4fqF׵G_̠S"bO]ABGΪک5ӳ$[t2Lԡ$ 1I_vPAzƼkoa[ <]Lo"1D3DFM{Й8@ߓ̬b@#.9ؙ̼GؙJG;3$l^?>["!@w}[4  PO 1s\&T(l'%H- h̓3Y8 HZ GXo/8z8 aΓM(_ŠB>旚 rJUMsJ vw?,Ɋd|}m;ُ|i.@\}ؤ R (2\̃TigGMg\J4=kP!Qu[f`$$gŊwWA?LωjL^b+-rsPd#ZweHH%$A0B uEq2/wJ~­udJ'E2$վ}kח2*6 >Y*~vjү2[²AaXxM5ybW"& P 3骓z^hF~CMaG{U.n/8=Zg&^gHT4P2SS8`ʠ2&Pe 6)l3'/d @qpQMU) +q0][7HO"?ay )ȄH B!h[+ȲD 󘆞__澉-7YӦ%wARrn>#,VxTI"c?JJ=*dXOC{M-rTQTb"b[r=tRD(fycEWeihGƒj`q;|ȰX`eoLJ$J[[nxH cv*F^T`m'$ ׵]w}~8wG@{Ɵ'e'qzK.WJb@;F ^G#~C噯.|2)W,䔙Nc՛ה Xaa%U P12UfPmN?I(شmia* .t2QHba)$y ?rA>@H6Ϳ.:B z(Ao:ƖB Y@‰FsBVgaиܝj@L#L4Ø\" D` Fdדч/PFEi`|dg[P_JF/]JꊌI@((֒q`442-2!M+#89p㎵nn ԲXV"d,Qa~a:IZuKnU xc~'l x4X$T[l P#P=꺖cC>W|L$as faM9mk"|zOoYkT iR#ΉYYZj 3ıyVyZpț,VN"H3IRx)%0hhS8{lFƬ%ŕf(ґ] G^6ZmVU4~7֙ WxKd C#QWMRw ]*!C?a &i7vAWO!/6ᩰPD"[r%V%2 X&?ʊ4ףuRJBΚeȂ7UФ!D!Wy$~DѨ6tG_z3[W3-8ɧ˥ccbb(TEpM"807uf Ι2襥E5h<Z?m'#'T [x Zf%ȟnfZrnqi> #6@~וǐ*kګ!,wlRLlPV&4qZ ~񭴝hoe5iI%mEYL aJ> ܝ{A}?_( ȩk:mrC [r.2!CCmү@`h2Ck+FJQt(<IuQBb{ NѦN]88nlJ.Ǣ]G :`t|Ά~ TDuN}=^~# Eq@2Aii)B GUT P貢*ᒿMtOSV${#/nyogMnY ay7-1=$}.`mȦZl7kL?v'T 8 oV[H4 KW=0hМ)0C |T~]UnrƁos5Iׄ)l\ha7~T$Z| e;nL^|&viU haM<ԢMvWCܪQXiE ~E\<i=c8K9VFes&25d\iS ʯŀ_S<¸ rv@4y @Ä"M9= uAHHȖU)v9E)JVX`F(K@BP<̪NBt"[.]uOtmGRɂT*LIѣBb!A @:(Bh1I•L"U6r?؉-7, wK,6:ȿ77)Rd0GaA$9}2 Ɛ¹`D($5,C2z/etGh9@ AZ-f/guF6x^m@y 5`P9H.jlgj}8fRj«Bo\kfK֮QJ4l.;lDwp!.{YN,a Nð'k(mŀnJ@oՈaIUDQ-U9j9'=8[mIKSlgK3{bR1 ӎSqoS ))Kw2hhOR::8:Bb z4 #3KDQM㐁͇)yv??HɖC=)LMF^|?WyxXG($|~\DNvs?mf)6GyPʯZh q>,&|*c#\;Tp 6?` mr [+&_ɬ\+6TY+;+9?؆I5wmpv C>K?k6mҔ1AS‹ahbD\">n{m 6t}JUE(8$oU8mg:Uy*b$.߲9 (ˇL3['u>HW FX:HL0|)_Ѯ*`ښs(AI`-eq8U(pɇ?2I\ 3,IB[>9FzAWԟܛWj߃ )-lLK?F_Mɡ,Sj *»]V1Mҙ_$w⛒.LAC @dkWzbLR A`7'W׌{D҈lF,PǪ L {jfE%)?!ٮ)rYDU#ɹ ,tڻ TdoQ f^ 翿<>uaeVQ%bkq8稳P*Ė,7raM1^hٿ'Qn:U6*BNm/>7*tgL :`Dz:1֩p(zT|,]+U$nΉYXyi%)=O q, /Ag"kvHMgگum]xp3XLs/`@/16jHPغq}6 jȰCwþmFUmE ԅeqǵc&I\~bY\Ƈ!9Ob_ plYA\KI]Q}X[sݷ=ٗ.%>>|M9{`l3&+ Hԍ5o92۩WΟ;NKփ*R_Dxmr'uWMI,a>ʌuvfza`@\[zEqE#165Nޮ5۩L"'rŗ,8)P%Ե2sم˖`1.RyUJ,D ͠ ٗ'Db:( v,>/_Nf x<g-utXon?|H{n[/7+PA?NݘsdMp8iV#ADJU\aS6"/xzт-tcW*#,Sf]_gG)}YÇ<IYYU9 %#D0_T{-C:6Zr=DH-b'>azTz`ﺒO?' ~H G-&p- Sq!Fj| XQ]n ӴɮNxC! bE$# w]{_k}'w>[\?sff2ϴtD'm%ZyY>׎ Cw ъ?{Je넔@ Ea1ZP#EFyzTseG7fm7ÿlٷsVA$M$%b@M1[ˎu5 zQvtn F#- I9.\sX#6ߢQ1Wkȯ>{rP /ͦ=:USFjUdF,d֟% oᾟBc6fiFDTHB X, e*KG|cy8z9VX%Y( &ypȉC?d_1QPŃ$0| lLqۺ .NbUR"xT7.@{暦BְW"m?Nm|dx3߽DX,繧&˽ƽLd,l0BJ(+f mtC/7qTO?k$RG/|,mѹ~Dk\z#gC(cZPȟ$ͳ5/HaWJ}6eloG9~6Sر9fp`w(cxNLP=*ՆM͇SDʍ9 'C;5t%HUpkG5"RUNդV j@*@Y"~`LvZmeB[ˬţQ WkгQcݘCһG"LZфVK jCF2,Q"=&DlZPp(-^L 宛C KRNW% +R#e&ەF>D'=a#;$9ƙvq)'M  *Xw:?D) #?&sza '֖@<%"Fv!ؔx8&(@g4Enr}3(Mt1"%}Db5:ar1⋭JAc\ʧQN9:LXXHhSTv v8D%_Μzt}mh)3ݖ<AU^ɉ3Kl {(Z<m̓Mh~>/rAbϙVQ,ƖC}Oh gpךR1xL:7S s2;ZC"<~Qhi _SCjVw'[Q65Gs-1MN We_v~䐊ֻ}wI?Z~J&(MylFQWqd+goO4!`*LVLޫOMӒ5q6 N%[EKJ} 5?f)C^WކKi#>VR,H=y+>]=|tB !LMo-Dr|:8[w'YTi%e G`OĢ.kvTѾ_LeR?ϋ^m4gS.RQD@$g$t1 9A퐬P(>~1?dH..NX۸4ď\Re9Eɛ($"za$U/ TwBr uʊyɫ, X7%Gx`WG_gA3f zj!Itn"l7hn6TnDӛ{efuWA*4}̹ i|հ *%!&a̽/r';Vy8A @! ! ā JkKÓQ`J`89g;g."9'^9V3ND&;Po)t BZ ٮ\:{OG4}ONiw>q*p]o;?/cյ¿/+'[ˎ88hϼ\Xٚ\;uW2 }?j')!rU<+)B dzfaZ+#\(褑  C3 :sXK/w;t?F"0eiTUTWǏEUꚐ %4Z $ uYCwoOw>ϫjknf[6}:Zn@C =ZO?y+˨AٻM0h:(,4}*<.^iV3"ENm=$"F.<_<˞WF*b~sWrIFuNd t;\k gRm&{Bv9Llz?!WG,%WT,QXN+5j@]BC[?fմݰ%DJ?~@; gi G9꯷ d(cL+R!Uat&<,uc0Cq(';G!9TfngRPsq{WVh4>ZmM"8^Oߤ+ RUN>K`Tmg Pmz[=-8z_ o_X(3L&8*' S?fC\Ή@򪸸.CՐ-Sx<7h#s"cDe1k_ :t.m I8{]6y.˷'=!'db7)U B@5L`Д02y8%.Ol12c0)2oO\t[{ǻM* ~G HbzDrS/ϐ+Ww B6u-W]*e>:?#aԮɝۉ1#dL!ć'blæw.Rp e{gaLvdG8l&'?ե'Jd,2LP# )+5L֨@*@כuvp[ӛUqsƐ8" T aQAM_|3wiJr^eόb(i\bⲷAk{29=5_9$^5uS>tH A% :O{Py`m55t׿B:{31ЁT!gVi1(lTBm7Xojr]Y-3߆ m+6qPR{~,t(qd%baU m/! M;UFrLqٴR*s` L&匂o.|0*r/!!k%_jahΩ0W47y"˩.S\$V9AM#Ov D_M-(U,˾< L鼩6Z٭Giì}(v[߅bXJf#TM";JTuYtӟ3,s[RRL'7To\~5Q. E,\[n:&|"ȯ:9g7~R`>e"ȘUPZ٢Z{`TVKۈ_O]HsCJT ċa{]e$<[&r!*TDM+E{LeB07>r!^gZub>"gK yW8 hIZvOl_L(Ľ^j>͹-!O!w+!`9'yfԇ\*Pa$iﶪ pJ+z40פ(UrH4IUvhMaIn"\Q;UgFh1<{.k6,X),nȟ,#@A(/nwE- {nmg/Z6? )P$T.w.~fB ?P0eޡ$BS'܃ROFr:iz:E2BZfƗW?:܂9B B ?|+);q.4L#yirq^5:uGbfYn-^͆\~Iۦ )vlmv<𨂦= |Jȧhv`?+Ӌ`%C!ſȵzBՠߗ.r'̦}^fpY^& Tc57~&" !QR tM~4ӊ`kq(h$uբ~p;mÙ>-c\Ba3ގpk n?l/X KِMˀƽ\\u@ΩZhr=E[«oہI!'Oa,بa= `k@ DZ{w=}e#4q`|(R+@Cp͚ݔtzav 5q"/-ZeWYN]Qk,ޛh.YAoBqჯ3WT;?f|4SD}p&~&N |qms. $Q0;0V:?'Ev#-}ne<,$l^v29Wo /=̤(J0^W0b "`HP(tMen^X!67Q©vwm+-!q g̙7#9%]+yS;21~儤>Nac 1+S!pjy͹R'V)۳m݄"Y<"dubG*TN E8R_z1ޜZqbg4QJ6xxX76v5J3l5˗ ^9@PJxOou2ߒϫZet/x_;20QB0/]ӻfqsVՓRBc1oFHچοϣO[DŽxP$ ,X)LГlqʑhlŖVؼ[>azT߁mgXleNʭ$ awLBw7qJ|X.q ev=Ӎp|˘T|l kh{?$z==հ?|?[4NbhґZ*ZbAW*Q玡*X9+#=D DŽ1u•}UD^"8iO,Mg7b:)ISQZ3 cv/ . neWmX-%j^֕WIߐz;,U80^tJΆEy_/ >t gy-Q2 Z9Sn,}FD}8艬bdӋcg>8o(pbj/tA?]v{eO<&3ce=6 lS>[eh9+4<\hr#RʿvE@c:CX ՞OPt43z]iz%;]n]QƎp&aW @A y6bt>;'wfuڇ4eo/bԔQ*Lj~ĊC9ƚ tɐ_R*( Kyh)O(z(g:3 g`lݗPGI*zk ڬBq>ؠ* YOW,Y t RwŷR֠T1p?3޳_9wqׯjzl܇4TD?/c*O- *ó.D|Q2fFǖI?Wϴ{: p9F8b|fdzދ%%vO>S]OE^9Mv'f%~?)v)x8kOD6>`WDKN~jUb+>|X.ߌnα/;(RNΨ \~*׷B7O;z.ۜQ|A[;`:_mPben;^<^:$s,峑ISɮFQ[(gJzM T/ʴ>"Wŭri+}VW$K""m<{eZs :zNrbT6>ڣek=P;uF.: h~09%Ğe|W=oNyGGƪ3Ѿ)ƛ*d,r>z0͛ySz'Yks m#&xp=^{22w16S"mro1ZLAXC#Di&h|rϞO!6Ԋ.~W^QLy۬E14,ӫTVL cq3pZׯXH_jj[>%-B'j&"ٞkoCirZ+$H)S!@~n}6?44Ah49:m|tp=Db"뼤0'CӐC ?` }o'D[[5^WHkz􉩢Hꡜ xWw~w#ˍ{q 2cXm'Dv +_>Ұfhn}AAM~#ʽSk*oK^?Du6MLf.ja2)~?>LG}0rzn#iPΆ | Q5p!6oDKr++ClEu|}4dHf#yqgW߯s/ sbNg'zz@%ETͥ)mu)YQbv1A')wd~S&=u1 6".*CQ\8uZu3Y^J?qt@lծԺCg1qYrjuit%xּqoK/FU{ _JL2x*%HcW׽KŁo_?nNYl rk4azKPa|/|hҾ65rٌ tyS-W%#kGr"XL*NOnc] TI}{kDiW˖DhΦ=y[mze%("'`p8>yiVFCZKIxZA<7h\T"۩|I^pr:yTtTNCn/-lIhO[Ah&W߼8fm7bRNj+M-;2l5rH! ΰ-&ü8_Y'NEu{rrlЗyerSt.1Lmo%˅vM6^9: ;ێuғ$xFj`uF /wcɘiϛ&rvO;l2.J"^N[r9 .ɹW~]HܔP;6lu@ -yy킯5y>@6İͤkc”]O)ˣo:m2|˄?yme-It_wt@@&aPҦ$ T(ze(UAz]lNtlghXBJi:*eXҐⳠC֔dUv+B/YTߘQƿ/r .;ݪSv -)avbNre _,uM$%E(Qacv(*@ڛD![`*OFͽ1]s`(`:ȪS_0O0@H(.9JrU_?qSO9 4: a{w!Rdd}23m ?~Fv ɹy?