vsftpd-3.0.5-150600.10.6.1<>,(h^Zp9|B{'+ (|єOJn~C<OYõ1H8{(lS޷L˕T1*z \sC-FC}7ƆΌ9ll*ⵁ!Qǣ0|dKfdבZ!\$X CΏNU1<G{ D]QǦ)\lꋔ1Μ8/I;PsjxM~rqPFʜܩ$tyg>O=FP6 W{槷.3>Ip?od   K )Jn  ) F88 8 d8 D8 8 <8848 L p8!P!%"%% %(%[8%d59&85:)5=a>a?a@aFaGa8Hb8Ic8XcYc\d8]d8^gbicjdkek fk lkuk$8vlwml8xnL8yo,zoxoooooooCvsftpd3.0.5150600.10.6.1Very Secure FTP Daemon - Written from ScratchVsftpd is an FTP server, or daemon. The "vs" stands for Very Secure. Obviously this is not a guarantee, but the entire codebase was written with security in mind, and carefully designed to be resilient to attack. Recent evidence suggests that vsftpd is also extremely fast (and this is before any explicit performance tuning!). In tests against wu-ftpd, vsftpd was always faster, supporting over twice as many users in some tests.h^Zh04-ch1dSUSE Linux Enterprise 15SUSE LLC SUSE-GPL-2.0-with-openssl-exceptionhttps://www.suse.com/Productivity/Networking/Ftp/Servershttps://security.appspot.com/vsftpd.htmllinuxx86_64getent passwd ftpsecure >/dev/null || useradd -r -g nobody -s /bin/false -c "Secure FTP User" -d /var/lib/empty ftpsecure if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : for service in vsftpd.service vsftpd.socket ; do sysv_service=${service%.*} if [ ! -e /usr/lib/systemd/system/$service ] && [ ! -e /etc/init.d/$sysv_service ]; then mkdir -p /run/systemd/rpm/needs-preset touch /run/systemd/rpm/needs-preset/$service elif [ -e /etc/init.d/$sysv_service ] && [ ! -e /var/lib/systemd/migrated/$sysv_service ]; then /usr/sbin/systemd-sysv-convert --save $sysv_service || : mkdir -p /run/systemd/rpm/needs-sysv-convert touch /run/systemd/rpm/needs-sysv-convert/$service fi done fi if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$YAST_IS_RUNNING" != "instsys" ]; then /usr/bin/systemctl daemon-reload || : fi for service in vsftpd.service vsftpd.socket ; do sysv_service=${service%.*} if [ -e /run/systemd/rpm/needs-preset/$service ]; then /usr/bin/systemctl preset $service || : rm "/run/systemd/rpm/needs-preset/$service" || : elif [ -e /run/systemd/rpm/needs-sysv-convert/$service ]; then /usr/sbin/systemd-sysv-convert --apply $sysv_service || : rm "/run/systemd/rpm/needs-sysv-convert/$service" || : touch /var/lib/systemd/migrated/$sysv_service || : fi done fi test -x /usr/bin/firewall-cmd && firewall-cmd --reload --quiet || : test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable vsftpd.service vsftpd.socket || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop vsftpd.service vsftpd.socket ) || : fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ $1 -eq 0 ]; then # Package removal for service in vsftpd.service vsftpd.socket ; do sysv_service="${service%.*}" rm -f "/var/lib/systemd/migrated/$sysv_service" || : done fi if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi if [ "$FIRST_ARG" -ge 1 ]; then # Package upgrade, not uninstall if [ -x /usr/bin/systemctl ]; then ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_RESTART_ON_UPDATE" && . /etc/sysconfig/services test "$DISABLE_RESTART_ON_UPDATE" = yes -o \ "$DISABLE_RESTART_ON_UPDATE" = 1 && exit 0 /usr/bin/systemctl try-restart vsftpd.service vsftpd.socket ) || : fi fimJ>hqp6}5/pe2Q$p}6)Gp8,AA큤A큤AA큤A큤A큤A큤A큤A큤A큤AA큤h^Zh^Zh^Zh^Zh^Zh^Zh^Zh^Zh^Zh^Zh^Zh^ZGǿOraqGGGGGGGGGGGGGGh^ZGGGh^ZGGNah^ZGGǿJ`iJ`hGGGGGǿO|Gh^Zh^ZGGh^Zh^Z43cb24f9420d9ee73c22dafe29fd25616e4df55b38e450764fb1c5b8b0578003a56c55569c44f61aeee475344dce61f4ea18df08c26782a1013f78a0f14d9a0ba23879a7a2209d11324c392a6d6f1824b34872c972ac1cf60b11279a46c953b4ff59cefeded709da635c1212256e6d417d82fa456319f90e4db85ddb03f7d1a276ea0d69babf59d696c5bdf853b1a2a8a898c0ce177ad971b1742174de21bcee9fdbfd2ec0207170371ca3cf2b0ddca2dc2fe3d062e5792e0d3e51474c3198c96f5f21db930b9a8d89b56a6654780954bdc2a41d2bc9529c0b8efb3817c45ef19b759a3d152efec326db0504c93c8700afc1ff6318553fce4da98be5aa2c78517dedf833fb8a3bcfa96b48d309f3892b3ae3340d271e518ecd998750fe11a0b74690662cf0bbf289900b0ddb4c2e0cfc555dda870633440d852f7d4b1b783d61fb32f8176eda6b27a54a61d14165b03aeaeae8c6d81a4c995cb121ecabe2a8848b12b05b7d664e344d4d59a26c3f6b13c645f1b53ce6045780791350b278606b4326d89a39bea92a0dbcaaee0f658d7bf810c8f322688b6b1303f3b357a0971ffb26bd0055e5875fb2d1083326b272685de7b017da65000a21f99081c1a300156ed67ebc32ca688633732308ba23c7601a463df9a8f6d4d349cf1e0fc770c8f5ee162751cf714e1ab6b5894fd08b0a95e788a462311cf7da47988ee5fa55aa6247ffd29f468e22eb304a368bb987510fd44f0486894de293dc7dbd3d48e78f5c4935bc943f442e358d7a9c81f4ce2ae1ec098543e726868d423eac55beb91b7b87274257549cc60d5fd2d873326b22eb89a4d8199bb5841fed3bf6c82b5494f2519b63d63c4f1517