@xAH H((( $PY /8n 7w-ٗznaɾ PEi2 BTA@Y\d1}z:N_Wu( ?p$7%6aGg;< UEY8$~ MWL {jV vqN2Kӱ\lUvJFTi?Xݘ\Ug_ϤV.@(NOF 5Y=_Ǚ2(c]9kx'X" w$N}Fe4tRQz&!0'BeO7 w QdDy?hAO\elNmžE(HwHAy@^{Y>zkwDB2b=e ,TeN"i_NAγě- ]8Z&(FB8x gjABi\î7.LWxtܘW)SՖFk8Zhˁ:9"XCT&Ow8Bjp&CYJuョ6W46 D|EJ)_wG/?b랅7ۺ"dZ3*ii!^ҟ(-v*(h!8p}wZ@DglVȈ(dH}NsB݀Xp<4HP??:ҙT6r2rWގ}`4v9DXGaOh+,Uh*pB@!fzh(J94Gf\@eA&pOt6>̏h" c 0~w4 ,Cb |"0X={˶Ov}Z%k ohƒ͍e ,S:Ϋ^$5hBB j."{:$vBt 1ƀ&COݰ<_qyQaY! RA@|Ja"xӕ, d x=s37!8:Tt<~Y WAbZ(ucIBT裆ja+Z0lQ]9q~_jOҚvhd(ƦuY8'M&ꓹ)c:Nc'zLSJuu` d=hmPdJ(ro͜ ϕT g 1Fj4s4A}_Zp`xycf%^ڂTa˴xl[ =|EML-ߛY kCfZ( \\ x@hyvTlM욊43(e J! o5Q>֒ mcߧ㤕$쟙Ifa@ᰱDa4FCT2fQ =!TMDX ΢(Ug 60j!J0=~xBL GmdC@+>qp]6saه zf}ُP_% baIT î @+:4_?.j9䀣~ (:񹳶LԾ|6s I5 T±?m*!Ob,NNϊU +|BoӟLߒ )t4͍KbM4f}7p[?Us.[B {]H5j "Fbpu&=Nw=( ykZ2d)M4CI ;>]3+eKz] i1\2Mnha8N$?C]]ֳrq,Q"aԵخ9]%N[ RUjJ@Kf*ۈT0aU2+^:` HOmXZ \bf&D,u.@0;HNvB~~XHd!Ҟ (ӱ<^\fl?` + C:͂׌+g?XZ: FkcǢqm}\h&#߭oVeG"GO|!*PVrR=uhY2y´84EŰ 'nBOC|34T Kơy~/#Ә:FYb9S2̄`!z&BkiyFv}Vݐ]m}C~f;1[qMuPJ^%uvDexӣ'@. ЎQVAC@ ʊv؛əL2umo:`U8xzIdc|:򠻝uuQD#GZ(SU/o3,ղŀ/IW޿~Bgr&``a  1*9,qwyZN50'?YMdY^ jIr*sO)40e`(.^B2ECr7o,ܮٰ8(2)8ܞzUZ|ZDӟ3|*kwk$~  3Ɨ, GlwUz(ZM^> {iU}`K 7q0b 2gr:ޑqʹ[˻p6߰lap.P(lea ە8HsNPNdL~26!y[:˭R|6w]tktfWN 5կTUNģ\ "H:.vj1kg :+ \ ؋:BxD"H>2#bʮ CkI)C+gI6[kVaiLePwC &Bf(YγʁqOu:L8Ĕ:lFrGjɮ]o?$!oQ8?ǧ#_۫8]//&L`? $Hvo7WKrE7 N<:[`lG#A "J^rֽF.W$ $qDIW{"pEbS39.4qNԏb i0B\`^tSGOvTaݏJi4QM6dH{$IGYz8[wKSyM_w"%q$4d7s$Nwj8r5G(ԛM A͠m(y pN0Dy{xkw;؈sA@%1,,g Xb k ;ɽDm;$DV)LdLw8;v}g$6dlNl:}Y98kb34ۿgtմhFl3Cnj$92a9 hLH()U#rRfsV\;O\ 勦n} L4@v=`6Z~༣%rg}i0GT5[ݸV>1(0cu2,=lTh +ylK^ͮ7%fv6x_)1N6\6KpRw} C9tb+L+_g6,3$CmէÆ9ѫX Um,:*l6(/nK4%x)%\l&odi( T.%+F^&vQۈq ͣ8ўn9BLʉ1|z8,?먠ɥ CT)C)Y TX,oFkl'"UHL<6=>3ՀÆo}2}h N \KN]zTG!^̺/]:{:iɇZ@חs-U#9&A Cm:DORqt\} ܇2ykqv?&h[ěI؈`\qY .9z]is1?w~;J&RZGː`,n$F2A!JWeO%wͱ "nTsfrjQ*C1;y_7vJF0[P-4 RB(knȼ?\e\=bW[O{f L-ydeŕzUhDp,^d/:V&B2$ Ozƍ**@& C镪+JM(ēʚI{r0b3919jkn18OǯFٗ3 Y]EkMޣaC%+"E <9f&7Xy,{hP« @B &$@,T.qY95VpzK:Ϙ $7p\LTѝQ:>9\p8Ņ|0=,x'jOkDZ49 eaDw 5^BZ8Wok{Yæ/ݷ,NvQ($Cg5s,ªȉ⭜S ORq*V(fXJg" ,mvғsz|Yyg~^9Σj,śc8“!_A!V yb# X$g̥'r?z/\$Q)ws8/*rf#`\h/ 958۵mbIijxq1G"b8,@1K@~*[gJUpauB& 4MQfRˍ.-r"X9MӬ8gT[M$B|C 1 ƖֈmA 4͌qbG:k* 0.Hڣc1$`{EAjr6WXihE\j Y#BRa6zq7s EV!c\{pjuz2Fɍ w(30Q]ZnlWN-5!6+ 0Y7G;M淛:a#ǫQvh+ƙo!$s*Bo{aN3Hq$ l!}@ȸ${ğ_SPd|XܽnABZclr=X;ƅСI퐵4^tn>^h[~ k z޻gԖ w>J~4>q|xq<$K%LhXh0D)Qc ʷS-l(L=G"˧~ϗ>=dvwqJg>r>ҭ`PVq{kȦ7f_V[mSWˀZ+v-b(BI NJ'*zOgUmj3m;Gr I`4`^] U!] g=*I zbkkԜޟ9x=Տll&|n!6  G[ثȆw/A4k8:<Or^_8Gm~KQGQ[y FF ^O[jͫ#Fu#y.t~V`+x0J~Vm.7(>G(Ub@BW@iQ$O6T *^L|Q0"hv,QF70HO)l_z˷ު7z*ߓd]>ǣzT]weCwΛ( '9@H6O6~_G#: ف}N QG~aV~7n{lx[TC]KDA=]GdTGd\*e@ @ aJAJT eC*/5DLQ* Q *445 J |B~~~tvgu=N $|l6ADu|K1DULk.XeV7뿭2qӖQpۤT |__w ; )ʳP'2(XȎPW5<9RN &J r(ϱ|3kwg ][O2_ue -qhvo\:&MZX㊀cRh!*r(Q)d"RVedHLVgJi >S852VvY3V3OZa2e/aѦgwp`e6xrLCh&!3`BA)H e]5Aa\klڂ˓Ah\ LPPj2>,XȠM.iT\9s=Ҝ)kN#^P'ZNsbە1QHyHǷjW thVy埇8'#R^ KqvuJӭtW!gX(xyOݓQb تb*.ŀrLmQ&q70^fw*,q½q)cY-[K*{F+I -#&P'إ<3tt8Rq":7i}WkY7z)5bvմ/F|J*NagZΉr@;dIBVsd,㏟9/W͕P!Eo1* 2Lඎ^3&yxP8$l=YQ.݋K2d{4)<5 uhvp1Cjuѽd;4mkEYfvL.,%;oqvK-;Mꈭ֠6ą |8db^n;`I,'2_5#zNFd#)Åe)sp1Fؘ0qEm{u4GsM25kiF'zVas|p}qs86$[rAi[,. 󹫣S7 dž״~:LRآF[ywcCEUXjm`m֘&Vu_K;8{>K5l\:j}ܬ!lT}pJ=%%eY5& 8a n䉎axaUՈ,}ccּDԔ >vT!1Bu$`֞%;3ǘGWI~'w4ضг)SJh=jWkَ;0dL&mpM iqH8W0’ՙfMqw8)|>5=I4𷀝U"EsHIy8ըrָN&|50`I)XP@Mҗ 5 ZeD i ,VTܩ*c3"(2lL H »9zcz퀫-HoKPz#E<1bў.qG8Uӷ-3ֺ\V| f06"MLa,ut,}>mZçfx1!ą#i6;`ŕrb!}5tR(mBVuׄNho1aE-IEWn1t|nMM}cgnCXShm>;iհA֐jƃō^*.0lhgDaZM%B"=d_ҟߍ.yM0'YXQ "R. PPEp׼̈Ɯd&shot8u!1{:xR6AA5ϝRA|h; 6_eg5c)BV++-Cew&b-!қ$HeU/WpX6i]qZ594u qL8xmF&D1ma2̽o[appÛ#Q֥V ȊgM#JLU@DC(݉3.5!`#݀cH+B!p  }B&?8WasYƻL+{quk3uosHcZ]hb!$sgmC+q1>6Հ3@B^)f7Č<^4wy'{;&PӍeh^w&B78ڶ6lnfn0xsp5e?-8~bњ`d*΋8k(mt-yHL3PQ PTҴ]6ׯn8c`g{^qF88ڶ>`+q1^Xf'.`G9_; 4m6Fn.&͘Jg4+cv5:;B/3O´X;7jPmU 4ܱUϷo 8c'ﺅt+OOxmlpeiefRa1R pP9t}L:Om>]uIOk{=h%%!%E"mεᮠ*I*AV^B[-,#L;VSW{ߴ犂4҄)'Ƴ5gQ/Y+qVb![#dB f ExtSΦcRUhֹ7bZCr7DD)+cgu'HgkF>zaɸG鞚[myYKiC~:ZgCXȪbZMH`˯/i545'c34Ýv)s\3C%oDϯs[;xo(1q;9cܚ33.SFq#.Wmt1qXPSSJRm"AVi(]Bc{ucGH_lU8eu,EONky3s9 wf\P\sZ:mƲHwk>zMzfG;N{Sߓ-"c&"aSD-4LkUv= aw\ck=g+=6ɥGS6 c]Zg[XFoZ@8nxѺ8B ;"~"0$h&>gňZi $II򆢩4t!)& ejk™ +mt3f-bg};\qpM8if^݃Շ,k\w.jwk &jII2&i-B4j2 Q_($X &vѡADUl;ɪVv9ِU&Q MM7|[I9`}mWȾ(έӏ/̦1w&D 혔qzҜlm-. c|2'k^4s#c(;45T;z]HqU=x]ijPy8}L=qv#V]jG =xmDGtG#p~|h+(Ev cYWה ?]avqx?UYZFKPFA&6;G-YFo W/ΒľzZHw 竚&uHfTTc[>I5Wz徧j|`{Da. 'St2loreB!oH=!΃&{d@wp)E7K[?$PU|4*yf6oݻm߻D}!5.=Kc_p0~ UC?;"^Ce@^0ltk 9KCmOq HSZ86 4$1CH{ }pfi4sR WT 믑3[L瘐 Y݁ix2 ,fG8r镫*9k^vѼſKH|v?oås5g=N:q-tPJDRT'pz B,p(@ZAL=0Dba7rs@"8eMi-ךjnd̫lt({P=b( AH`*aքL]ѕrxGʹe7|ZkT)}U̜>,#KVf/wnXʚSvt99ސ'VD ܕO!{!#%JoZV1}ʽm)Ӊ?ɐ  FAggM>ޏ~c$@Q)H@FDHDx6]*"@2Bu;gzix3Μw= roK gS·(^!4ɢAr:7`Kk|=ѕopwbgg4sbCYD)FEh)) @|Ę$u.w4_.fUˀ??R"hKghJL!3_jU+!%>P=̏w':ä" 9sx\4oZŢd9)Z~ԕgb˹!aي1%}yc"6^ r@ P;v-5ؼA8ttw)L.}~n2 yJz8}oZP(7|y6cېs6 ]'Դj'~ dXC  w] O3v<[ N*;[CszZ:oEy].ll!ELMn${cny:#K[ݮPy})}GsFy}kտ~SEjxxd0M2o H@0dg3R_S/=:c\nP&0nHctr#mI|3"1yV>/i)s=YvC܁2"NזgmYg4 !i5żYy"u+v/;%G9sUȰGn[GUW4gǯ>j[\:wA]'b I0,H `x-ZƧђ\&Ȍb$"&|c;7EdҖOJm9UdTsWCF'7D<!n!KM!Bb8JS-ZMhuK;:73$ J*&֑qUP8Rk=|p`5P,B~q)EbXi=h_gԨ1!>!;6'lJBG^ӓ^cȮŷCD$䈃LP3?Q$ ʱƇH߂Xr,l(,C&O3UZP\eԎ!w/Yu!& AhEQ6>rlwR_'-Upw5 ϗe5O:&<;p'yf<,>] jL)5%(s2i4~kt vUnqk9s޹c )-KmmSȦ؆51XFw!uCߘ \$_޼;P^XNt%0A.„#;0h&'љeׂ+E .z; wȚYȘKTAy1xHu B6O/ó꽵ak.395u3ȱ>^&-NAu\k&+XC oR<ےqfr:P5H(^M&{ݼΡj@2,:XwN?xG_p%S??B `87vg%fbGy`8#@DFG**vD{Fhz:ԝra=Dg$(Y'͹~Cy{$hHzD7%@ c$$"t:-gNǵ}L@ ^WcowReǎǑ d{p NNiWw 5B`wyE.B@AAAPQExٸjwO]DK`w~|)^ZyۧdȠ;Sg=! A}⛯/ k֯ Q8$"0H2B9GRd%"켒w{}Bns($#R&>0sXu|o9*h ~CL| |Զ]94žN(cly;Z|%zH^ǎ$Mtg. 0 Ux5O]cNX\ W*^.&kv͛ABx&Kd.rjr(b9g-FZmƗ^ qmM ٟZ_xtjXOZ Uʼn< 7Mbڲ]f ogX|BZȼ-oE4?7zNn=FgcNoĆ3hIA>r]5YiyiCow?…2G%j{IǁԾ\X~L@qJ? Fu0_:;)Yj`[L@ RV:s,8weއY=ڹ]O koCߓl1d~%6&?I8sg|R@HB{?S~?x8UII+o U \ $R5SdM'{684s=zSN_*d"$G&lX<-8Dpt2 ĵHK Ļ2eCEC<-Jk*Y+Ow 77G0 yڗB(~tT~7܁4]}$GӰh㌩SB@jT!@D`o/]Fv5^}5XF-~j"VAh}'$yXJw'v7 &6lGeipB$ns vD(RSŶKH,Sk:і(6gYd'OV)h!yGa>ثMBndێt-a5Q_::P#xظF a%W7/G2:qA><)tmC]ڋ~osdbƧpzAIU¨^}}4iR%%GZ.}.l9 !F*XI<*MĿuR~[h&"XG<:~UcuB,!X|2vڷ(Ѣ Hr()~ oT lWOwΔ$)+wV%#r<šj2!R /vRX7FgP=ժ"Eup*;rI~[TKNIu9GO+C 0lА$&?[*d9~f_|;s"i'WWI*s>¦Y GvH8 NJ%qjzH=U{シn6A>&duLi^0\.#OrƗH~ I+`VrE3ّEbdȔEsJ3Fo6-HV#V[FJ"GNz;_ {G?תMۗ0=*TWy~/Zz;r]ǜk ׊P[Q Cu4}Lc~y"ݾ֚^]Av~ٱEt 2'ytBH)k ]s-8`_Mry#> yˣ~ב{OES^la\iJ֋v9-EFF}ĨPRebV69s4|izFW.T]H~h[8%8fşk\{~ƍpogu=!?/f|aE"*xu?jj @Ro.ރd>n=\Μ5EOR~Q4.>}>$9B GbDtm|@(( ~g(RR~PY>{!m:θ.dws|O'Lk8r΁჏dj-AClkwdzNa? w4QJbCc /TgXn w y)RsPbeUQxkX_|4ZCVX4fjH"'q)j76n>D[ڌѮUɗiL忞wq$Ux0U>`(0u~e`< F Esd t7SyrfW²_zk } R@438WۖLION C>S(ǿv',EOHvwutgS]UBO@ }C [D!g\(i<[?@ՐBQ![s ځJSMgm+-^ǜ5:r}/y[ewk %u/p}UkE[ێ+/أɾ.p蟷/$7Y͉V%k.pE;'RyܸyXgy믨 =pR:qc;66?M V϶ѵ5],hBұ}=>Y/ARPbWQV ]A$>H.>CS?>gwpVNXMȘ? guHm~4zָsmĻ\鹬PʝyzE !;pjW̛_ʲ1hxɿnXg,`Atk?/9ht| ZhOp. zDGh`4v;$k ӂKҏ,yk ޿2Arӂ#<݀~~*Yչ\ήSχ]P;fm`jYi>w[,1c- f3\u)q^/>Ӌ,{wֹ;BCxl@J&Xz;|"1+S8i}qq^iz춇Kr+CBds??|k3hb`P v;la? dvgI=&r/?kK}cH ё!K:ZlL^L$ϖ s}ib@$w[]}<nr&l~wA߁KcîZv%*7iS¨zoYdgy|̪_:=<ںGEFSt+ vU v#}e>|8-njEg_]_칩+VEiX:Pr/S+5vKZ9-?ؔy{d 7ߣ>V$H:oG{y۽X ym=oR[]aϡU舸h;V>Qתy/U -HyHOp'c旷/;{ଥILd*wO9kpԿE޷|`W 7Ώ"JN*U\_=/"FbC{&3=P @_I(GOR og~FɫANbTحgRVY:9BPBky=?'zJHCySʋ'3ۛ1H 2 Q O}WqPM\|z=O^![ww Ӗ$cOy|Ѕ4 BΗ%u m?GCl}JTш!]~=y_=@i*'wǔ+|#__'Mv梀6cI6 #gP/^?+/BWtnڣZHJ7 A}͘/cs?'?ڙysEAܼ($9!B@jDJ~+ 'X|T@Bʗh"1>8CP"4JMs_#L}U'jNK [jiQ|x>u}gΦQtp@RDD H} -;PIĕf z4ĩ&"MY̤ 4Z=BBCV"zV .ڻԆ&ϭde!sVR3X(H!mIŝg@vlhnQ[7??oXfy7,Zt^T诚)*^S,W0Z*ۄ+6BZOgWETпFe4mnusD|#~:.뷓6Yu *Zg)y#3> w$ݯ2/Y;4he))vLMx9c 'U~?{k1O2OZ_ѻE#Z_ƃK~ ^6TK .Szmh:NJY>uK] JDB"|C~>& e#AXi9ĄA')j|(&GlRśYBɧU!IRZZ݃7 lQbTw-uv2}tq_$1<M* [ QEud0Ï~޼Kz3y_ J/cz;'V356K=5$N*!ѧ,a%=N/#CE}93534Z8/Տorq31y 6E5$l G=~pܩR%M9 A[{X&߆:} }NF]Rc v~+fFJl*=bfy?SXy]*>l[|cuGs3Xo tg@(}~g̭(sGt][x EHŒU v`XVR@yK& -).p:;-;/k$828l=0,^~.u}m\ g:y$`ZZrw8=7kL9P$ R&PϕqO%{6^G*T'4;~[,gV]R( c;IIkص[;"N^'O?1T>m _nOi"y+Ʉ;E>^b3~)>OK⊘nK* 4ҀzSD:p1VC1S<}hY# ,vXY y ]LʅUFVa\lfpϞ韾.֊ێ΀1FX=Lv{C9 ~fwJkEki{kֵߋGl]~>d7x}n}l'>?IblEx46KB?{RI܆bd5瑂ۏThs{whW6jj8Oʹb|Ft+`fr} iGt> {M ".Amj?{Klp $C aIv? p/ls6.,G@aB 0:DHIџk{&\3Ɔs u:y3ÝcF#ɐz2E<ΰd.-KfDz5JawT*V*2AAdDDDZ@Pߵ77s>֧́U>)p|P:To>y5 >'XNHJ&S^]+Av25aER1[c=TC|<|E:3PH ME[|g ̆ x8/==yv9:w*%%O7}[—Qic@'K*b~'|5 eϴ8=Ac'.-- Z٭B'Jբ&^a׮ d> 5s>9@"; v&(E5sI,a۶q$)sv=Rob0a9@}!e_.$9zNip-m\V31ơ =j9Y?1{m&A Ptص[dZ Tl kXmk>xk/ŭMG$ {0 @mS ){pݸSr$xz8?_GPR" ?ր.AC 5T V TUK XSx2N,,oV=wN?v,,dAͶ36,vyXU8`+9$L$q tjV؏ 6NF1w.ٿ /bDDIb۳0'ìO`8ŏ 3/_6jn,Z>'^VGRT/Kt}+`& Yo* tב; h-Zg}Pk .;?3H=s"oãZx*䰿Y!{'^M=o^p at8ˍ(ECmqކ/vy=,+ V=kvW'oih?Siv9ygmmp+ Ĝ;Td;nwrE=b|w^;Uf 43_Jms+k\﹦+3F.T?iXᙾX{;VBX}А߅fohK`EkʬXt_=> uy5cGor|Vn=n {L7-rvd]J=J(m/' ,ĥ=KXv4 P>$i׶ne1F@MJ՚;AbfumNqPqfVJ+Z[Q{ HM" ye14&io`. _h/5_Ե=>-vUPwz Vכl۞+ѾI /E0u=[b|zkFOv+ B>f%]o}UA4WN /¸_mx(w9Ѭw.Ѝ x`Y&2LPh pG \T/l5{tk;'B~_KuI]K')~d,6l/jꦲtMam@r~GHoǬ³'=z//zhD&ѢEOjqť[jv6$,wzT!8i ǻ:3G l`4[PH?OOwUd$zF];/ 6LvK6| Z߫sq( Nw#{0jg"^# oF"Vnb 08tt&MˣAV"%d5$d vTj#h(/%h}'1Г9x=N~I{Xk|-U~P;֔v7Bzvw;4~+6ͺ2tZqdsLo["Oo.<#ULV!7^G,J-Š'|Sɣޓt-vlHeU)'FB~R=&1E1>]ϐ ro:2aH>&=, a~}Ԓd8y.]&P_I7b W%O>?'nyj#`X'cK脄oЉ sZapuV%Xȩ!:]{tWFb_gwdKO]sf{٬ #CLf ߙwLJ3c#IN?tZB-rXA[ZA$ āmNǘ.F ?|=qev~{9ש7C yss9V\{OC')y8a-Lb7 [Rz]E]R(\)y'd3s2-#i@WVR24PWBF 44J֍&F$`"O\0u*\z x;L쓥x]VQ<1+H/HR#dC;^dDWD{*Vi ނs;z+H]xTxk$Qh ߥ6˙BK59̊ ,63aNH<> g.$~.{zMqrΖ4]-46| Ngt`.3GMa;5emt9-xC(яοjVH1аbU0w-LFva-&lp %+llQ@mlܛ/`wr71҅ԧC6X4̱U̎[ ic&,U}wLKeIr9o@Gϧ_k蚛zqC}֎GcB=i/d nw|@JIJWEb$pDL#t{(u1O;B¿Svkgr4F\ zkƀxh%dq͝ T͸ q5k|Y3zTir9ikCZm\".+ 菉4B~6޺lLbd{̠%Qe ?|=:T Neјцh,GjAm14=>T㟤Y4J* ]|Ai7 {@́ݽM^bQy{ȢŜ?{9i4.c6]~ HʊNJ>Nc?A*؈CWq Fq7. ݲ敭^y,`&p[v[QRAccAׂS2_Y z7`#}c1$/~igx!:RCjw545jӑ+n=HgZ]v١qkͻ?;k?e:V (]~q<= 1P˞s56aCвf/oF3"m*sRV/3hAs}|Zn0aKlBLV(0JS*@&./+TZ:ԁOr_09G*ى~?s,ǭz y8R[EgIޥzB4O2JҾO}!< bB΍݆缽}ֹȊ$hE`UFCg@A&%w:JVNbw*VwcTq1$|T:s52{?2N9FFx # YIE|G° 3Wt_P>תOO{qYfŤA^3=ũeڷ@ (]JK'@adPIbsهi'{ޡ#s,>ϱV3ԣұم}+ӻ&Aqxsqh'YW웕3IЪt^a.OЬ}< Cf{)@UNہwv:%MʏN؈ ,*dT</L/V 쯠$fd`4t7?Õ1$ʸ"05&x%2~S_::q@ÔB:C|jZ (VL޾lꄦ9S83Bקٮp19TwO<*Wٱ=O%;@ {w3>cV|_8`fJo4f@PPTҊԷ3e+Un_/o΃X>4kC45ca*SRg#^ )1lʤO|-rgоm A]ŔooCӣk'YS͐:&@%TX q*HHx-T0`:qq\|YNnYGE˷b?6cB}IK~넏 XK"/#l,KBdq@DAPT@G~'>oU?\ax zߡ׋"B >M`?cHM9mtg|yW#$^Ol1޼arݓ$wߠy~ ;;ܛa`l7- ִmw~=lj{Oߩ$b3Ͻ,f0{FYd{}g 4ؗZ|'ߺn,~ee OXi_q7=i_g|*K}UEiޔlfb<<ʖz+jby77^s:qzpxh;^Eޮ C4"`dX 5XKVT#@|G fpF}JLBXB>w ս<'B`I3Ƅ["Ff#雀Oc{Tsb )eN>6ۏ:X*yq| mKW,>2r@r4giN0Kgۏ[tYlH&r`ˡmPO꽚LG+ Ī%)dDݗtĨ猕͹(&q< }_= /bsDZu/'Zp&O?(QHEƛ*EU¦AOߛ˗^,l2vզ9@&>P6*6Y2NҎC&dTp 0_iY7Qc~{9,#o}T%Cٹ!UGD}rŶ͏;YĒ)gƼgXZ3#MGcmD4z 2N -bSقvZ/ߢ\s{8ĺNs=S}*H0qTzYΪJ"dM-cl!8pNbE _yeB2s{Sn@CX =mC;~ QA kc?WF1 % 2aن?b5Fu˕$}R^p!ɏH}@ٰX 2k HgGŨcb cѬ`hbbYmv;HςpFJN,U}MCV[*'pY,uV{Bϓ06UUDX DCxz&5mmgsm않;_êhClJpJ>CVlnCV/R CnMOg#+ض\ˆ2Gftm)Tu$Jk=i(}CDcU!\|- YWyۈC4۫Ӑn(`f4Ҋ%Twnbff1X3)yؚ/}> ioXA+u3.Ib<(UTT>5L~{tR(~vDH ^!~@ꐸ B2><!A@O'4P4̃wHz%g5(dg]y-NI~͗Eh >6x\˴UJ)~|'.VeꬭJ >vz3w>Uժ4٬ZyH#u.m)u(E 'z/ր2ՎPgK}t\J` $#qd%z3~)Ґ_-^0 y. v;3g0L1 =' zpf4+~!II0% ڱq7oȧ/],Kg(ys9Z#1w<8xj;LNzQ+Cw$ɩ3ޜN,Dn5^eFE_OkKt P@- `h0hc@{~dBn<;~lXp^O2 vkeQ/{E>f3  Dݯs}[lvC!3t}2sssXQ68OcN 5XWFY"]=orjU=pm=-[\qhup{/M75d~>1k+x,/1?T@z;Z9Ť^1RQwSy,H?ca/d.](syZ/#ѳvOLtQy}JMcT2_`23Ve f%P7I?p~9ReOˬ#3^ *wyѯO?F^L_ \_'9븱- 3*̖&e9oK|uG%)2U?_ y!U]ն0پ/,9\kȅELJ0RVQ+2E1|Z60$]Ğ@X$9ZgZ> I?*H`$Ќu4$.R~e?O*:J!Pg2 e=:AR6 Bc|p:@&[| =~Ќ) ZƦ#W-O3RJri0Da) م#C>[~RQٗx//C *^''/q0%+J DB8{WuuyX=>݋2]OE0eupT%3p~TP ģp1 YE|bmL})zǯvՓSw؋YfiW" .