a1e7cf3373f19df4c8a697d1823814f425340bbebf5fa8f17dad436bf918a2f81a540847a9a46946370c2d796ffd5bb5d98cb8a69b2e926e181e70be2fcc7d0dbf34f8626e2e026b10ee91108f84dea93670caac57b394c2182acb8b70a360dda945df11a1598cf493774f017db569a57f07447119bb0713c55f01df06b2d4ef2c26d0d679c6782a60331fcb0f3991d0015458820819893b60b8129dd74b2e4779f1ac8344127e47a7847584b8cd79eb36a055208ca553e3517941f8d5bbb5970cedbef05d0593cada2185557053b9574c11524841d80749041f854a654fc72e6d173d62da1907dd14d6f39d276b20e02b0b1ddca6f54b5b61de85b72629f20996b3124be21877871518388548636459df9ad6cb5a3e31ba1f0b372b2f63fc08f5e195f0d1e958dfed03c57d8868a3f90317bcb3125852289cf0afbf0552928f37cd4b068a2cc039f4200175d65dcead6701de158a17c95797d0cab32f477176059b7799b3f92c90136440aa84ee7c5005f0d964a311df66595fd71183207e0297b8ea5d1f0f2ad1681e16c1df530ac11844e7fa010e7d5490c4a70c9df7c3b090e7a1822f3bb0cdff5a559a4cdd58f98c9536f23c5f43ba47a2ac8924cec7a864d3482f2fdb9bbef552c8c0123b8647b6ccbfc2d3cf717c0662397b33b84f9827d238703e7ac36fa9f129fa227640956bbf87e0233cdd821ce6627358df144f933424c8b81c40d70729bed51f634c6205ac6b8da43eec413bc084f62d987705c810dc2512fd4eec4269ae5e1373c19b9b21e5e089f31e173f54cac8362cd97c646c8e034e4676c2a053660b033e2011fe24297e93e0a74ec9cf119e2f9dbcf187fb805ba5aded105db26a693803636fb7228c98460ffbf22225485a2ca5e00cafd96ecb4336cfd34dc6064ec16f560c1d7b26d213de6e81f5044553f0237c3ea3570baa910e6a31e3f6e2bd8cb9e244aefa89e9123e0d306477bf3ae7199ce5c0604dc83fb34b04de1f91f96929532c4918c32caaf94bbaservicerootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootvsftpd-3.0.5-150600.10.6.1.src.rpmconfig(vsftpd)ftp-servervsftpdvsftpd(x86-64) @@@@@@@@@@@@@@@@@@@    /bin/sh/bin/sh/bin/sh/bin/shconfig(vsftpd)group(nobody)group(nobody)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.28)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.33)(64bit)libc.so.6(GLIBC_2.34)(64bit)libc.so.6(GLIBC_2.38)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.7)(64bit)libcap.so.2()(64bit)libcrypto.so.3()(64bit)libcrypto.so.3(OPENSSL_3.0.0)(64bit)libpam.so.0()(64bit)libpam.so.0(LIBPAM_1.0)(64bit)libssl.so.3()(64bit)libssl.so.3(OPENSSL_3.0.0)(64bit)logrotaterpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)shadowsystemdsystemdsystemdsystemduser(ftp)3.0.5-150600.10.6.13.0.4-14.6.0-14.0-15.2-14.14.3h^hIoedC@cc$e@cd@b>b a aՈ@a;H`Ȗ@`D_@_u@_=@]@]@]@[ @[4[+@Z@ZmZlZ1@Y4YA%@Y>@Y.@YtW@WWV@V3V3V@VaU@U@UUJ@U0U!#U@U@U@U@T!T@Tepsimons@suse.compsimons@suse.compmonreal@suse.compsimons@suse.comdavid.anes@suse.compsimons@suse.compsimons@suse.comschubi@suse.compsimons@suse.compsimons@suse.comjsegitz@suse.comfvogt@suse.compsimons@suse.compsimons@suse.comidonmez@suse.compsimons@suse.comdimstar@opensuse.orgjosef.moellers@suse.compsimons@suse.comdimstar@opensuse.orgsuse-beta@cboltz.depsimons@suse.compsimons@suse.compsimons@suse.compsimons@suse.comvcizek@suse.comtchvatal@suse.compsimons@suse.comtchvatal@suse.comdaniel.molkentin@suse.compsimons@suse.comkukuk@suse.depsimons@suse.comdimstar@opensuse.orgtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comjcejka@suse.comtchvatal@suse.comjoop.boonen@opensuse.orgtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comdimstar@opensuse.org- vsftpd-2.3.5-conf.patch adds a reference to our bug tracker to the installed vsftpd.conf. Updated that URL to point to the proper Bugzilla. [bsc#1182473]- Apply "terminate-peers-on-quit.patch" to introduce the new internal PRIV_SOCK_QUIT command which vsftpd sends to privileged parent processes to properly shut down the TLS connection in case we've received QUIT from the session client. This change avoids misleading error messages in the servers log file. [bsc#1199250]- Enable crypto-policies support: [bsc#1211301] * Add vsftpd-use-system-wide-crypto-policy.patch- Apply "0001-Fix-default-value-of-strict_ssl_read_eof-in-man-page.patch" to fix the documentation of the strict_ssl_read_eof option. The documentation says option would be disabled by default, but it is in fact enabled. [bsc#1200075]- Use valid separator for logrotate config file. [bsc#1192179]- systemd versions prior to 244 do not support the ProtectXYZ directives we use in our vsftpd.service file and log warnings every time the daemon starts, which confuses our users. We avoid this issue by removing the unsupported options from the service file when installing on a distribution that comes with such an older version of systemd. [bsc#1196918]- Apply "disable-tls13-to-support-older-openssl-versions.patch" when building on SLE-15. This is necessary, because openssl_1_1 on that codestream is version 1.1.0 rather than 1.1.1 and that older version has no TLSv1.3 support. [bsc#1187686]- When building on Tumbleweed, move logrotate files from user specific directory /etc/logrotate.d to vendor specific directory /usr/etc/logrotate.d. Builds on other codestreams still use the original location.- Use rpm conditional to build against the proper OpenSSL version on all distributions. This allows us to update vsftpd in all maintained SLE codestreams to the current Factory version and mitigate the newly discovered ALPACA attack. [jsc#SLE-24275, jsc#PM-3322, bsc#1187686]- Add "seccomp-fixes.patch" to fix the syscall architecture offset from 4 to 5, this change was documented in . - Add "vsftpd-openlog-force.patch" to a logic error in the way the force option for syslog's openlog() call was handled. - Add "vsftpd-seccomp-getrandom.patch" to fix a seccomp failure in FIPS mode when SSL was enabled. [bsc#1052900] - Add "vsftpd-seccomp-ssl.patch" to allow stat() to be called, which is required during SSL initialization by RAND_load_file(). - Add "vsftpd-seccomp-wait4.patch" to allow wait4() to be called so that the broker can wait for its child processes. [bsc#1021387] - Refresh patches to -p1 style so that we can use %autosetup: * vsftpd-2.0.4-dmapi.patch * vsftpd-2.0.4-enable-ssl.patch * vsftpd-2.0.5-enable-debuginfo.patch * vsftpd-2.0.5-utf8-log-names.patch * vsftpd-2.0.5-vuser.patch * vsftpd-2.3.5-conf.patch - Apply "revert-undocumented-config-file-format-changes.patch" to revert the "ssl_tlsv1_X"-style config file options back to their original spelling. The changes that dropped the underscore from the version numbers in release 3.0.4 breaks existing configurations and it was never documented anywhere -- not in the package's changelog and not in the packages's own man page. - Apply "use-system-wide-tls-cipher-policy.patch" so that vsftpd follows the system-wide TLS cipher policy "DEFAULT_SUSE" by default. Run the command "openssl ciphers -v DEFAULT_SUSE" to see which ciphers this includes. - Apply "vsftpd-allow-dev-log-socket.patch" to allow sendto() syscall when /dev/log support is enabled. [bnc#786024] - Apply "vsftpd-enable-sendto-for-prelogin-syslog.patch" to allow sendto() to be called from check_limits(), which is necessary for vsftpd to write to the system log.- Added hardening to systemd service(s) (bsc#1181400). Modified: * vsftpd.service- Update to version 3.0.5: * Fix ALPN callback to correctly select the 'ftp' string if present. Works with FileZilla-3.55.0. * Fix a couple of seccomp policy issues with Fedora 34.- Update to version 3.0.4. * Fix runtime SIGSYS crashes (seccomp sandbox policy tweaks). * Reject HTTP verbs pre-login. * Disable TLS prior to v1.2 by default. * Close the control connection after 10 unknown commands pre-login. * Reject any TLS ALPN advertisement that's not 'ftp'. * Add ssl_sni_hostname option to require a match on incoming SNI hostname. * The options "ssl_tlsv1_1", "ssl_tlsv1_2", and "ssl_tlsv1_3" have been renamed to "ssl_tlsv11", "ssl_tlsv12", and "ssl_tlsv13" respectively. Note that the man page has not been updated accordingly. - Upstream has a new GPG key (7B89011BCAE1CFEA). - "0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch" is now obsolete. - "0001-Introduce-TLSv1.3-option.patch" is now obsolete. - "vsftpd-seccomp-syslog.patch" is now obsolete.- OpenSSL was updated to version 1.1.1 in SLE-15-SP2, adding support for the TLSv1.3 protocol. As a consequence, some SLE-15 applications that link OpenSSL for TLS support -- like vsftpd --, gained the ability to use the newer TLS protocol, which created interoperability problems with FTP clients in some cases. To remedy the situation, "0001-Introduce-TLSv1.3-option.patch" was applied in a forked SLE-15-SP2 version of vsftpd. The patch adds the configuration option "ssl_tlsv1_3" that system administrators can use to disable TLSv1.3 support on their servers. [bsc#1187188]- Add seccomp-fixes.patch to allow getdents64 syscall in seccomp sandbox, fixes bsc#1179553 Also in the same patch, fix the architecture offset from 4 to 5, this change was documented in https://lore.kernel.org/patchwork/patch/554803/- Apply "0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch" and "0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch", which add the "ssl_tlsv1_1" and "ssl_tlsv1_2" options to the configuration file. Both options default to true. [SLE-4182]- Use %{_prefix}/lib instead of misused %{_libexecdir}.