(H6V]:NZؼKB`d9$ $c-R zf.7!Z椫~B@ǵ ,z>G [Yޢ0:N"ou؜6OE uܫ_par&ޠWFR[R &7k!Yɽa[nPٌba_Gi/k<|O/WKK{/r$tuf0:%|/eg Ϸ{aοFN*ԫ|:D"FEIiDǕa >{udXA3ML$sN!P(!9{ۣ4=Ïo0rjTQQhgZpP&z'NH-vXlDZo-2]J3> 7Nj9c(S^ٳvkYвC v@iϭBؓNꯃWp Hk#<9\r+9<kBI%0%ٮ+?;}Gߋ=l +@J`rB(9!K@;]tٴ + vqYoq6_]^c"E_Nd6; Zud fdfٖy\|j]65kү2\QI MQ&PDlW"DFa/VThq{t .=D(7y:$Awdk'ț?`t{yPi\Sѻ_l3Qꁯ?SJ.꽊M {B]cd6TFrpPBhh3M dcuz,!o᪱=b7ÀP!,P6!TM Gſ(HNT_9@So,|~ HKUeYrѵaÁONtQ/S8(zy̋Ql bc(1ſuERbξOdXbH*keEudz_[" al94l{ܮ_>/~7AaU&Ytp1bW@}yI:F@KV@µgzL=JY#_e.R8|aX3;ί>8ozq[qNC~o ~{߂.A#"qL-g@> !h-il]!`lpNnr _j;e qt=y D!xVkniȸޘeeKqhf-# 6}J"1&W hܮp xl梅ΛZ:o*!~G쾛7W`7)O<4 a"gdz.aXC"MuqRŕ'^_~uuChuI`d=\;:oGkjU ,<(xϢ1~DZsW.G^ ל0@={zinԧ!XfAjb`vtѳ1?&}llC pp Oܴk׹/ %Dnmc) ݁ r\HYu n^<74yhwׯb־  2ͯ8 .BԩߓePb_99Zr״A2DD0g =oqbqS1cTrXoQe^|^G'ԯ/5ez].{|if){z΄, OIs*$~qES]ދ zFU2 C)S[$wuh{:Ȕ4$ e&)XtfegEu#RefY1$K!iMc<2[z}N!X$Ьo%+^=GGKÿ^Yŧ%hQm}_s;YSgLi|a=U~Ni^> ~*_[i$%&}wB>AB%H4'叱DB#| IA:@u8į{Ĝ4ЁPs˙GHDF1cIM&`5R- Nl&XQ@IL2N7PTOy m$=c"A@A*}w^i HMCjp+r]@(WQ-75(% æԃb4G^7G$I$ #ADZDdHeHBHHPE[ECEu𿆃8CZS1X=mz] 0HB9 Cb"T'B(YzP]XlT$רZG+$>_Ero?4b_:D?&&~M(A$Ua.r{L"L2^ܬQ3&4ͻA 6;(1A "T,@jrQ |&PyW3$n :񹹈A.n}l,V LS`>oO͘Ѥ{'| DAJBRĕ\H2 /l7P(lOfFђ?mlsF(+Pe@m(Ç:fO{*~6o??rErX>mLWK*<vY)ȳ=2`BŻz{RRǔg̬L.Q*yFF"v@N(X-L*zއM-c\4h#b)p(kKa(r՝̀ыD$TH[ꂢyqsNGaNWB|3A  Šjf;KQ'?y?ѿz7ms^*!aQH)) @Rػ#ulZJNuQRЀAʎ\$B@"@Bk]8CpPHf\kw՞W'd.嬫 6ofo`$t݌edAs?{{gZxMU4Rb!9 3F}ie1@H-HIk%n3I_)%]&xfn<&I$%&gKL?}}V&CjSqŵ=څPwU5V q.Pb#T!+.S!vI#L16yt<=Rv?4µOA'00mgԕ5_F`Vv״8J";rD]U8zs! HM_&mZlhtFgc#@Fn:zr݆b-zt -Cqt5>%!IB9KE4ROͮ'W:.4u~>R_ !@]w=]!F]rŽ+]ǵM=q˚i>%FͦtV Ͻ7Z\:E?~z nN eLjCŬ[Ly*y1 gȠT0GZll!yg6~yS_pgkNS+naqy.`6$`!Ffw?E7[ ^7)qؚ(,3lB)9YhFO 4꽁lϕp3pΥ3bnɓ][vSi]Νj-AwdE$]$%v=w׌8^*cO?:rnHϻ+SؓpG.W^=WIQZ Xlڷ\"dDlb#$tOeOGծs?GS71Ylo(dZ};;-q?Y/CTlu8)(aVכWVt t r]_RkߕI_iG^ĺoцq,T͌t̕&Sʿ7l DOSGw5hݮ?:HA72ӕ ؛VL5 ף^*tm-z/M#8XD,ㄶ-+__\ p*i|vn/^/:v7J{]@N%5 cWs>?c}.>*wj˨ Нhz>eMv'utlmROS/3[ _F6&sqYBax'œءV]_ ߡ__SznKsj+}Guq]'mAXA `olNơCCls(֦dlW)ֵȓ@uMOs~͟w#`DJ4IZhsBt2}hwڋSXH_{55>ek9vf.qB+^rv'C9$Ys+9A "&D%n{e*s;b7_ll@͖rQ2Q3  H(0]|L&7FF= A#SN " Dl" S{Yҽ`1B_bR]H#}L}g2ؔHy6 So/!/+6aH}bEQa.ߟjm"hs*=&P%\^(ewԨ`O N`MCԔqkk$0eWV(zZ,6KUzQdV0 R4X%i6ph$m{dwwwA"av0@!QJO2MX&W.㿊'GP闛=ǫ[gӣ|1EE''VN,HMdobV}4.Z!%0H@ Ru:1:ߛe%wG> 9?WY0@+hOS_u漖|xJ >9ح fH2h$9ܣ,`gIT(ˑ#y`z]ƈ /^^'_;Yұ>=Sn:,_ @ju63~TC !hBVgMPKB>͝Lс͢S!%0 @I*_p0 kY20>T j+qnz9L[ rM27iRM}wy:g&ekp(P^y(RI>H=:0ܴ) E mDJP(# ?c]nǔ!1c䇉25vbo#%Oi% b:`+Smg_gOm'>۵~Ԧ=ɮ yL4,tkWќj5HfE s...p S@a܉ `YN⽊W{ܞk  qmwsb6J2B$2w}T/w& Ú>Jَ:ӾS] TA/c^% DL ѝ2K_Z)~$ ໭@n:#ƣƆ+p* 88^U[!&z٠w%j~ZY>P!V ,^ IMdq~kwXiu/1A:b@Rg-d#\eө-n}rڶ1 _ї5I4L@r}8NQw^S-OgO'ϕWimBvJkG빪Gf&ו՟.驶q؛)8OXiᭂr@ dV5٤ݻ=u-ݱgJJB0<8UK5hB #{]h2SWMZ5sz {Q=ACn5`Ocr۽[x*V-}Imx5=.=|BWJضkom+oIZ;;$y"i9yZVO!a{ĩLHHP:Yl9cf#yS0l!p\vBd@5~RP_R BXǤ0d뀠"(A+u+^DS  =ipٗA#'G}qU$dd# u!F*c3hDY[|@_i6=!`d+?ZX\qpR76֧̂@],$+kW+=layLE- &g++.V9 b\xrZrFƀ)@;sSJ}7-tLOFòrѿKMl'I,Azz`^s("gF͇QQdr'go2nNy)BXiaևÅse-_%Qf*_I ;t^80t`rP3 }~ɹETP{%+$ިv[.! {Js3ot)a}}AӮ݁8R2*ħ(zQp&jM^qp+:]Ytwk T&l%uSE1,JnƟῐp\50P/JɃTc6лh7x˭wx2 1C<[d9S0kB(CWj']j)]~rִejX:BQV5`Gy>1=jX>r:sFX&pOC9H J qȴ5}48p ;(E)zzg k,,;EaաfLE#u}!wm!o[EB- n*PB{^jirg垃g:;bi\x i) JR!,C2!4BU@ġwBt }A$A@A!B% Dy%td Z <%dBqPhDfRA!`i H(TIHb RȽI"z!J@B $RWICH!@*P &-H& BV:ˮ4˷3u'7#dK[ t ʡ\`z"xq^o+XsXEE뻥9!2"t@,'t$pۻ}Sਐ1:(XIG:gUbdwI(#!>VPa5LkH !rߏOKn8A+|mj!TvQ+TO^;l֌6x&h H ? ~Q~4E#9Kk LG8BjF 9vA Tn.je˲7,yS\iM}G{h%ku+M /Q+8] c?Xd,fLvbIZ[,=ب`RA1"qm`EԎl9t$%Q[4~x.S5W!tOZbI>'䑾Q c,``@ j$\KD9*j<ݼZc_5m)m :bS`t; :e0SA=eF J*lBٯc2lg۽~]+ I$X>Z+WNGMETiST+M?R%k.$5fZt'sr፦R[\F¨V\Q :PBeK\Q^*T)$H9~c\RB2B]ǘЫ<.Je73?t[ӯnu"7a1Zu\V474cE٫w;iD7/՟@XI `22%LXcL(0DPWz)ƝjR fVv4&irOMwTq!Dfh$:uZqqCnl7Cl^aqdEm¾srX)< !)Ma5! !ܝVVzL?e)Ӻ`C·svP5y. h4 3bF!!A퐗9HXV8L ȠZ($qFK>#RDC !XJ{zJaPuNAqzm[}ȵurXtIjOf-l[ CgoȔI*@ɑ UaO1d+:h0K*H)< *>B4c7 I-,;NwSw Q)奪N $Q>=ڝ]2 ۼ?{ Xr$1C>rP٣'ϖDbJcBbB VػłxK=Q]/n+IA`EXOd(71vH%g֫X1s|!܋ 83*-ßCk9W &?(Bz{wxIc@PS}S6Ҭ,KLxl75xw%d9fV0<bT owLEsAP`B%dTN4 ?Vh|-1E^ȔIjE8mr\@ Ik|3c3- rba\l6o1Y E}N?M9ȓLlLUh~1)`h(P\;ýr:gVPdz]db$:W&u_άc ̀{ $Zbϓ/RckPRD"dܞN]#%>'  9IUXGg]-<1 SmXN@ "AC*ný bdM)ZȤ yU]عXEA!i G#mXj :3?-xТNsٿz7&h]) 3j/vpP0wMlE?gc<\+MY$@XW  A$]w烎Zժ\4B'a>xBZ[s1"xN+c0#hLj|uv&mر[>*890E z̠="׃)^hjYDzSf*BlzJ)89-bHmrZ"Mkn&L.,${z58XYE|"''N#âiؚ]U6C½RnUP B. CfТ0L!?AΣ5eތBr%ؔKhgȺ?}GNN{Y/AJi)I֨D#aުiNwE/{F\Ct{r$4G[?>f0zEO^p+>=+hnױR/#؞o7X_VHW+}izצv?yd&]4wa:4#=ʷ[W@Lj_ ǮfPt f}wV׉e =ziۇòP94d>uM0#Y/߁vW[w:qqzl0ӰQz}Ӣ@macX^3Dp{[sRn_5x%osi4abQo̞9M>ƅY:Iqɽn,b*6 ]!H7UӥI4^U5F-H⳥A~whB!!=Ϗv{A49 ϟUJCmvԀʃ}n}y~}icdP|$6_@>S VPh@$,>;Z}ql~QEʣb&ly1݃\V*>)nGFdN_Z\evյ&+FIm( TKmnq}PvNf!HIϤh}}Wu$,o9vlA[ٝoQ!qZ!m`DSU1 ~e\ٜZ} *wѹ[ ,Z <:Ljf}|YK[n~01çl(0c;/aqH %k$=m+[<}Ԗ >ae+k>߅sd:bo¬>س+^qZ 5;Cco,;]o(h'ٷkH2,@^g D9ǺM_y3@1xh@A_%pEk~MZ߭UgMy؃ki훖bs.%p}V89 [\rTi,va"IRp ?o(o?*dk'E$s;,,'"o=Wb~GJOӀs;p>nY+g{f3z0=9StўFtgN9,9']Tp9#GyjbЕ5$#;'X(?XYWzTH @&~U#:ޓll1|vx~li MZe_f~~؋{"ũ^/|wяoh|z?%NIo"G$HF`xw2XVP rA95KR@]'ٰUK]jK~Qa$ Qϐz0Ƅ \0[ۓqVqc)8ag 6 b'd:C:t^M W78'tjpnr_MiKfiADHTog/Y] vzǛ)_jhyOxt <#YÒ^W;?vWf7S7>Vg*|x6_'7%T뼉P̒%92nFτ].Z$EP2 D8sY1u co[x'% §,\>+Bw\GJ^w_T8!I fSNv_dkوkmOt6i{_⹝S)@Z^m[Hl>g7639+?.G1Ĕrů~ť_^=j$"B RdQH}|ϧD߱옏]/:68&>/v>Q1fY,Ԑ22$D0<6+M۪i}-tO_G1MP3HLA!wVDG@P rFs~S9s(# =Z^w42k=>|:kرXdE_w9SD15DTQ-D4ULDAQCT BaQFߟusڷZO̤\ |0h^MU][" H${xHGg\ Nޛ?# 33kd#I䅁U 䪎FYh:zen\48% Җ(Dc@D*(PS&DgPeF^JbP:7PZHcÓ$ D$:v L‘3 Ug(ʤg*Z|V;ҕCŬUCb :F8eg5Y59enESO$,F㭒MckX3ƿK<2/%%^YzL;_RPk O5ڹPgWxwA5'E 7,B@r_e1R + JU83C;kœ|Vl(ȶuL5sEqV;]iLei*"!"jXq8!= cLPi׻64 =1aV~]f=i+WUTrU~_ ˏVn赁5*C6Uu_MMLl/\׋cfDQʓu<D4e?\G=(*("$ f-n чGM TSES@QM3^-X-ߡ4ć>]_^@Ϙf@ ap,d:5>Sܐ9.$FaZl fUy%4̸tKˍ-0B e,Ri?%mqⴛ955U\x= 4(C13Wٴ(>8 u2(NC_{QSj~5nIy>lu %(3!5(S bGv7zp XEAETDI$7uDZ@PF)|o/\s6[N[f5sif.M_t Gvs.NvgڧIEW;G`-M B `: (bh$áEQ5U1 N[m2յB4kgtbHgs!s!̻wu.5hSuѬ6=r3KiBya3>Dcǂ x8㊍[.JQ?:qٟ-Ҩ~N8a]:X a@ V7Ul 44ofe&+@yz2zCWcYX _m8GC5QD>]αe&,: EepX*^MKZqRvhLb~inZfJDRcdx;? 