- Add pam_keyinit.so to PAM config file. [vsftpd.pam, bsc#1144062]- Apply "vsftpd-avoid-bogus-ssl-write.patch" to fix a segmentation fault that occurred while trying to write to an invalid TLS context. [bsc#1125951]- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to shortcut the build queues by allowing usage of systemd-mini- firewall-macros should be BuildRequires, not Requires(post) (the macro gets expanded during package build)- Extend "vsftpd-3.0.3-address_space_limit.patch" to mention the new 'address_space_limit' option in the installed vsftpd.conf(5) man page. [bsc#1075060]- Apply "vsftpd-support-dsa-only-setups.patch" to disable the problematic default setting for rsa_cert_file. Upstream initializes that value to "/usr/share/ssl/certs/vsftpd.pem" and vsftpd won't start up if that file does not exist (or if it does not contain an RSA certificate). Therefore, users who copy a DSA certificate into that location or properly configure a DSA certificate via dsa_cert_file without explicitly disabling the RSA certificate won't be able to start vsftpd. [bsc#975538]- Don't start/stop parameterized systemd units in pre/post actions. These units cannot be used without an explicit parameter and attempts to do so lead to a confusing "failed to try-restart" error message. [bsc#1093179, bsc#1010177]- vsftpd-enable-syscalls-needed-by-sle15.patch: Enable wait4(), sysinfo(), and shutdown() syscalls in seccomp sandbox. These are required for the daemon to work properly on SLE-15. [bsc#1089088, bsc#1180314]- Add firewalld service file (bsc#1083705)- Make sure to also require group nobody and user ftp bsc#1070653- Add "vsftpd-die-with-session.patch" to fix a bug in vsftpd that would cause SSL protocol errors, aborting the connection, whenever system errors occurred that were supposed to be non-fatal. [bsc#1044292] - Add "vsftpd-mdtm-in-utc.patch" to fix interoperability issue with various ftp clients that arose when vsftpd is configured with option "use_localtime=YES". Basically, it's fine to use local time stamps in directory listings, but responding to MDTM commands with any time zone other than UTC directly violates RFC3659 and leads FTP clients to misinterpret the file's time stamp. [bsc#1024961] - Add "vsftpd-append-seek-pipe.patch" to allow the FTP server to append to a file system pipe. [bsc#1048427] - Add "vsftpd-3.0.3-address_space_limit.patch" to create the new configuration option "address_space_limit", which determines the memory limit vsftpd configures for its own process (given in bytes). The previously hard-coded limit (100 MB) may not be sufficient for vsftpd servers running with certain PAM modules enabled, and in such cases administrators may wish to raise the limit to match their system's requirements. [bsc#1042137] - Don't rely on the vsf_findlibs.sh script to figure out the list of libraries the build needs to link. The script is wildly unreliable and it's hard to predict what results it will produce. Also, the results it *does* produce are invisble in the build log. We stumbled across this issue when vsftpd suddendly had build failures on i586 platforms because the script decided to try and link "-lnsl" even though the library was neither installed nor required. - Drop the explicit specification of the LDFLAGS and LINK variables from the call to make. The value of LDFLAGS we passed is the default anyway and giving LINK has no effect since it's not used anywhere in the Makefile.- Conditionally install xinetd service only on older releases * On current distributions we support the same functionality via systemd socket activation- Fix build against OpenSSL 1.1. Remove lock on 1.0.x libs adds vsftpd-3.0.3-build-with-openssl-1.1.patch (bsc#1042673)- Explicitly depend on OpenSSL version 1.0.x since vsftpd doesn't compile against the API provided by newer versions.- Adjust to new system user/group RPMs- Add vsftpd-3.0.2-fix-chown-uploads.patch to fix a bug in vsftpd where files uploaded by an anonymous user could not be chown()ed to the desired UID as specified in the daemon's configuration file. [bnc#996370]- Extend vsftpd-2.0.4-lib64.diff to also find libcap.so.* in /usr/lib64.- Do not bother with omc xml configs, useless nowdays- Require shadow and do not output the error out of useradd- Fix hang when using seccomp and syslog bnc#971784: * vsftpd-seccomp-syslog.patch- Fix user creation to not report error when user alredy exist bnc#972169- Fix bnc#970982 hanging on pam_exec in pam.d * Add patch vsftpd-3.0.2-wnohang.patch- Fix memory leaks in ls.c bnc#968138 * Add patch vsftpd-ls-memleak.patch * Update patch vsftpd-path-normalize.patch - Fix wildcard ? matching bnc#969411 * Update patch vsftpd-2.3.4-sqb.patch- Clean-up the init.d support to be bit more readable and add missing dep- Brought back additional systemv support so it also builds for SLES 10 and 11- Version bump to 3.0.3: * Increase VSFTP_AS_LIMIT to 200MB; various reports. * Make the PWD response more RFC compliant; report from Barry Kelly . * Remove the trailing period from EPSV response to work around BT Internet issues; report from Tim Bishop . * Fix syslog_enable issues vs. seccomp filtering. Report from Michal Vyskocil . At least, syslogging seems to work on my Fedora now. * Allow gettimeofday() in the seccomp sandbox. I can't repro failures, but I probably have a different distro / libc / etc. and there are multiple reports. * Some kernels support PR_SET_NO_NEW_PRIVS but not PR_SET_SECCOMP, so handle this case gracefully. Report from Vasily Averin . * List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default. * Make some compile-time SSL defaults (such as correct client shutdown handling) stricter. * Disable Nagle algorithm during SSL data connection shutdown, to avoid 200ms delays. From Tim Kosse . * Kill the FTP session if we see HTTP protocol commands, to avoid cross-protocol attacks. A report from Jann Horn . * Kill the FTP session if we see session re-use failure. A report from Tim Kosse . * Enable ECDHE, Tim Kosse . * Default cipher list is now just ECDHE-RSA-AES256-GCM-SHA384. * Minor SSL logging improvements. * Un-default tunable_strict_ssl_write_shutdown again. We still have tunable_strict_ssl_read_eof defaulted now, which is the important one to prove upload integrity. - Drop patch vsftpd-allow-dev-log-socket.patch should be included upstream, se above bullet with mvyskocil's email- Fix logrotate script to not fail when vsftpd is not running, bnc#935279- Fix hide_file option wrt bnc#927612: * vsftpd-path-normalize.patch- bnc#925963 stat is sometimes run on wrong path and results with ENOENT, ensure we sent both dir+file to filter verification: * vsftpd-path-normalize.patch- Update patch bit more for sanity checks. Done by rsassu@suse.de: * vsftpd-path-normalize.patch- Add back patch attempting to fix bnc#900326 bnc#915522 and bnc#922538: * vsftpd-path-normalize.patch- Reset filter patch to match fedora, my work will be restarted in one-off patch to make the changes stand out. Add rest of RH filtering patches: * vsftpd-2.2.0-wildchar.patch * vsftpd-2.3.4-sqb.patch * vsftpd-2.1.0-filter.patch- Work on the filter patch and split out the normalisation of the path to separate str function, currently commented out so I avoid huge diffing. * vsftpd-2.1.0-filter.patch- Add service calls for other unit files too - Udate filter patch to work as expected: * vsftpd-2.1.0-filter.patch- Try to fix deny_file parsing to do more what is expected. Taken from fedora. bnc#900326 bnc#915522 CVE-2015-1419 * vsftpd-2.1.0-filter.patch- No longer perform gpg validation; osc source_validator does it implicit: + Drop gpg-offline BuildRequires. + No longer execute gpg_verify./bin/sh/bin/sh/bin/sh/bin/shh04-ch1d 1751014069  !"#$%&'()*+,-./0123456783.0.5-150600.10.6.13.0.5-150600.10.6.13.0.5-150600.10.6.1     vsftpdvsftpdvsftpd.conffirewalldservicesvsftpd.xmlvsftpd.servicevsftpd.socketvsftpd@.servicercvsftpdvsftpdvsftpdAUDITBUGSChangelogEXAMPLEINTERNET_SITEREADMEvsftpd.confvsftpd.xinetdINTERNET_SITE_NOINETDREADMEvsftpd.confPER_IP_CONFIGREADMEhosts.allowREADMEVIRTUAL_HOSTSREADMEVIRTUAL_USERSREADMElogins.txtvsftpd.confvsftpd.pamVIRTUAL_USERS_2READMEFAQREADMEREADME.SUSEREADME.securityREWARDSECURITYDESIGNIMPLEMENTATIONOVERVIEWTRUSTSIZESPEEDTODOTUNINGemptyvsftpdCOPYINGLICENSEvsftpd.conf.5.gzvsftpd.8.gz/etc/logrotate.d//etc/pam.d//etc//usr/lib//usr/lib/firewalld//usr/lib/firewalld/services//usr/lib/systemd/system//usr/sbin//usr/share/doc/packages//usr/share/doc/packages/vsftpd//usr/share/doc/packages/vsftpd/EXAMPLE//usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE//usr/share/doc/packages/vsftpd/EXAMPLE/INTERNET_SITE_NOINETD//usr/share/doc/packages/vsftpd/EXAMPLE/PER_IP_CONFIG//usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_HOSTS//usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS//usr/share/doc/packages/vsftpd/EXAMPLE/VIRTUAL_USERS_2//usr/share/doc/packages/vsftpd/SECURITY//usr/share//usr/share/licenses//usr/share/licenses/vsftpd//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:39455/SUSE_SLE-15-SP6_Update/4e0e72577984eeecc90e12db6c461e88-vsftpd.SUSE_SLE-15-SP6_Updatedrpmxz5x86_64-suse-linuxASCII textdirectoryXML 1.0 document, ASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 4.3.0, BuildID[sha1]=781a1a67f26f3eb76d6ae2e51928577ca74f0fec, strippedISO-8859 texttroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RRRR R RRRRR RR R RRRRRRY藲9T%8|p0gsystemd-sysvcompatutf-8fddca30a924b6c722266a2319e328ba5fdb976e113e3ca9091de624b6cc3228b?p7zXZ !t/]"k%Lqj(}5E*D"’- ^7U7n1'AqWϔn¶ +w`В=U1$CE@,>bS3Ed{e49wH9mDQfovdh9W2 ̓a1ohS1c)6%98ZF*npDȝ_TWSj֊sNY -#P=DC1GvWJAwfiZ-^4HZPjX3ȳ[Tɢx|m: JBP!l!v2\ Go+lgZAcm ~_]l,r8K{QC7WlBsnkP_6Pg\בũ5'xD|lujƴ5Ny~?]