42:n ѕjf5a\ !R)]2X6JI_X>$ҡuӯЗ:m+[VGG?տ-9UshΙ y6lLF*1={j>dn?c"{#?||q`b9WkHpI6|҄1o`~F7: <9SraI,ecǺt(iqnI.V|s|$/!b٧@+O& I;"DŽߩA|fΞztN)^sj߽IOKB4v Z|5ơK=?ia5m$"'R =g0 Q篹~ގ,hVS=LNz=|FŀH2YL 9By e w4PW59!!Ehss_c9bz%t8]6kY^$Ak~z@"VR`p (6 z/:Si *2|w9q]RmH$yUB>ƄIN ~Z4Ѫ>eDD3ThV8-5E1DTAM^c XDQJ*y_F1UWNs5W17noi7B%*3&.wr~.۵"Hx] (D ET`" f"P0DLQ*ig0"M*V *ZE^7r@<|ӆtm(AEISAӦqǛE%/2ҏQJ-Mptqv#{, ΩWkR0k4&d~ 1լ/}'N/Ϯ\3aQAwUbV x6!lRfo|(.QZm14uCVEF+yTPF^@@ p14F`F-]QԬUvǛ}8.,81ZiS iacB>{W5 D#BQ R 40"^FB*G͉=t9_/V^E"n>>fI${zl?5%ƥ XAeF4/-wU $yuƄR^1Ab)qoHk vt %y181]]JIDS2ЁLv>]ov+ee^K9qCygۇU'hBП]dWmLD_ҢSў̧oh$-xXWʑ螨N$0j;:(a X{>jIӒ{iz=Gwr'9ԕT*QRE?e >x>8[~J@"A$``]g+ї;nnGt'>qYtJ 0 R۹Ca]|;MYc 6/ִOe8y)ɈJTg 8u&6, =2^y!TyNa#4[7]UA]u cr\iSYy"ه*j8~E;7QoS_/聙4@A"4Ӗ9d 0 =\wi:%|'M# `cmtkv.}4[pZԀBi<đŒ'N],{IP@%[exuH MwXFA<$wB$h@F2B1\lt@@/n=y'Mn3u'?]!2ȧymcyrApCq\NoL\>!H0`H-˹nj>T_WB=Ro{ڨ*6"h?l9QXhOz;j$NY^.[,b1lWÌ(Rvt B;EZ܊@ >o:ORu4m 1]ΗM@U3U HR~7Ý1_3EW'PI'weȣi6¯@|"W=oQ΀d^DĀ3>kAIΌ W:2%]#kDTF(EUw񂠂 *` "fi"YG6CŏZz RkۥtAQ EU$LS}Q-5LF "iH)"" `~̉@c̵,1 `"&J*hf*H *v0STSTTEA4U44LDPLAUUS@TULēK3TKU4%ALERRQ15RATUQDPiQDRP@EQ34ETDTHDEA`(&& "$)F*  &"*jJIu&(!*)*M;C@PO,.ޭ DE"")uySȅU@AIABތ]`C'ES[5?}aew?C{x 3cH)HF0^e''`hi qԔA8.~-W8rZ߹pXzMٗN%Xpp5VU~Y\/um=ۼ vGD\RD3lgC͂8gdlW gW CA|t(a?F&KIh]3tr7QgU9Uj# Z[wVtCP* t+Ά3p,3iFeG.kzaMxS_i룷79 VoNzah8'fRs4H/9&v4Y:AeƮ=ɖ0(̚ѭJGa?8]I8 D1;Kvʼn3$mA"8eoSS 0KNxYCHEN>i"W*򅟑H@?M7Naˆ\:}}܀-$j8~23MA)-04CiJMe׏| vHTe)%hD%sBbBTUT P4KQ >q U'ym~ OoB&!!RMΣ]t3ǥfCFնե/[6)TQ) jP@Gσ 'k&} ko',qkf3 J*L9eˍ#ҬXжkzQ|zVV"EYAW(4iqT P2TO=sYѵ&9y :wd;`"L2 X9+V  )R *(:GcS4@Q2vԕJETG PHPsAJ&jB(__znsR gIxnL.^ vڛJoJ bn;Ng+\㸅~:i-_UzTiGdHl4 ]DɭNlu ԋ[5? \F@W }($%f"$\$ d&FaeȀTT~t'pvve?zU mUoT0o{{EN"dEEQMEE4MDI5QTTG SWTDg80J~LD41TQ1-5UK,1.qv PG#J袇`E4DUE{Ŋ655 vu ? "d"WqmѨ;zqۈj$ >j PRAL$gト[[b=TNOmduQU:gm\bDb(n+lfcTTbȍ%us2]~ 1ciI_2lPtTlAn%$ nlk5 +a5WKl3x٘թ&olk':{ nѣ`n҃8KO}>;ɴEU8V4fGy/'BUx3@;X?qz/q!C^9gkXcn`䂌uZmC|7?; (]f 2 O$!V0VkcSuO H4鎁x2E#^}]@PRi&R[ VGӒ4"WlС(ϑYH}$נ (B2\Je484!pσPPQqf,8䝻QXnKR͌.Ka|vmk>{(=ұzSu؜[vj۸Yp?,:29Db" EQTPʊx%)(cM~(_w:y5"EK)yA첇 xB+&C1zF|ucbΫs=̰ B@zjǜw,rt⺺,:sXjヒmbZx&89`՜íDS ,UZ@^8ÉЅ(heI!>N&*K Zaia0j_{'^'~~:ivwޕFIHH@ AIW!T&jî(׽TȱX* HZ}Lޚ^Z5z{o?5~~|m9;h~<'Fu51\|̤QT55txwk_͙#c f%`6[x:7zF7Yˈ؃SxPHaGҵׅ.ǗCcT#ՆEd!S[U tt1{=܃!!;O|s@99WiH<$0,BLٖ\ ni%7BµוA_5ߍ4kFGG/`a{kƎ]<47pb/#Z@*b.pwyV#1(: wi}25NWu Zk`O7TFv w+$M8edٲZD DpVX]dV&hJ33$ya)jp ͽL8y 1LClO)m A{hnm&[b`qhj̓m6EzKus4ώ_4Ӌr(X~]ЏqG22>:?|7_zJ UX2EDw!Y\41!àAS/Lx= Ha $R"VaEDwy{ <:1Vg]wo9|o-_,`­5"<N7YmmP$#GfxA Ғ PZpenA~ A 9,,U.*&M$DL>uȽiPM lJ (*"&& ` ,M541 N=X$ h)(`&+LMRMQAIE4UTEh)d" &P* &jh)i!(i)f  *I$11MA%EST33ESI%EDRQBPUUPUQ2'S"h "yRSEUZZ($ *?]޽zf4[8"**(Ƀz ) q+~= imQ +[X♪E"$Fcf("bJj&&I# ~v&!f j6b i(dELA5PS$%TDĕLUILUT^LTTTO7hh( f 3f~)sXƤZ .-p9s8C3nؙ6#^cXTڷLr}\ -y7vѪsAlJp"%$M 7UVHd&jGX};<ҬAk{c;(:V}[u| sos_ގ|VPkӑ+.U[p T( `R @׍ Jy,*dTqE5SFb^VyNUC&yn[߂8FP]SS4q̇߬OʊQ1JP$SH}t5>g1AMcGCMDwqDaOF B B]H:3H@){[rMꗞ%I")A ^74`'÷pAȗ$xH>{=q4էt*ׯyjcl%0mUPEE4TD~-jN#Jif:~\6RUU$-4ylU*"UQcfd>|O)$l, ;5?<|x.6گeϟ[oUFE2WU`(Ġ,f x} 6_e*tZWZ`$ --oV;rF&c BqvXMlYoe Z݄3WsXexcthRh*(f h4ڊ1+&8{ת'AW8d2F\m2n2lD枿7cPd0PTrbĐfHkÀWBT'e3bBx~.&n7h+QԆ\<D$ _K|=Z3@2nKPploJ"JJ"Jj~=pksG{PjSjKu}7}yUaNbS)I+whR?xI<iKU| yw?sҿT;@ڒYxY',@SCݙ3 ] E}.ƃ_ $AVH $F/Hkb2RQ~kԓb\+0A U|-lg w~ۇ=ⳞM5>+ڸ jw3U㟹F7tw5y[lXi5o׻FFֿ7y'=U"D %t1 nh2BO+V.& t2QǍ՜͉A:Vsk%B>s?zs{YڴLt&H,+u/Nf&Bz H"I5pșb[k[k)&U`R.4J(^_>-7ҟ#b t`Lc(p&I= WbdOr]@2ۼ?{TQr꘡Nazcz 5@,1ޡJbT05MAjfypيI^On N_R-Ǯ5y6bk@{8==5Uj4LJO@$t]wkgn* 5w _Dj--h+92ZvP@!@|ů+6komȲ:CogˠvԾYaA3!tZkz[Y(I^ZSiKMe${97~8ZPIqی뼕ۖg$~4ؗР])q!%'xц7PҿsR6 w]N R Ԑk(DןO9e&ڝ0$| ۏ!QF1x"feOriHp*Ndlߌڝ$v"JxF~3ITCaȓğ_Ä+n3h"@ug_%2{J Q5zTK@1'N_2h͓=;dc‘Y&d*=VD^V,XT*q8ucYzBBϸ %\H/aM }?57kH,`CrvM+lhTAg,Qh̓x1a1DS,VVY*TU@i I}T"j@$JfՑ 7V6|:؈  [GΙ5UQkV0hՀ ͝xf5?9[<>ُEJA ~ eصh=B~ (&qX{8_'z1xF_!}nuq.5AhAgofûbS6>3BDuЄoR@ʠ_RyܘȞ R^$[$Iy*CgkhrYyFϫfHAvqkwwუ}F}k{-$רSY'%RT@>4s.yM{8= I !\(7Ysgf?k/uT A+:U֍J9yYwI!L`N~/@˪̵ ~'"svׁ {T6"hD&Ě"cHL."C^GIB=i"kz)>}҇ΚBXֈt %4r&r[ X1wu9)VGѦc=rkb"X$T o?a{X[P IHhb{7?bܶcEn# Ϛzv0u}y;E'<=6"&Ǻm%V3"'NZOϤCsx7K dA"`~<|7 0&T2Ǿ__/sGUS|O{oPF^FRZ&nzB+vd|slLnEVuhV^|`PGrg7LV jPwflqzx[Mi.!,&]MgU_ɊɧGzxՀdy+w ۿٚI}!FY؎f]Ho8˥rKCձ>bsPtZ1w a}66_I=.n,x|wf JSl_GޭRLUZ,F-wwAǩ"Uvx*7p#Q$*R,LmniBykBa޴2va7Jd۽5IPx)xXՒU6Dʜ7uP^7+WiXPT: [b(x;VJ~u/ښ pz\eéDb=lvSOGg@iGYX[O򽴿 L Ev7bȏW=a2n7%TPR`E= J1M744@}yPE 7ut4Ln=8UE1RYD%[L,o|5Y~q6\ IrZP$%/{º{|rh@ @֕r~.FV~0!h)$iV'aI0g@lL5MR  Yg">2y]_CWeTTTFj-6_mТWνꣾ'iġ"o[d/ @@_ fna|\P.zCZk0llw c1ѨƱr'lR@q%uIB]cE42SR U'8n1U\ZCj{8\X8z;|wNF-]Ĵ5Qƥƣ孳DyA[34Qj+kPidc[óujiPb(iQiY|zym@fV%46FfҥƛoC, EuuH+̖f>qcwjљFحAF"*b"ZF*:"룚*͋hOTG]wvϖB!FsGa('\v l^5y1o*8WvâQ]mc@=%-ZQ5a+F&'[`hS-U[hѝ=IlKiZJAF\>=<|G:W2V\>+.3mvڊ( 죖 K:xbrv)l1޳˖[$*s +m1wABX`5:;N2mXc*'6:5n E! f5ZU?=pr~ qʩZERE"(]b۸݉ݍ|U7[8uX;wRF6h)+G1ׇôny<2$gAE$2v\[lS36( ĢJf!J*[Y,yyW)飵u:χA!8w`w2B4r5dd{b#F]gvܮ Z) PTWNm12V{'4rU&R1h)h>[>m\wo,fkR $aG8ܱ;͍}iG5 dDWnťJPDѻ\v[qQyb`kmimQn4$M֛GZ::M: kQ Hv.1lX7At:YRhH6kfpmEr mtKj-:NPՀXXdٖP aBUĦ%QG3׏ ?eӽ"+L]+v6 +Nk׼uMo篰k'lUYf\8˪ݍ`SV SյhR1Fء.aTFV?wX@&/4@F8nyó}~_4wڮ{X?liHq#J3Y1َB5=QZŌ81ُٓFJ R62n4\uM1vwUL퍍,tqѣ'D[ j:KQqm5wmmFV KPd^7vvݺBC *0=:dm-ͽg20pi8v&,JGJneF5W1(*KTILlz0Jk1mX~EEVT/+_w:w#.tZ+3tV dS5:zܖJzg K=O$ni 6}UOr; S rG<5TH3!Tds8@vJ (0݊l6" YFr뜸;aA<ΔsJYy^@`:*q#wiϕuUV{3;_y9CIlkJ~'Q,.Ge_{i\R|cBWum-e]26}/`óvU^5FL(ȅm5ieaWeJ1J5k{JݐZȕ #FmX}1.Yv#ja'\vj@ПTpsh*O8hQmr٫X&!w&N2 *^axA^B:̎.ixRBE_gjLXbL_ǥ#xoŻ.nbjݦo0+3N~>G(\weIW^7v@ 9Np5[dZ<&BN^J e9]riH~YЛRKʐl;}42]؉Lf@i@|gC2 |pi(KɆI'%]}zYk\N,a d$˦_2EҦotSeuűsm[H,n!z jP酓|XبS%$zJ)lNxt1bb $rYn{N߫xn;t9ΫYEB@O]?