ȷ.9`F$`"tlLGhoÌ4'2"<< A5'UcΦ6>ee(gTZt^TÀZ9;`ekJJaGx ^֝,v?x5WPM <='Y N&']8- o4dTIw?Tw %-&3ZT+Vr}?Rُh=Cgy߸ =s.'D9;-rd\Ĵ'v3` }PT4G[\|lrhh\UљnoESwk'# F 鴄7Ě{wHXx' rHG&'rzRm0Cpe:o(-lp~( *.GDiCH5YOJFЩ3ZkֺRZ=<>cHr܎KuX qEaHEg8>D-sȈ-'aG9,hF_zJ">p6fR`yOdיhE9zU-ur?}V8QSFJ):p6Ĺ-hj!e4=ҏ7srYE?n(Fc4U` G;9x{+VE *sS#`+doݚ|1}ы; C)F(8uY5SsW'FtHĄ" ?㍋%@ m޻a鈷kIH.+lXRpȎ(Uٰ%B|2[p*YAj 9/ y|#a>sN YCdG1%AKE{C_ :LB'~֍2F š})s}k[ęjb]s]jÂe߼.JKm MP!Ǟv K$O85ِ@%LQIp(ADquЖY}9C_N;: *XkkfPZOlU ی䷠"ly d(]}@4 ~s^0zfѕDd?s( JoL>fn><]\8 wݴAU4 HSi0{3 Z`WuUve 6NIJ*Ʋ?}#Ma+^iwƋفnjG*KROٜhyf׊ "}4hc($JBLݤ|4 =?Q. / ɕwjTƜHz6=/>BΎX"~}!O6Q !Q=" 'XKGsZmi+ Aw, xN=9(cIg5h** &r1_h<Llr7٥fCQjMIzɔ!ưrl +/o`$YD6 -*v@LYtQ;׀iwܩPy1e≓x6-Zݢ }JU(xzϢ1WGH5V#&8U-u"0sR ݆ I#N&&s >(uxyHGh`߈r&Afi/=TUp@Kb|ٛak2 4 8d D=%peuĜd<(fiUh`kz3 meeU{I1 LhhH0[mYĸӆhH@U"T.Rc&*OZ:P?/c`׿(Gky "Ԕc륀3\l`j36{wP-_:q.֩ ςI~^)r3y?羗H5ZMɮc~|e.Ikww;w(,ߘeGmÌ2;'ŕf8)iO72]ͷFi}5u[&4۩ꯄWl((#AKiuvx s(+֧*lCأ׾x694YKC D"n̜?%jlXkz"II*nِ7^hnl}齺Sl<^a}AbH8p4yo+#`Q '2ͤҿ/v#O{z(άxlEֿ BUA+<##B?`!rr5 Zw]?m>al2=^DYq G: Es9Uk~4O50AνMs|EX347CApTIg}0|F2Gc8_?9zoWcƎ/0ΆBX\-{̵设dd'Pt iFk:>1[v{lr@E"*m|n^"[ =TK}p ]5>AVczw8 xW㠅/]qg ʅ~?c  jal:B~QpA),N҅p?a)"p2o/F>Bׂf].@k =碑oo\XM),$s eϪی6&GV3)H6!%T|"!D!SwcgUFd\@.s󁥱z[XsQrm9l!҂ uCN]9[SmWWMw>{  [SS+8gH ~;ujD.2FWk0:",-dQ0 G=B"GܶmdZ4a/+d0[@~ 6q {v*H;$ӁW 9cRLYH̅toZ}?J /HGO";^Ħ'_2##4e=3^@M<\b-brB)#2p!b.ntsIe+"e/*NƹcSL.R+;鰛ʦ:j\@UV'LE=]8(FfD`M/^lOck4N~hH}?D"2Uk0 Poų%`2 g eI5oʠXM f{s0c^82D\K,t2ؒتڒ @VPaGN.*:+ή˝8u#/%BvS/n`dY[Iy̜@,ڻ" LvL&秡p.O!Q3pD=SH`>aລtәl75vVղ?NPTOꌙ:GzToҚ9XAKS4t}$z.Z}Jgמwf} :7Jvz~~8f1wFvplAU덭QCi&p.J43^KX0{+ma\V:UaCbhq)wIF~}0z2dcd*N4cy^igZj7#7-/GTrꚮBd2$s UMnE6Co 83fCeorK\ 0{K:6ٹ<ݮVZH\b 20{ kJzY[28e({K|%rt#[[Ux3㘡bc~ P@$ ZdPqu2^ZhA,"~'V0?J GVaL:QdC%S@ aMWLiLpyUQ߸VĆ5_܇Z#IW_h7kYmC׈mjwV|06ыpxu7^yٹ|!5/{Vܹד/'*NQMtjGq)ZqлI26`P ްn Y˽P s AC wʼnj~}pNDHtdA#B2ׄ Ϗ0P2Ny3zR惓d;+@y0@j W`AwLUo9)[wML[_NHdp_'iF;` U )$Y@ztV~vN32KYm'{ZuS6;+$W [l?)N}uڴijqNV0Ү6LtɁx~3V&DfS? $"v눍 $zpc8uO|'~\КXz6qWGv KU;fhΊ?Ԋ.p>}Cr@b~4u;Jqk߀idjMp[2y׃jl WW8`Fmμ- J" 2,;~#EDY+WDhOśiHK].}ߦI|ׯi66jX ױj%Y <7aЀ"SRv WDQXaITFQIVjOEW!pqgt8j&t97uݪ}m]lހeۘTrpX|pS:h̲ٺǢrE[kϣ73vyFJcKhtxA:mrM06#\ ʿ`{gAC22עr-li!^V-J-xmٓU) UUzcZ^%uTz~a-4۹]Im#ސdr]s-5yөk%g}N}3"ns@LR6*^:oAa7`qɰ{vcamvF+.u+^D x+x 1Ҥ:XEQt2UjMaŗY9Oe <% ׺geIo,\ٔŢvzո'l 0vڞ;KАfWMBj XMt{f7H#洛6 @XAT!< H3.u] Q kX{I|X:'ABk yAC[V6$Ve)̼[rG>Hn(VI48xD^ ) 0%] ( {[ ܅StkK0;]xuñ> <W۬5e欚br?, 0, +[/ :]#l$a 2E j:9Qӓ<2(gsjwrwᗢ.<?Ӱ'sWv6 ?`0^MA/s^ǿy& 7xs8 `m^2>6#]H4KMbNB쑺WvDRtD7"DtGҨ@}e;KxHA$>Nln; BCYYjYמš?9Z^YCo>d$/Ыʚ?o" UxX2TAIMF*C"e]>W]C(kL8e8 Kv)I8̚wxb%ȉ\d3`ծ2+<Hz?`co=/XI$JQ78Qf,~6`ߗVO8݇wmj dcȲ W[/e($6!51[|' jhTG1ڼ 2o~(p[ ԁj]w"Aq,D68sg FvJߋ68U!>b9Y26HVOpC-dxpk\ѡi-0N  mO}t$ܻ= Y#? CӺ>BQ|V|aOak;ˈKVh:>98PtPޕ EDLGҎyǩf:T떀ayǛQu :8PYמp^I2a <1GZ䭚's`~[*,p~5:]0uE c~&bvPq=dmo'|~}դ!߷pVc8[R6NsK@ 0\ӥ%,߅Դ:cNk9͐1aCy?3#(s $$FE,1|e=_W!y[r$\h#MӰ&oXDN!ΰ\Xnj*ۭTKfX epр[v&!7΢ KEg!bǹ 3 =Tq{#! ĔE ÆPQ#:\ͤ.?PUgQꙩ̂kӲ6sI~tԅB/Pq}qO2dHwEumʰˋ|No@L8޲eDhI{q%iˑ4eZNa;JD89%O_-775 Khf*-ŰA #T4F4v,pb-(%|d|݀vtHL-Igz'MS|K7:գLu%=rH,mhhS1ǝ,_Е vX/%H9:I>i|gQ|K䎑H0:Cڜ%jfЂ.Z1&F7; 44!8=/ᓟi1Q`g]8ҥt͒&%Trf0`c 3($Aj15*901C@0*\_3s촌 E*ȟ&*{gh^cL,kRV,4TY'@'IRaNLJt2tL_>C$ gIjѠEOȠW߄Cs bʁZ!"&׭P`_$f/$dXց(h:[w XΥ)ٽ򅃭X[U?ԡ]L["Bt7!oNO!o(m0 5beM?A_J@ ןH+ Dqf$ ҫ$9 =![pj˰ })#W&́fɯyUi wі~. :sq1"E+| I=M-`(L͊fmu:6; -gx2M`ꊰ(0R?X,E5 e>#E/QAq|^Ȏr.D4m{cM E8z%{tl%Jc-\r%Ql) ![;5=Ի<}1 !ayq%9 =2'[d싶ΛiF5˳:u$ U\j3`k!ܰ[ӻ"3!`0*#“1͍wJuלoC]R1.pnpIcL+bezJ <>YWG}l]'tSRQQQ}KĖ `Qa0ij$7aQZӴn}ࡗ3':Ad*^V0[$'x y ҽ>NeΣy IzBg\[yAh⁻V+fp{OvAU%eaTQ>u # ^}l. Q@_n U0#k3ǟP;;)ZzqU uL4_í}u|["xآhZC-ܢn8Bg05ND>.?Kve 9~ԍ1&p0B_J~s~@#,yw:mǻ\2Y>>*btgس%ĻO75*:"e CndAd;YRyR@Rd]^UV~ Yd<(T>7c=vt y?$I2KOO$.vV iUE#^k{'[mF.D?N%*sϩ#W%QtNC#y3~2rӵoE cŔAu7AN. >zbln]W pSp d3}u/O1:@0gsLy흥6N*X{dἘl4SZJE `(HZjޡO왦~-b&˻Xuv_+af٘}oqMX%ު"Sq*k?4w ]7Dtb޵Rى0wxd˷S(sl#Iu_Ax&̧%g-M_A9t,XGC7<:# gbGz͏]b |j~v,Ed=SRIgN#WgHxrZ&U:T^Rߍυm[?3gYX 9e@.R{ă,.h Έ͢K*tкH`qM/Y NrnMb: 8&|])?9apqZY]Tis^BM.)xL7K/>$=8~8`/˵ 9!1"dP)"EL쟧$? nXso>K&2wK@u Ru1_Mg`ޒK#zPb rGst3a}4+k]Ve_癶ZJVy" 4php|gxi69(',R L'Yh~WUWߋ5P:Wzvl=чѼZXk]Yg3DUg*kLrF),G(gǁm_ PW EƧڬTX!9j% ]ʻ.܆!lSxȽComP-l tg7fӓL-*_1,_>׼6pviD1NƁyF@ljJG*u^d?9kW4VbYTb|5IdR?+rxsR6 QD[.YCۅVfШey~-.oU|r~y_nBruUؤI rLEx uۛ5SW/ѲJ}ۧ!Yޙ7r V6ckJ awi1PX,w:l'i^ՀQ4B韡kZ" SRdCMsrԜ%VHlI*^ao4B2<|(ol!H-կb){G3GOpYO@W:L逍*T<ݟ]%"e{DtC+&x0~, cC= dG6@؇)6x1)^DFw3d̥Iq(=\_2LFkއ:0܅AaA1<Sנ@ \͑|Gsu9Otu)Jrp.zX/ӌM7Ftb~Prݸ}4;\d_}:>W^&fL3gx^dA_~IWl%+:\f0qпtH!V x3/- 4ɷ1 [Fε -rV̦ц/Cݳty yqvt>uW3tߗ.SRBc__$#9Z[=>J䚿Ǿ*IUnSeg)5p=?8nPw e̜+;/)) ͳޙ_7Y,$xs`/5 ec7j½%#$\| V)_rWW8L^#(8U{ =S%o3uo:߰=BS@?6cՔ4U+%t2|q`Ūe2:#)AbM(k≝ԇEPR61We-z^W_Nꆚu{{tO],""s9Aܴ&RdD -$Sdy\Toe4"}έ^9x3`@ "I~tԤ!8.3VG֓?bj3)0Zl $qj_a}`YoΝb^/ vCAT{߾/YTW19=U< A|Cq~.f զTůWLh_&']K&>1?%who4}ffI>M\ c] }%!"`OtXn*H $^͸ ,;Ddh) |g%9GNVVHw(PN\1CM:KhSalĹ1ЇG+V^y$흇L)8, -AΔ!Ѵ.]T?k7߃z%-tw 5W"7wƫ*1 6H׶cS}i#ӁUas']e8*8D LĿ׈ Lf_*GngS]P "Jhi8۝q{OiPYa0w馑@s:rL#bWh;Z$/n2KжN}$ͧ} #i5lrRZiXwݫI<ķX{p[,V]WcNbWc!n vF}F1cwh}huU{{: ;"ل8[htmׁaU?ۭ>m~xiȼKxBgna2&)vV& En`HTbfRGjv,Mxyic[i%Bi,ǐ!vG}5a/fvzr52_>ʨ.%uSgz$Ɣ<!]1o)ђ챡KƐ~(Ȯݤ PmUO- A>\Ml]Bס3LVH{Ա)rAJ.Kg}k >!+:th)x+3jjO1\ͭ% yz2HK)$.O\ WV)̸MB4hD⩩sn (wiD&@EM,HxJ%@Q?{0 YMŕ@,ʧ| ۪r. $g۸U`EnCrJw}dkFET>Y/pA[W}Է$?i=nUs?蟒0QUxJ=zjX  X@ ? Kɞ)HfPXS/zqC-Q|TW~!rrTM~ ',pډ+,;,JX+FMqҢd 9@; d.hA\Z8C9>Hh IW[ 9}~Z+if˟K kH^{ g YfS$DkGP%2ϜoE~z # TA $m._ejQ"R:C:U'eʀ5 F\V5,*"yXJxfBwȆںF1 Ka{Pqe/)Q vpX(g#mjB+[Xܮj} 2FC]D0+BĨϯ9t@P-?!vR> }!3"/V􍚙WpH }קLfS _HĚpxq|KRŵ5!zv,&|+_J:-.dvFYL)4$~W S]nȔǏO^)*ر4/\,5-hK9[d;MGߧ'U pq:%>@\[#TLZ~C*Ǚ52ӼO|rJ.~tΐ*mL _hHz΄ەY&D@L]kpOt,Z@H\ƾnhݝP6prC)3\f?Bk?@}gQgG|%4X}Óm6 VQBpz r"sˆ'͔C*[#a# D%uArw> ŊXB<7΃PjYwbr-Tn uj,mA^^A<9!_Vr+ҧ/KHW|wH[JxLn{pʟ*yX3]'Y2hʞgVu rK4; OZ-39ҵX+(>‹-%}1l :0e //^s^BXm Fԣ/L%s$erw#twANKa~bIGjB# $+I;nMkcAFjЎCV1Yu|lbر!EJNe7Ӽ$,*.h)ˈ8U ?\=Lv{G3,L78dz E$,/+B#o^!حUqk=NQV<HW EN_uʣ3gu =~bS8yf%R+oߧ1+/%h[4[lÿ-F ܝyySԢi Lwaݺiİ/LBvKXlZ φ[bo1C6-M*71&ans^r]2Ri𲆦sB vx^x^:B-?TN{۱1Y` )D7|0(熹_؇#Ь I7w9ׂC&IDi_$Z4H);L 0Jيcc%pgSU3?䖀cj@~[)J2sJZ?@ Ͱ&Hwt dL0e4 rT]BPEz5z;v!ッ| %>-8VC >xpZ,7>\T\( !@s!2Qk*n5(ntV.aUik.'/ zMq;tY9ёóM }2lBM~M,:38Bdy4_ujNQ4S}T~x2բ4:ZjIB MV'AǤ;"yVs)r|?xC"Fwp=' a^(c/w: :={X,˒e׍qML@k+f2V&si`-@&!_ JVtσIp'}dT<{L}V%DoJXV̑ӞG> _Ujo(J*k7笉W!$馘ϙEP488|J'Fg$OaӪ5u쓛)bWurd*lu7}Bů(~Y'+E%3W[W=Z}Qg|/y෪wPj8&?&'Q*NW[f|*yl-ow?Q/|fMvT8xF}ƒ]\!T;q\׮\,̄|a^!p 9awzNQ#Ÿ*:p-(4N9{f;u[\ M"T~쉢A&A5sM1cas'墯,ܵdJ5N1XKMI0.ry12"JX$%Ȕ npM[%\gqLPd#,]Fmguȿ^FW<uzhg5=#[(4" zGv@JV93΀UCqh^>XK|TCjo22c>.a~Hi ,HҤ qDO>ۿ>['87ܨl PpнLoE`LwzYsEu\O]Ϙw"UԣW=%/utuM3h@a6gM.'WvY@Jz?~,ǟV5 tp=$+!4K?ws]Wgr7ăIDH!Gh/c_>naaM+e`(ubd!$D&Kѯb?"Gnk;z@N9w9C4M4fZh3GrU}u7lbºr'QHE%K "I,x 7ys3M6y?c%gTB&bJ ab.ZDqU<1ny_߱b&=џxW@[^|jΦg s KτP =/!sT^ѯx;qB i|۲l˯8MIW-#\ BA< {|$MLj/,4Z P.ʍAҁ؇*h2Fg{DzA@^KЉ: mJ:-g UyCX7?|m҂'nbtuyJxn{PR@ f: oZe)&1{ءY])7=v46]!14<3I\wYpa ɡ Iv SZ ]U 1 UJNE%VS;UDN\3& +()Ao!7cp`ÃOa}Oݏ:=[ccM0cR(l䓴⇣紩hmc :rgG1 wfgB5M!xlH2,<:R[ =TnLEqx+ Y!Q,֖al.*kr{y/K,ݍ'Tda )[L-VpCv=EdE6z??H;ma=h+&J]:A&{#Kdo"WWW t5 xTR\~.گdV\-i[7Gq-^9NsK?^n\;MC,6"Bt{8* 9AF I$҂ A̋ɶf|P2V':FHDc>jdO6@~8ff-ٔDž~dM z'Vq`Dy7fFubʖ}x\\JX"~i'cOFі>z?<4j6.p˵>Ao[ZHM~qԒխ<ԁ?9pTM 69;S17?w \zd\|vngi^l "i+jHFD-,>,MuCbРi8fbJyȘ8KQo(K`yzeYBr;:Dm( z.[@:( -')I@w G 4TbqZe8iCaɶ%"y"!,?umsEʲnHݖ_arG!NT= C#ЩҚS_ɡԲw6I!a&m2LIM*&jY\rəGw.arQ4f=:Ŵfie( Z>\[&p' D Xc}{rx^,s2L;٫64A* !3KJ3m"Q/ev)iޭ{lw|x2^o@"u <ԢUqmWhzc(٬M>ލO$\93bO&c{NUV,jh.ovGaK2Gr$%ߝ1'KagCSB|=sgae+`唷8Rq\ auk-Ia)M|`o.E{N,>%a=?m 閚2ﯽ{`Ar? z1aEnԻEood2=G09s)rj4SZ$Au=B7v>0Tzңva=Bj z_aN[(z| RE)Mk-\Fѡ4g,T[roOcN#c a`+9[u^t' 4s͂Tn߷c2g^$22)hs׷w4Rtx )"ˢ^GZ3َޗn9ˀ&7a=>"(pWel靠G5~ 2r u BpqXEh5&]>ϓMBy!7"떜x(Z}7J(0Xe bd#l+C5&t ng8G%LkV pz q:^ WvD|,sKߢ^@;{Cz@y*GLR!âAI[Hr+,UcvU$G5R~|ͪuO@`{Z0`s,0 fDď!f`SPlo3X*!fH 0ݧ{Yxt]p~Xt;K fVQkG/ypHĿeSm) c_y/'K{91ԉe:>sFi;(]W`|x2C@ !>$R2: Oč:%Jr(NiUf)V{{n9ec;]G@(\WNyQ>ic0 |I:r/!2O*e~Ѥ\- }$FQgEV2>y" a0&z-HY[E]q  2s-P 6x m:Yo_pvxuݖ#/hP*ov`aɂi+Glt(x+bCq. }_ .!GEB?] %twY \4Bh]oN׌86C5$˃XQf J-,kWakbcۣ}w!(_/ZrPR9ˏ<&Y{)w lj@>,y/Gةdo2o g]4o"j|Qw NM?Q{-'b`c)Jcb{2 a\9[$Cf9 An` yȁ/nGRbZo}Ok=6a޾1BE p͠{ ?!eDE]0ܻŏ.M/70h`':m dcNt.yqo* #9L&NHlW6k.YWuc_wЙ79 uga\lvi< ֯QaE* 3!? ]rguLLmphuJ\{J#ehz7.4N=a=>L 8K@-+"W>+13w̽9='|pGgpQcarL: # rcu3Tgj)b?'B-IKxu܎Tҡ70SR(aNo!Upjқ\{v^p=2]W ?<3s*ư88Rpw*30v+ !}tNυ3,esU68zK7/uD\- xD"/ׯ9$bڄ/"8[M~O\ŷN"E6{$K#~ :~HKPK,mqͯԛ_zx#y 1')ID#/bvnNGpKP$3A@C.!3I <1֝]"1p /= Tak|Ȼ);` Q [<D*LO"9=]7d%V \/:&n r0JoBoBG0Ϊ3gx+*_iQmCC8Eg[/GX4[!y~$.T$.+C}^Nh.WhUӋYE ɛ׾9s i34{CV.+R|S*0S4{a`Rp 0 %XH$a2Td6bB2vb#e& :]w!6o$reyWzT2T@byb%㨲rloLG0IKje1I|]u?pBRCS 2Nx]/Vh5RnY d[m^Jl˅Me;cޤE^83Yړ;fN*~Af8 ]zL;? '*-Z/5ݽ=zPA#bGi+ID[<jY.aƱqx4+ TWa)^HYԬ9_tF0xUIXsj}kO'wiM:@huJh! vɈήqψ> O=3՗ς"a%#RA]]oO/=(p-}ApyMа@ ˵>"? 2^2vXhZ;] /O\3q=je!W ^7e{o+ ׂ*HVE_ɡ䥨g0Yw=|ty.4W>`CT63sIv#3ᅧ4?CN*NrtstI~vi*dY6FB:/ >#e0eRZc"nѬƿ!n4KGa (JA ,{G$#cQݦ`504X x Z/zI(Kh PA~T pP@F]PVay8*WD}&Ks4 ^hUVn(^\QOۮs8E(#1ޚl PB*Vh&xot[W֝dT968 i9.z!!].l[m&~/1F"VV DU} z qQrϭ6&O+\T-B}܀qD-A0 k]s)\N|9H/Ugcs,ZPaRK8Z /) HExuɢ8obs,/%(,h.js&8`mI#B@=!