ΚХwXً]>bL :PCc"bziJV\ =ts 3 |~oKwVnag x{}=\|Ar5i }/ŏ6H77;{M{/)TN#KkHqhՔ ө+j+p;㗣[z.u‡'Af25͚sԠQxtc@U3 2Ζ&qZw`2eN\_MyBd/bHuAK,>{S*dC]:vEMI#΋ȫ}5E)"qwCDFYU*_6pڢ9l)6[y*I3 8aNzMga.c螧"%AGtWiz)l"G9qͽqeAU!xhʡF#'dM 1 e|)fɳ}9r˟ LUs*!,HU@UGS&1qHKoHPq2kmV(Ft 'ɟ3mf/%#n%P̶wd;˥̗@w#Vaq FcYॼ ,dņ3k)㛃eٞt>Un?OM(yvPCPAxz;%6l{ј:|Dtft 8kn*ě9"8cn[a-UL1ݶkhS=yo1Ȑ(wM[kj Q^tFޮ 1yR+EtE:vuR#SqU7Mt'v(52 ZSY^a ى6I.]]IRAMv~[ QI\uMv1vddk= uʝ<(đh0PE[kn1I#lEP:4\30,+8 Ye&~0۸p~E. vr-ŞHqA$[JH#Է+Fc'ao5q*bӒ E)27r7O0S#檄U*ptn/ ǥ6LQhp̄ BcHo;}0MiZsV_W+8:=f\?'ڳ\HMbȼeK%srBh9<)PM86f( PYCt1W xNpk-#!_d֕nDF'GKܖ#K\够iu/~ir1u ljZ_WhD@ᨐë )LM{̂6ya|1&J;$>C+^C3!&DZ.#dOg0tR8eFS[Rw7>V} XϚ6MCƂ)(d)JMu$%wfOk`/`YӞ0s9*(Ŵ֢xF7N@"dn8t\ aHwG{"K*VqO>ٜc+b$@ QCD0S*0L%22*ЪaNܓiIVQMm5 i$%[a:_ 8WG7@B rgGVR_Xдfu Jm+C"*)NnH ؉'a&:+CL.HKE`K E-˛ŅQ7i~J_I4{*@<蓚I(C#𑖑 J*$d;.(XȞ[ϯ;SU WuT㏟)1>ܡp^DY~ڠjՍ_ޱ 2@u&+ |p}ۛnC᳋BԴB}z-oߟۧ @QbA _PC]w⻖;{:,%IӮQg @-@LI*_?J5lMB1FgpCm\ cSVKƤd # A%Bв +`>W?|eSna(UVw':{+SH@"@K?@j);qhhZ%JJ ?΋ZL2 Di'VМgU!,_#u7F~'K=P6pSWɫ3q޾Q|FXUIyr*)NH!p=-:1vNx"SIq??VI:{nƬ/ T_N%VnS-Y~]BA1[mo9~XiUKc~kOF[q W@t_JP9ҧR' ?m@T~_09@^tNdR n5 &_l4 <?mv5*۞*tzD!@)"B!P fBa i"B >L$}QoetM Ĕ(-/ԢUB>@(y2 =c+z8!:r} D:chA5HY (ʚATz'@=:A&(A^WHvЦoP ha*itruTVg5'i< )Q FM%5{'zvtQGcQ14rS!ihrUPɁ#E{((R QTRER $4HR,B„*T*4*Q!*4p@ @ JAД - "4KEJ(P $CB(RUBbN%AJT "RРJ & QOJINHUDGɀW0 4 4#H@ p<!(Q ( i$EJzTP_W! BR+HBtMT&FF)TĨD#A QF4R’ӤtDi(@ih)ZAτ<4 (XF BIJJDD m4刡 )@TJTs}*Ek [F~Wυ{vɣK#zH>_ݙ|Of?a͌@WVĿogAL|Hx昆vmDaK1 ')?VzF2:bHP[ ~*PqSJ>qTVOZ¦g&Hʨ+sF (䫛9gwY }zuphR'Φ3騠HVG݇'Ϳԯz_=߆C *w0DPMlIFJZыS,# T:hiJ:Q"SBQHRCMt!(J6RgC2CUT4ٍ4|i3 PRQDUE*RP;bit%)@R:4P40MD$I10T4RPC,U(E2UDUhh"4qb uct]ˢhubAE1PZRPbBPm>j vt C i)*VZbhCJER4ްH*hѠ5:G*h+lc) &)́ZđD{ UJt#)0L4G$#\;0ITE Kg냻d;bሃ6'ɬCA y{m}Ϟ£[э'^ (hb!h 69n@Fa7:2>u*,22SDEPD%)LDԁDđP}ox^`r.BaFD,ٹR|X BB,(ZvɩC`_cUwif$ˢ@|Әi*HlNn*× 1ՐH2j *xj*hG^݊EӮ*4j_w)Ͼ 5 81&u-y9\(!C;tӗq泱,P@N|.D"3Q;4r?gqyG9d")~;ZJ]4&ESJֵ;U[@U M) YҘf QT@Pd[bؔ"Ŕ4/M_G J E" 5]-V*gKV!(B ~V}F-(/R 6OP,{(7ftɻC2A';mB@YQuz&);4gb{PkƵ8{u7|>ٶMbJ"(S6a_?wD;J ?Y0XOB/!l}F :(m|W) K┒;LY ^ѫmfy>J\n GVx IBByz&@ntAGVUZ87pD`RB39>%4֗T+f ba|ب/._߂(dE`nFh6F̨PiuDTݼ*z= 8R֌Pzb}smW9cC%a4BwY2a`>sE`' /bCi!4. Vq䄰{-ݶ_q}YM 94^_e2XpXIM0|ȝk GV_V5߅#4.v:pCpB)DTT_}3]tt[rrLbT֨N򓛚n> ֨LkQ=BQ׀@!v=4{~Dyk˗^ƛ؊޾9i"`090ABJ̀0 ##Gj's0`=g| 2>2Ո"|X O+Ee,==uli2FwjScJ$#  T}m ~D9w P O `a\RJUvGS ^ϜviaJ*1V,Avi qq|OJeF͑Y#u;y0?)K{lV65v˞ʷگu?8kZ#\RRT QY;swIؠk E)|aC=d68Ղ I'XM XU $XH"zictEQ $.qj@UII6s"0T C꺢'#_>Mξoj ͡ylȻ"ֲag!,Tsk)1y6 C۟lasw䒊SoE*mJypk\gdIa"h O8R22+3#G+7ϙ(r `~mb6>i'au7s%g;H^U[K%P ψׄՄPե\aP4(9(ki!Đ@Elۦu)(+$k S``4O ޽켥 G)uV '%M-6}R (*Dd:K@DO`2fX5L%"dKqQʑ 9+#F?sH$D(Ah&imsbEb@E$cP0)q8zz)!I8DB$H,L k و #&2kMJ hI f%(&8d !26L&IQ`JmK5MԲV~&MUDIQ"T*I LŚ̚kFhE$%K3,-5 yyp-u˒Lsၢ&")#|Ħ`0j1cĖ5Ѵ) 40%% ǯno5Ä$IIvm$\%634X]"E!N%P1:U{?{` !U-p+ڬ@~'lhmBebڟAB0 RJd><8tpzdbB8%K 6,!6zlXd @Qsf cTZܚ@^˵bxnzA xkAh[؄tehS<pk|@)j{τwމ!t$L#PԄoF7lK̀IBhoW$5*4B&#BpzUAGF{'\Ͱ@"V֔N3|F{N<Mmˀ5q}+A 3F ,d {G@,C1HM -;Hxw { /dz@!1 F҂{}^g5e!/Zqd)93k@i"sҽúfffAFZfe'c>zQn퀴֡aH B@+SYu vس08t^KKc?"KKH426׃kpj * I@Cǿw7f;戔7'Gt=~NGTE$xuư0VCIWh͖'H>&!Ivj[#N ao&X8'I?gtR'|So1b\j~hIHVӛBJbQy_3|a=^Kʡ( $*H0vI,I Y -U_:vĘƈ"ԇRԦ.Xj\).gT%aDxʧKۃtp&jiN yö (ݝ]{u'֓9~7"Kqm{!ӤPe ;~5MXI"0!3K7~F%SZ}[%Ï JvyRHu4R&`3a[݄E#TdiO2?[Q I$IM‰(xN{}{2BH!3曇{\=WUӞ[ -QAGFۅ idǟ4 i. Q;#']}Z]Am)ӽx.q!01N?TAݝt4M/l.jYws񲦥({ӆEPӇ(@ hvƯ>קg/ w4$P7GFnt oʝ D""h6 ` H;:yEQ$fQ!J@1މ#mޞ 3|:͠ߡsEMD%LS޹ڰW.;XdI?~w?^@Κi >swy8< xNZ4 L%, !J8Wa*];Hiv>7`7y,S AC4f-Uَe %!J!LJ1 fF hJJBK&IL2X̂KF1cV ׂ\ 'yYTDM _x7Z.e&w6E\@myg|̓1V**A Dcll",2)%.lJKUJ#" Bc!S;t$A(JmvA!,$ UQI-fT$ )eJ"L{;ҋ<L@FȢI 0dR!S3q2rHF&2M)$QIHhTy}uw AӦw,I6MJKe &6 N~nTE^w1{*j Ĝ+*D)(,Y%! Dn,)>W8j);N哹SAXCYK@Ԕm1^HKe (d͊2M"b(80K.*sqn"`0%{]i)L"XhY 1 ,$bLؓAA& EQ s.ASAA@QE^NΔLX4Fc$#  "-df$E&̖PH#IhP lξ#40ƨɲBH34&QD"4B% ƊIQHS B#L,F ˔TȄ )6<=<;KYLJtߎ JEJM& !&15MlV )F̓.gT/tuGYDžCQ&h~_ovGvsx^oہ,cK0T(.3:>DLzҠJeVfl( M!&2j"D<-O^s|ڈ*d*"E:9DhISQ<;:,:J&".~֊$'M|z:?(F_3ttb0&YԜÜ!TM@QRTs1arW\&ICln\ @A WMvۇ_QRGSPor9gU}UoD=]t998%Ur1-EB`( Hj y lA*A I%Tt"pk7b rwryr"(99DԴHH *Uww`ػw ȃnEDE$h(k+   mDF"?!:r;4]| TV.yˑ\;UF,e56DsdCgӹV$S)HE#dDKyMID B"f69M%lA3 &L(!'jPe0!p%E-(@bM*"n KQA@((\vAm4BW[fZ,%2abҔS",McpꃴYVɈAb#f@ A"DDaw (86΄#2pB( IɈ 揄F!D@KódE`S1 )PH $P& 62ȣ&"S$ƙ)QDE"LDkjHHAd"6QD22)60blbF` hb2̔@QAA# Y30Ĕ,flAfQhCHbMd3M [FlYjf* cE(fLRf 4FFTIDb4mE%"@($HQTlIdMT$ ,IcI)( $ XJ6(Tbd DPM cM&Ĥf$X$ԛAh5 @JLBA F)""Y 8dɨbm#* j@BӁPhxZAZ@"G5ڄJZJQ8qL@A= hJ(ZT^*4%SIN&SKJPm*#PMpȠȮ$[m0$2ōƋFH@qTjFmXhZkcmQRmV6i0UFUQmTjơ6V6j5ƍTV[Dm[F 4b-i(ѱY*X+lZhֵQbFV-AlcbF6l[QXѭب5cQh[E M-!Ɩ\qēS,4"f%Fb6lkQXEQQMlQDcQcX,mElmj-RRj[ڈ,mEkY#V*Mhض1U h-QB+!hh65MFIFƣTF6l[b"V-%QUbZ*-hԖUƊ6%6fɣb1EI[MZ0mQT[5#&,lb65؋lcETlV(6MQ`j*lV QY*4V6hFZ6V,cmHXjQjl[(EMUQ[k6&ţZɴjM j,kFhF"h1ƱEb5lmIZ5Tk&lZ-64,mimEQY `ƈb hE5kl-X4EFMQ iUT +0QHP5"! h QV*+U4hڂXѵEE))hP3eҦ49Դ@+H-(Ҋ(@SH4;Uh5 [j5Qhڊ[bZ6lZhisj#J;@%J ŌmRhm^xKTw@Jp{`^\1N24444oH3۳"jY%(D $i**kEh6-LMa6D&((4Tl",cDmDK( fiFe&Y3@H&h LdLEJ(Q EI# &M&ɔ `lSE6QMDEa(!L&#%CE$ e Z$hJĘdɓXC@4D0Ȕ%Qf&ňP3ci"JMF(e M0В& 4h$hIA+#@ZLjdj"-%!QcJ %62F &2,XJ HP I%+FJ QQ jKbJEIAI!&X JIJh٤ʼn,ȣbiVd&1 bFXRJLFH0J4`̌bMŋ liV+0EMDae % ,2mAY"$hF ` bŠ6$4QRA+s8"&Uͮϣ@͍%HԊ! d20M bLIb(1EIuvm:DP42gW)o TƥK *H`[TED m \`W:IІofƅnNM..P޿Y)sI5"RO ++ZT<Р?>=@XR,%} JP]DSҧgXKTkύ15u.gΫ'ek=.,wyVn|Uu]\|h]iǘ @:E{yw \=}bUܵOqlF 7_%SQN׶%pj(ܧL7罔ZAW#J,(4u欱tщ0in lXVO{K 5?(qU/(YXUw_< ڦ+싢@ ^D?"KJoRn)؎k Ə_L`bC~g;*?5KLR8ngf[е/+;ykɏIKH?b~h909ᢏޱFx ϵ̜Q\J6/cORl8}_h*@؉a:1\0xd6='d0&M! ڨ/ +G'?Tpuqoil-Yr&w3Rå5qd?F'F-t1Xmqd܋hzZkW?Ea>ջ?%vaRpjO}*8RJ^8sߍ|f}m 'i;eȕ-S?{jDPT…3׀X&[*PG5cQû|Tڏk?9nábaT12IHiIP*fnDGYhk| pKMn0wFCjVFO;HxpY4s.3RISA?h4(uH.r^INX֯FDjn5Dyd'+}Bt51'p/V. kx`tКDwΚEeArHS:ձ&䚎ަl] i* $ӦztPi6u uSd-!`VKzGz{,JjsNq5HRi, XNLfr&)dX>̴}[$&2B,] VaHD0t2>Ex4<,om,fO OYk(J6yd" Lsx3gvm+c92bwsKgn@#ힸ:wIPĩh7=Fn2:Ƶ_`xҤkz"o(*qL],/k,%`b|AUjur̟+c(iN \U\2ȠDǙt> Z , ALEGkk5P)tcR&B|)S7zL+.OGDŽuߖ~,~l{3);޲,&$1K'zڕ' !(uG8d`q 7XYdW{e֧I^ChL>S35ofu;mOR#l=_F ڄr7RR*,Z) %f,Dy;ϗ3YU v_% 7b #"a9xWCݺֹf;w>b:xU@ BLjB9 rf،x?K}о:%iuǫL.ө"d͝V}G(` ْ4KlTS"Ѓa)A\צW/vAB~5ؕ%9ؠ %Z7~gZnd C!E77]^SfW:iʽkWӥwg+iSQ~9uwHD%9fk(g"lINb?iv7dPE0/پ cK7IJͬ:p0ޤl?UV^â.˧A=#5 0'9eI/S\bk3zt`~jJe44'dcqʚR<Π:6^bNF# &7FK&QKk[g!-tq k3wQ\X <1D ATclQ_eyx'y(SmqQK̍ؐ~9Ya\J:9 >΁m/T槀- Ϳe~]!F߲7Kc L;i Ҍ/qR I. _g\B8.7EUpM"RWķ@ h׳YWo*. %d: PHP`{@^eGaUԺ56*{8WZr偁3_)RT,ўB>'F),hؤGJ3~$w ?t*NVc/2:+d̽uN$#XrMD4"bZѸ]dYԨhndOZbb5l? lVR+;F(L1kAP-j!/ ct7\9[Slnef()ܽn(S[Ƹ߲kd'w0amԇ_*9(7rԌZI{L&&Oby+6K H6A I5px ]_[K Q2" cP"ꐃRdk&|B!WZN6+N꠼lwd 7b sfS%[ִ9ɦ nU܉uqSo \Q2M$(f19oK\(|e+LOL>Zo>@R~yΕ ZtEmΩ`dݔ !ii9E=44 _N;E59qaړNժ4$–&A/(ݾ Y~)v td^UՐzG\ZH3#D֭idX3/gڝ .!2UdLQ, 1ZRf3w$MgY9ԣ[JIB]TԽk8ՌdDWs_{!hxyFwh#(63xF~ݮy 8^ߍ19em e:(;0Bf ¼.1{6_N_}Ps;B+s3ߤjBdSDѻ BJ 6-O~X)[߈>QVBnx9@T%DԤl4oDOOK؂d%N5݈0>bQn?"q&9 )L^l}{/ˎKu^LZo5ٖ} bJQɷ9[ʲuuD]0; VG*7 >7/"+%?T"[_o{{N##2hU;!ѺFjSTIudqJya, fs3Ùe\x&egfW\.EٕiT'ː?BiVFc\#K032FD62%+#>"0O="Ol v dT$Xl٭aLsfQZ^5}F휐QіH% ,4ː᝞+BfGNRI:-L 9\e~#!1( H?(ui&Qo̦8iBN=X#`2g*w2rU**F:cZnЫ P b%SAN!͙._93sઔ W/O*gXf?Z5)?@IPEÁt[9}WekpBE!+՗mC7;jw˵o0-nXpiwK }?RŹꓖ/F)OjU ߠ5BAV_GBa̠A )$<eyaq2TaFh5tՃr a';k#z*>?2rFz p%ŁL0T}av(_tIu H;[CSѦIy;k$.{\ySwaOq!:JMzN)%#(hw{#tY])6;iTT~Uqa[jz_L" .h )v4؅+.&ݒruϢ&Ǯj uN 2GA$5M:fzȥWOVa y9hWW\z7M<=E)lKB\/CusCk^q/\/'ɠgU\LgV04֐$N*mQnɚh(--eqڛ"3=Z>)E[7^i4ٴ=)u~R沝}9+'B؛{!ږ,[ѭs_\p,+qN 4*rTr_;I-vYkas;18etCrFБR0ƀJ SԵ̜X~hRI%A仁,,t10 4iCE0yg]Y4LŀLpT*#"SFݬkAox,7xUU;'EN0nXV3mFtćf" GaOq$c$F7 `Y}Qq.y(92_C`2|SIL9u L:#1p6gqѣL._ϸ|<:*=L;۸Ơ[ɱ87h!oD >s[l -ώQAG_0}KM/ PV&ꋩ_`hAe.Ȩ4fUu«Cx2:keƜ2]w 0nj1$ji&.x,<'~"O?__佧όژ6y1DcGb[sxfaF=J*.p5ft ,гys4;z?U>>q>زj _0. 2 H& -Ҹţts͓\O5]`b8ܘM>x&άXXL8GrT?9!r7i˲JesSg3POY<^zp~clz"T#{ňs2UQ/\Q$';)iE;P. M]T|!\Q4!U/ZYWE0 ugZSɫ[䙪=N0f)ebHQ_:z.CO{H0 yk sR; svzv7KdQ6h<'Sa^J PɭWȆnS?9 3K{fkED0zh>Jq?AݰSO(ϵsp4T h56WΘD^D浪JffpRd sz/(πwDbA'159,ʒvqq|At=,-]Yf`XZU\JD*)M/qo-^pKtXϖl[~)H 7^^{ gWT#L-UD䯼C<@%FzNVmm2p–*j;/3od 8iqۡV?)klΟ"HGwȾ$ FG>ہLt=0ooUcU#Ys1@g|vrhK[G9S9ҏahw_AHhTc:L^nѿ:Ǒj!X-ŒQM8n۪y%D9[SIQKYlNO|>sIsG  49|(ī)GWK&x ņjۖs/xI:S P`T(F]['s9};/O5B| )aȃSa+Hr=ƆpΪduDa,H%B/|zd m5 (f5C>WhUR7c[~JњO /C9 \]$2yE߉=9n*rƩMt^ CzDŽF+ř0#-:Ո p}B{˶eAY ēdͩrbeҕG#Z* @.{ŠOXzzx:/= }GZs:J GdJ>% 1#3Foha}X3ʡcDi{whvje*S$rd:WGK\nxa @ + )y^0 /J4lB(r7A E I_Nxݪ~ݞɂI ̖SH ma9_~&|QK?v}a:Ay /%.X]n$TuQp^h;d4!qp'?6'wjh} Na܈HO[7~]so<"ը1 'T6`+zC*0Ifm[\(8v"{5|X7x0g#Т4 GXīχ%ڰ8P`dl<6P+\gAE.ϻ<K䑳UN? DGQΰE,!`My}WSam*: $7{M$C;ʟ$51KQZKG]hXpz$mQ'1bUf1Y롃C f'V"$[+܍x "Y\Җ9]+̞aL<{WX;q`Qm35_f&,^GgX}9z4N#*ejIvnP W`7 z}}\#j`F' 4Vv{Y{:Ϟ3~@Kb^iZJh v/jL;$w\> r'sx?Hdfl\hDlt MY5oyRm8y8VԪI/!pSruY[Xw(i]Ox^>⟺jj Sfl jv>DWF!7 (N@0m >CUN z@,8\ ~/JCf|cE`xn"( X}yDVSJ͞fmEX bwemsG,LA-lCIfd|:\R Tĩn]V`s7 hGUt -C'[D%AdSӱh9VSwgcqlJs A an5ğ$F_ 1xQ)`[QW IEM}هs{+e-Aw!6UU+;fq6!Mv^WH϶b)ao䑎g ӍQb.}OPlGdV;T"a0F9SA_]?0%bR*<Y^߁ ']DPvʬeH\ H&>nD>x~Yfxk5xR5@ʁ:>$i25DnXlX֣aEkxY;ٸ`UJaRnssxqt\iu3xnR 51CYaʬeK2@DDiaBa>9Sk^=[@Sq"JUE-AHrnhO,kߝwЏi>"N`'ڎbs9tQLxQ.~̤m[Q=#Pk2n$K>aͱ>]D.EU,-3Z=KH\;#nu+Dz[_Ÿk9X< H- @wJ _+D% N6@YW< H%yF5G3q>p\Ku+ڼ*-Oeg`)s?ڰ$1M XO#r8O/mTN]Y?jz#'T)r;G׺y"s˜3kr;R ^ bkG=!`}2P1U9Ͻ K."*/mvE`mG.8 fkҬjp>,fT0l۰ .^Z-)=c+gd)ьHFBxw0ut츻ܸ%. 3z(̹ }܄ý 9ޘ#lJ{! /y!Pmoz 0qG0vo#A- )x1*)mYPMfɔrCsxݚ۲r& Zo.GDExiK :U54\+zj<̃hBӜp˕N[@jQׇ"n$HvV6KjLj1K?/7wn( ג|wlHKz~\Kk8 ɫKco`t$vlgY̮ @~[wk2&5*W/wkh²wUcn@Ue={a~MNM"18sGcPflP: ߁Ev#ljh{&cKS2Qq?~[`8%.;ƉD5XKvuRS%XB}PZЕCC{%iBj,,Yl3!&\ȐGO2Q"-ڝxThfdrƅ%PB|U,::̃?msOq\Mخ.h $"JRYELNy`\:6S]٩_=jJr+z5׏ Ö(+;"ceѿhd:4@ssTi^p2h39"vl-q:q\ Z$xK;@X(O?i_}j1 )t%}Kc솚̱s(.Q+ n,!QaP}a6޴agzmɛf+)d5zM Y|J|n \ɻ;谓;nK@ H?n"G9mA ;<,ژ#sV,xм5 .< _-dVZT9%urlD{ Ve820@=ַ{GFXo"r0xO _yZv_t#y̩ox-L!U 6ꌆ'GC@kX6 !>t,|.Cƕ_NIPU,doҞbeը'JXU=nC1}o+F«|bj]]y2eƄ2kkYHk`eKҵ0)״( ?QiD4iMѸ\,LwW3 \bKҌ>me^N!ynbtI֭eatɣy*̳ˍ -_m-Q+wA]|WrUi2~'vL`IG@/hx>%с#䃰q.%*8ؔ-Z wӷ>3ie}-<+2 kt]9!ibavhQTwmPVB,. ==`7Hb2yei;dK~a_+c -iWCK)bJ+3{d[C9b6 (DYƒ[y4O^I -$o6\V I^?a='oQ( bvʧQ=E| ~) '[FcZ@gD.=F?%#"[%t;EMd-ϊZv2^ 0]F 7 甶V  Ib t+6L"%_}?${B}|V kxdaAm{+uue2(Hx!I[[1''8/FpXE&'<4Zvxg6~/,lLqڛDЏTIZ[wF՝^R;0=-3d11v_Kl~V3RB9BM =mw9p#;`DC˧՗LN8oVEGSHmI&0§,Jٽ@0hey_Ix1GA.0ڪv!{{(!!og+TUa>?5 [~YknEowpNb)Nuy;XLG͸B6{k雟M ~oL2A-plq.,*cLͱx8pR}Wo:1NT?E('UXJ^uщZq2]xe|ǜZyK:lj``}dyuby3.3قrdžΖF( @v#3Pˀg=9~:N0_r.y`28Wx,Oa>Nkc?:},u!QhUfψ Mnhm-]+lcL8s*GQ,9f8 -=Rt+v֐WMNf@!ϴa۠)<<2,Gevx4HͽxVx9)^!a&ij[A;buG)ʙS|DawtI`O!JqCHƄ$P/mEz_d&WkL`>$uJ Wu[ -Ӆ-/SB:mmܥ;+LgjXME ?_@ kV`Q_H*K{Qȫ;J 8PqdU2, ؀R'?%eL61'_i}=y:0;X') ݩz:lڑAPnNS={wACcpu8,||8v)Wpqځ|?fuiJC6g Ig̟KecfE⯕1h^:uWhž%B8_Wkyc Gz 4m2m3a)ƢbX'愯oZk9b^EWmȺɈLT'qL{Gnǖ,` b҉h3D|(鋵Cl*ڮI8{6cg-ф9%M)w0h^R~e!Wku+7KŤ>2Az\B9{ /B!Gv]? ZA$"]':z. a3Y; GNw~s7Hq:9n q_bF;Av˜,B?4~Cylx#VN|l?0Ê ԯNkfi|i:aDt͂ bW!oR4_`߉#mt֚U4GAvQ!Z!;%Hxy3b=g:: ۤ V *!7VRsG]?إI_eM׀ƃ ]}ӧ#>!Ec?+'Nmt?Zӗc'EIHJ/%5 V)Œ[_**>cā:Z@7}ߢY(=ܣpZcƷ/,=xRedfdsh_naDHum3WvatEv3ItN+Rϫ5T!j= #f|lË3&G+\,³H֗jAl.nV^f2Ițƒ\\/箦`!hz[8 eOǶM%ɍYHNR]f`3cɼ , Q}WzJ 6*[k!%*WBA `gƓn"+idsΥvRmd~p! 7$ wlھ{c˹)A@fdjG$](29C!"׍g&|`V#C D[qm[3^mpbqJ,n>XI&szKgN$yᎸvr V[@%@ A-XhFywlي@)f6g`,puZ}\2`Ų+~|rppHl7#.fa=>^D(T S0܈ApVWrhoÆ޲D[GXb{|*FK2j+lqNɛJ#",~߂[L}[=l2a{١%RJ_֫mu/6Q-s S~4w1](./t_渎1&Fj[m^|5}GIpt;Ncoj8FoOP\oDCTS=2h:lג&"sz`#F P[;d&%8 #m[ ^q|$,?H*]r Lr~}~C`ܑ!)6,p56ER`>T"fGV䌛Y=^ȉ\GDz(Zʇ qR`Dh 7VE*MoO0$%1XT铌02 Bb\s򔥢h_ŝcBKqWEpKZFryQt*RP7bںhB/Kb@<O >!i obcW]XxX<B3{A}kvlXQ6DfS:pT7CG?*I"Hqug+ctC![7NϽ^Ƒ8uR tWÎ ڠkO)(Aq#d#n}gP[]ꒉ1KWג?NǀUIJ S^9@:Wk]xCTU2/Ib.璡?1V ?%Y?i^t}ϺNtv5_F z& 3&1eHHhmpcyR(SAzdY\!ofU4SYr R)BzE,y|K_w π -Jk 3ZXH§!uc RPz$SL9-{ã,(\z}固,tKS$)}S{-.`ߓzMz;ӄ=2 mZ,MqFSUVBwm,N"-lM,E3R SĂpyۍR25[5ER*%ce<dV+}o~$Ϋ]`̓ZkB0ob5hDP(F/3 I`a_%_VL@BrA4?D5zOZ5&:f' h$~H()wY\ -0c4w$+nZG*;iBz3tW2y$aYQ ] yKS^ R]_S7I߫Fx&H F8'dvwOٱ8OM` S0b rqI7NG6#ilX)5-m{H[+yi6kiVKIWuR37~_ +O)#ڛgԫX}3 A@^z[P' a-!uC^X++XGtNf[ #++פy Q*Qbg݌&CItr ŖN[/V6ُAM\VIV:*;,n / Q)a7n\R|fsOS gdP;'^ 4ă>DԆ'z_!stMAv+;Cⱼlw2 |V ?zW刑:+`d-Wq WC+1XErN.!RjJVPu-z1hQmZcT$nΫ8aNܼnXh\Rvc>[?Ӌ8xISJ()ΐq Ur&P)x% ioeQ[kIy+&s_RG֋> 0Hr `R'?UB7`k#C 0R6ReSCt &zb6~Ɩ6d|n> ׸y C, GM 7_[C\@/*Լ96ή;pq:Uq/hcW8nIzid&pE2,\@0&6IܝP:Y+myömaϝ>FEH܀ۀbc<]O'֢"za[Ks=9KNq61jp 3Éxq0}ea&b}+ifbхB ř*|^fʕ?ӇꧾzJfZDtXh)gE W;/ 9^!dL`\RQ//!r9:aqA@$J%pW#U(ԗq<)xFT1}&W`1o:3S;l?d~k]1 p{<=@13h$o D+Pyv4d>\~>M uFGcPԲI|wޒ$"/S JCZ/ 'ؒ>}B˺O-Ȝl:*iq$$"v3T!Q,_{ŎPyl7P=o>H*%XBQwP|gwkѴרJu¢3pjQ׹Ռ9]npEJDVCv6jR#Qj(FĠ&rG (?#}*qlwԱ0\Y]!Y4U9C_?/Y.}gg+G3(r1S]ЍE`^jB!"bJ_d_WɇdWia$d2\ Oe!Ei% Iy&ɲ%|VgʻK5׺`G l*%ENς'"ΊvK^Wp_wpnʫ1Mkkk>sKdaIOd, f7F5CJɴ, 6|JK\Qgf:i(eDjE:\(pT f7۴}2DN~[-3YZJ^0zu> NJѰaXnBf\&gZܾp#6X.|fwC"g z l5mSLK#TI& ALycpv?-ЄE [?ό62auTs3z0m@ܯOmH-K65TT.1N ʵ;2y3] Ay1oJJ[XtVDʫ À?YIJIy̩e"!? RY='SΰMb ʲęD<@z۴kF-<[Xuʶ!PsAG/hc'U\3vt v%ZwWg:/Qr1.&oh=rA-n%ڦ`*Ű^P1Tk!V" _g"("U]F HR:Q{-Du^'@􀄧pɈA^9=S`!E})c rU44bՙ"I:L! fF4\bʀ 9YbP)-މjQ7] n<>یqcrٝt4 Vc)@h:Y %B92}VCfEj͊lVGcӶPl}wi8"k85*:A- n T)߼p(FoC11""yHzulHTL.~9(uth6{?鴺=9f9tuEi=旼21갛3^LӞh,rpٖ&,S]L,$px^SP=W鳎",*ϔ1T,gp6k 9f!,!M:׺_gNXưA;lIazB(*+eRWt$8*6.j"7þcBFlԊO<::mBjP]h}J }S; 2<ϟc G|=P5}8]BOm*X Ifx hl/i,/\99(vi8gu3w-rFEz*f ֠#!ᎀ[/4ޠ%ݛu0hѺdrZVg-ʦŨf$Ӕ1"_̅PwV!}$2sN2T5t0 I\2#pT7Uw!7S!Q<[,^JEx975JUF۸7p[}X2H?w)D9ak]vhī5. "b̸3)F:tga5ipa熩.@3; #PsKl)ZK3j˕~Ƞh&*o62~<զ% N 4&Z cq/wHUȮBn.3Ep5a҅JIOU=z7\G[/w:p mWMy 1cDh9U(NjV?)_y!g:њk1.q ~{H/0Hq.w "JυvV 3 W "6GB]=Xo_柒?q3vҖk{ 0IB0])2+3j Gog,\‰x{d t_K>}9ծ I|R]0hSҁƓ=~=T 9fjo41GJ ye="m y"Z[)ObCb*aςuu&UHA QeX vQp1r4@ S0}K A\L>`JF#5,~ YymM}P>ZԳn3h]/+mb\I2zs;0C;FlsχP5jpO dUٙL Cu3 p,.)iy1k Šۺ(;8/T//>j5.oABH0C= VK!jhƴo}N8Io׉>Ln**Ӄte x"t(jCсlQ =e?)\ \v`& M5%iiD##~g"x6v-mqA!>(Q9w>}?KQ&Ӷ1j=#ׂ4/<{oLS 0ۄlC*@&"ݢA?1K圮H0C~/TI «Ε Ϝ}j@ B{iauRq0u6*wj-SM9S> Kds F:j+ɂI <)F Nm%-N_臾[j^ǭ Kvk"\_wvV{t5 aei^Z mH13L{0@qUK!NUrpSLjd`~@/pPk.%)pa¶!I?01aR4&,2R`&`ט$ me=+<}-T'RJ$/>0eZc]Yl#=D1q$y{%塳CL-tj'.eR)K0qUx̺T]{\} g}MEf_Z3?/2tʞ,q3e78!Ml"\NW蹏&}ox3~v.A BӘA{߰?pYpM*D-єυqFBwntoI7"00:=#y곻_JqƧOR@84;_6q`x? VȆl 7hMFZ RH0X1,\XA_ ~ n6 v.boM>t7zEVez>= ; GD T3} 3h(Zy%|IAtw5aʆ$R#˕D2̻\FU[9=0Ne޸-QOswh4 Ѷ4}ppnFF%Y$󈊓hu;*C((ƵDT4h^z+-g nk#/cY2x5$3r<7rώ01e~L>0N_[< s8%}"[.7=97AHFmXo83+U ߌ Ǐ7Ql8*ζ'(N w7 Yeԋ WYj<˾`2g $Nޢ1;/򷪿w肎YU@6t{i1Ucy 7<~˓I&E#{[W<cD*ewGjvu[w0wM4ࢅXz_ꀆ<- ٿ_#SL#EYe@m,q6` Q={[؍eR7\eBG0:۴I3CMFvZL.QLGbs^>;7Jo$h0K4yo-6I ?ƾwwl6J sX&M9d){}z?J!rx[j5k'%Xj0 ŃҘpEŸ=,\G\Z!^4DdW%0,>]=>`QE_=4S۝0:C`)t cWt ے4 )k y/J&<ўGzcD^*ТfRULÔf >Y/x5]v5hf}>d陴v76&'i_Grj ٽ M(jit&3lTwYcGmVN2ynK4Ux#9a su6kAl.1AXH{Q"DY2>̳81vpwGT`kc\1N:~9c.kKJSu\&̻r#4(. ghUÔ}xVaIݳe4/p@r^]:}(w{ϻՈy'@1+= 0FGͻ4mړ:gr=˷_J&-˱IO,܂b54>Fe #StM۱b&A)"cjujoeAK䆎׍-yCI-"CbіKq Ȍ=#;ս2q@AY`7 uQvڡ=OZ 1#\ќFM6ψ}h>CDmH;;BEFl܁ƟTod, !IݚMkqUS|(r|F}ĭE_NH'.m*ȇ^ihMEoDRAUݴu-&u}:#WN:6wڏiXE.ti_PxE.y^̧JxcAOګdpZl_'k*;"nQIQ$ 嵮Uo~&G ZNaDA! (XZ4rbVJX>og wJ]_EI܉A1_fkIRDgV3a_f(z4(C: צh#,lW#ߓ8ZDZ4kT \E__O,6%E)rGQ~GX( aKkhEs}X('"f)*NMj9Vʒ##-Զ9\/C*-tYk5f{v6x-҅A%k_ï5@)6G,L'Vx8J9U./U F|0RX=+.-i]@DQ VchdsKbg@Oc,ؙ,:7zV\37?Т<t_Pop4dAl3c ҄T"X,w\ `"!Q)>!xzJ7ӪNX4;O#svkaVg1|\9)<{SgJ0SZ qQRXr v&ΒV#Qē)Q=XnFGM9K{?RC}QXe6lk@lPQUt2 VPڣ; /`,@ z\?b8709e}P^U [up,aaZjz PCNp[4{B֖a3v%FmeÔ@{[|/ a;90'tVfcdЙc$ tֿh$C٘xB4qw}/_= NQ YƚO[s\Y=Z< hL ʢ IsBڒs쯡 Yr@gӽ GB P5 n2xmR¸DBcFq)܃a 9c^'3^Q.+ϜRb$'OR@ӊn&=2(dJ0×y̆"@a^>]» OE!mn͜rвS"jvoJNcX?4K00Ej[mp2%G>H-#뾶ŝ߭ o܌r]%:Ks'Ѭvne RaN*57 ;fRI+֊Äk{/3cͅi42bQJ,`Y(BGOI*m;zo 0Ѡ1$i Wȵcny?_5W1 ^V$0ځL]>FB-3 *Q&gbAt+ot~eO¦ez*P+ydctNP[_> 4H0Q\P})GE2Lͯ Fk]kbl!ps®2w>Nz-Q82H=zQpTY/s{;5 BRf| r2v}EzSM֮ >/Z[\@c>V@@d:fԖl}*J< rԁ4ʪПܮ{K,U](s/nV|^ tNǿ;r}9"dűc/?۞i:NfDQg=Q}%)\|-Oadx`yw\)M7`s6EuB{u 90xi 5$Eb.VjЀ;'SNܽׄpfj0ʫֻQPo"؋^厭 *'_ZӀ wzu"iA%1ێS5zoÁ9y^jhcL^dE$n:nсY7A4vJēi[R'{0Oip It:>MA!r ]"ͪTg}?nј ER -OP ! &AwnOC@풘LU$)h{)O|oGx`9 k%? We T ɾdק"yC!#r7L$gO%]P].݇gŝجp0t}[y/"(/u["?&xxP1l^BxR 8#P&%D0/"S읞4@⧼C{j*h"r_A>C<WZK 5nHS~ # m1?1☘dKc&.-@G#nfܛ<`(M`ܾ~.=K]aՁa0ٳ1ꨰ@:j>n*K#u!|ڎ\amD00Ry:xk`MKԻ퇟t؋a19$F ܎} dI qUO N+n>/x]x\O=rGkamj%<` += ]T@kOog%OƒHAVm/O59nT)* G8ݪ7'6Z= # AQV8&rF!l/s`)/x4uAGSkS: n[lչH+(sǽ#2(pnRb-4<>=?ɒ 7G3 }E b0ɇA`zL nbB#р+0aYY,I6?/NT"f1rt`ls;:S2I:wקym)! OnH56{RfLR0O`"8KipXxɜD _]($wƃӒe,Ǐ!qExqu#Qpl}r1,oXʥF}L @h!]6<}3W^W lfJBs ]ɒ=#j9eFp))Y%Z " 7.88'[ BR%G5 ɢD~ca뷚ݾG*k9\J.||_CG֩ ; WWºY8`{NZKBxh9V.Nj+"-W`es Uq 2K,璣*b3#_q5.uhYѰRIwVelg)~9L0^xFx5Xuy\݆q*[@=~Lf%@D2>]c7E#[ѷ<:UdQ2Q1QؒYYN*5 ۾Xڸ6Xrʏ֟MBBR⥔s~PeO^}>8.@ =Eby\DZS$-?!i_;S: 1A@ݔq$UN M`ct]8zZ,@$d2Q:cepKVžwqnQ1,)cR}mE^OOdo*vV僎AbJq?d oR{t5xK;*7A͈௶UAE {*tD2V[ 33p>3 cwyD4nMA% *ْf4M=(QYr9c\憽ܭ;濣Yf2aB w~b16N!0z=ʚmd6ӄ M%c/mTyk3-|A,nz `IQS~ʻAW˚进nhQkn2ŋQՅ(vUdke\*t2 n_{1z=ԅTyCqb#-t=MFQaEO'0BŞ<;ݿ:=p>AW0KհxEopco<5;a5*[&Fthfqp "<♪ r2z@ .YkdV#_frPzʝP|Owܗx.!kmTZ]}Os'!\dde pxr 2Vjw!tJ+f{8쳏nT˱: QQYk!>?kZ2h!CisQ^ikZMYAM\zat`EDq;[\rݍW|&QsBƛ6T2e&ehlogwF,cRoT?-` Oד1Lnxyy`,u*<1t6ӫzԺGXP(k< .Md3ػJ: pAC^L#g^zϐBāx\fpAy+56͔8ꫣa: ҥ M. [ƸM^{p4B^7$@H,7';EAϔ:4a"L5G7J=k՜pA#Bt"ZqKJL69\֒#R Q6bLiZp@"'9Ь ݠͮ'9C #b2]f9::.7~ZMFyCHgWdܷ)b(X]6ɢOn]:DsFƦH iz G $rc236͟YPT{َn _b]YwE{"`Zfk܇$&rW-{Ix)@X~X@QvŨשaN&A\Is=;*sNq$p8 %-7HNn2 .˚! jE#dɁE :AiQj,4ڟ|4o, Gp$Б{wۆl 4dlwpe:}DN#٦vW *g=!VKA';c%|c)ۓC?|yJi&1TnӤzϯ ѽͭq"B]:ݡ,a\J(yVTVsCZBvrXN\q&ڦVF""*e1dؽh~ё§R1Q6ߠ{[riW|[ǕA"g1;xs:d kwL$P1 rFePAn0 ;97ԝdۤ@cu#~XJ\UǵpYX@$8LnbtZ1jh߾n6#*xH̆g2xbJ<ءݛkK^o& ؅QbVGW-]-d%R),fB?gmt㭭gq|뚩ݸ*^ؒVUPKxa`YJB\'i$ptMo48~<|{f,yw4{PLb4)/r̶Hvk~?{AƧi,w>N08:L;rm}oLJOqod; bu :N-[XcNTFK>K0lPts&u&8/*Φylr1ưɈ;T񃙕j7+"(t(V4E|Qx:(%azd\32  YZ