ӆ } jSYF"95gě+h⿾hjymo&_0K9"f?ͣ=ˋd&0k8gc]ļgQEAN(wHvrRmG@䍙qήhnste{xU!3ԕBf8;fV2gu Rr1- IL^_U /Oqt(U(4CWN&=" M9p rCml7/*@H&{W'φBS!T?`^>/^N8!69.ǞU<(Q*˰[.u2ܨyXҗt`%b2b99 QjU)$OUN}pw1X){WH3ٹg:rҊL: =j$n"ʔQ.GKsՌGe[kWzx PN ?PR%A#}axR537,4m+ǜ:s-50Jj;:u ,A\TW2]侱ِuh+c$8r|qByqv dGU`(En֊=G4C iEd~v`po,:Kot 0jkXpIХ$@vqy(PUÆWlɴ.f&~cu&,% 3=խVnTM3Gic]?#UNoDT)#R_  @ua4~CKv 7b8͌ )b/^4Cp: ugQi_>9ڮv[QZASMy`O09V?AmiE{+؂\@˧D{$ʟ]³LR(s"e)"th@g.@d=膕ݯ(to&$,7`ZQt+*y"4t+:sD {a7YFݙڶ!kCRE^ĈMr`G%{,z@DLPC#a&7ɷ q6ITq J.iϯ򽺟|󒁦FGaO!;:x6'*EGq`*~EskӦ@Yz1ܤy/`+' :߰e/GZuAu6/.h3wU4~({hՀZV4ßnܿ45f}Dtb4cr"6 ^xt1jYm?YSOXX`\_,P;ҕb<5QbOuGrMZVNӇG\jKR%bnZjtSKۼ禣Z͓\+.И >0'n4.NѤq#D"csuҫs$ Dm{O6!D.= ,nuH@a?eFAx5hAؓ}Pw9=x_W& ŸD~e.0)Jr1r¥u \罃&A֒Fx8SYaXIL83,51hY'q &9ŭ~%&=/ȩ7iX %}Xޛֵ^V %AQ*3e Kd?qib#:#zf]I/j-_MHOъo -b/%,t?5;_Q0,Q^x.X MG[agf^vdń /,# @ě6xwՕ4\m%Ӥպ$(8;?}E羴j?O iNL(ӅAyQS׆9ғFJk]7,o(']ln8r8J͵9 ocv{ +`am(jJKF^2B3LΈg1 I]bgSxΞ{٪i=][d;rw#S\@ o/_?N,^eNVZ0#L@sVtبN@_'/rU5$Mc?99^Ė 0xٕ+ N \^2! DU! Ų*IXeB;x J"'}\8R<2O252\0@>_ʓԈ^̊59FQ̈b>ն;J[3Ek1J+={CcVBѪ_H"X륦Z8 y{=1o)TΥ4c$n?{$*YTʊ D ?] [l,KiS 'pH]VY͂D_O.>(]Wv<"^܈IϹMI>xu(KpSؗtV۟p42\Zp[]liUlbe's+ȰKpNEE Rx3al3Mʥ.9tqj Q|+iC4O2\Fom9MģĤPf)7mØZ9~;?LfˏXƥh KjCupQ_`t^Lr LOt(X N)Ž =cէ]]B2zQ\h?}rlSlK:VtK e]~DTH_f`VH9hjuQ4EnVb͙loIug%0=[{2(YA3xq![ & F{>%Ŭ\%!&^_n9X_=%fC]5*nTPNd,y 39Dd[?NOC3LkӍ(_.5 [lTr 1my~SHC:H<ێGC<#o2FhS7L_4 [HPc.(T5ݣvŨ[ia)SWw8u1ϐx/vͻ5A^3Ӌy͆p /w (wjxwP:k4S bAA;ISfhrS.ƨwKW3( %K$[7$U21Z!f>gCxUMN}+51T%ۂvW[(/jH~i/5qoI˫*X,{agF^u:jp|4GuHbjX/w"m}ρ n\SGL]Oa/@H4m ߫Q;~uI{`WʚP`ffn'6[ X˖?!A[E0Uԟ'Sʼ ̨ >ԙ Bo鮹=.&0G:|{7&fP|Cz*M h~썅 dXăÅ'jAU*H?*$싨RdŜGl+w·<cY|)f39/͍W}ɾPhwlM?1Ξذe %Jn+`wױ̑pzEnwC#N5Elp!3G-]>ej\fQz9%%{tPyԳjE9rsK85?\ZeyR|*XsUnǤ#O|/G"N_4rlg̞F47yT9IjzG,бm: L\ 5!RУ'1KbJ^qh`Q`9GRi;+@Q'RJ=>qOyB^)d-`|!@vzfօ6r8>7SNzd2;Bm'I/j '53޴H/Q|W_ZxՓ["#٠%= }J'@/]A%X@0ΜC+QHn(2N.ֈOܵV jx0`]Z8z&9 BoFjm̸Gb"B+g<Ǟ~wlp)Soͣ DcW/J8qR_ld)2u\G{x x |1]8-}X6T3TxWYax@[j3}'*C]TC!9qabk6: ]>`592YbqKg6wįV}t#K #j`ܧZV$F 960}r9pȊSfE @~jD@7,ExaMLtCT0)or+ ||J(O':d'wwpcWU¶rL/5&nA +cR)މ",Vp|;#tɹ'bk3D-c BHMݍw93 >EZr.ȼmS ai.791[%\F' Cz)[$?B(` Kɧ ud'1+J0.DAz V8@O$f9nьgl}M/9ޏ֑ήMOnHW4 i.ch00_!OZ_2*rn>ݴ$3*i$@W! |ЇFnD '3ڝQlkW=6ԛY-Rꤠg;|O1ȀYa-֐;+Vǧ~d]]ۏhWˈ¶"OX(|d~*{+X?Ϻ\GUż} `g3 %2 s>wle=GӑDtC~7,'6(` @]B` #c>9dMx㓋ֈĿEOoX D}1ȅYE ؙHȭՇMOJ}x뻞_Zb$4Ԭ`>@#uML3-dR`瓄&Ycj `X+PAz¢^jb-PCPoN4\b)io5rR$idܴ )N&*Gg 5+bgFMCwO -[<%{V^ve?|dY<KTtv{52<&h*Zpx !W/m7Am.LeJ$Oks*(Nmly]ԎGT&Jҍvz{ IoKxxu>l(/" iۼ(N9TYA;l],vagqƶm9cJZ}*LN+_m8oΪnL6m֯I7JS(D]/~Í`'_稃~&7aU.F >6V?G}H?Ňh0_6Њ"Lƪ͏/1{ EC Cl,}Pw;1:@Eէ7yPՏjW 4 W>b !A; hx I^[orAY=p\' j-dhJ-|fndt0ff׎ZjD/nW6{qW%ٱ&"U`2h)PTa1Z1ӚAՕ&b.d+8oҦ ]o24 \HB񹎠ю\ zs-#+{16b-qY%AʨNs~(&E<!? GfЎ,OI/IRd@V{wJ qBI)Svc&GCbŵd@]BPA7,/$/Spp=NII,`Yơ,kg Ӌ A029s >E8:6B2qUw#</nX[KZ2N P!BN'Z'[ԙK2ɓKe=6=;ũA|Rk,afݜ *9~l5Կ`EeW-.FǶ'솕.]lͨz0H.=znjơ:rU`JRP|ʨ`DW _weBs27LbHK|zx;ǖ>暧½*Am2޽sOj:C=E8_>YU{&خki'~wCUo0EmsL opӄ#}'-5Oԅ%VP=8R`gY* V$wrm\m G ;#^WBncW!#~z])-vY ^!B:xS_y|)VئJrUEMLI~ps:-k飍1[6c+y˲2SȽѝ!cB3Dچ\HMsagC!|zr kh]JkLq~i$Mxgi 5q.L(nSP-WYL;$sހs/GA(Xl.Bi>pigt%}JodeR&^=Ԁdk7E)HiVX;-@T^&QʕWDl8~>inLP5.ߛr7")ɒC{ "yQYCݤr 缁8Eg@G'{ b|"3l+!G!UQE9  `p' ͏CТ-~M剛*cx Ԥ`3Mo@,v\y*fǙl/%)IwNcLi}ii&27T?1lиɛkCt>?O 0|fќMW<׈-ͤHҲ>kťQ[|)&2wud} ^DntM|+-F),?uSO I@? '3596CӇBgCisK9kV!~6iH'+w?M|H8;z ZޯO181&u?B,m0ĪqcfK~1o[T!xCp= |:=蟶]BtRR.-LG)Ȉ QD"n]l;![6˜2+ߨ bk+Bgs}H9]{jZ0G ^P0'|W`C1EDɾ BnB1d}ӅM5m%H!? \:: V5a&$a֠o_69j́ n^s}{Zr4_ RV:O :k"/:Bt EDZP)m A7RgՑaU~s[#Q@NF .h.㌙yV0LZv #uWsRRZ܊΁CdOgn@g뗦ȌFzEYðր665#U#Ɯl)4oI.@GNa"\72,Sɜuh3rI\(hj 8-׬i{&k6lYZ2͡V9u<`0Uhݒ+;΅Ө[e)ػ==9EWEerɣHŬ@D(J[X(^w8QP{Q0'–)ɿlGo;Q\ GԿ4!pnRJ۹W-vkkD1R}[6U@,la_S+E=)%eY%zH-b_XUe_ ZtEG;Y8pzOG3N%_GԐFXQz8vإfy%1Yyf{ao7*:X&]b+2Fla}O[?BF%>n1YDk,S\ ֑AF5Qȩ4qwL)+v[@wT߸Cl7d,hk 鬒ȴ5!BWjlm$G##0nҞ,ޗ͵#ʠE)1^ I5zY{5o9-Q:hgm;GYlH8e;G%%z hmbaM{6il_[0;axl@W]$q4 h\o ,ЦHٲvOm+:E 190\J@1Nȫ>بc}1nфk_m!DH'bǾrQ 8 sxPEŪhrI6 IZ3]OuhSV4k w.r嘗ᳩ+VQ])ǧv-a1OwX$r(trbƎzhS_c9Z3 '+t{%^"ƁhkLp=ۓԽ_| 53cubUu f+[82Sw ?Xx^/0V7*5ԃT\ƷIv/ ȴsNC5PiMa q²(ֱYX`S8t'CVMb$I:lITXZnt{2J ?VW$b:uEޣ4iN7$+::9a0DZ[/76 ;4osҰ0vnCX:?~&t$HlWgşa0"TeY8^2RL5Ƭ.=eL^:v}*gE4F5U60{jhi'7vnqilqs-nAOwB9蝲H86w%5[T9o7ȅC~2s@XooM( Nc0V7^r!gЪٛ H^i:1נ&9p!$!+f\CPRWv/*R26f~`ҵ0cW>.Y.F\0&GxT)ɕ>MALKVXIjy =adS'}t&.$\B<»9bǠ+s+22@0[!-vgɺZ\I#Nצ{lx+On4wlbLu\)sm몱sŠAVq"rëh$rl̈́9sO>iA_phr7A|i1 Tx#fL@+@]/"1:D^ն,c񙋏Jzj6jѓ !0kș?H>tt=q0XEIx쬮[WECJ9 URتljXpVZ/N<.{+E/=#QJD4j}by#L.߅|z[0pWsZ*S8OD?`.yExF$eݒ63^|>p2RBdg zN|߲ .h~ǝȐnͨL"iej-Jr(Lq @hbj~R[Ц;/EPRˆ>XLAVKDc r >QpݣxDm8u3؛E9KM'ꅉp^Enbn*:u9Wc  D^vX=2"AJuF* ^Y VXϸ&dޓ^!.e-`}OYO%@Dy n_{+ .DAJBu"NX*3%fG4 $&>B-c'K;y7-!ˢzp}ebU{ny9>aE _ۇ:&W"@7654ǒopU~z%u^@JM^ۥd@^3*w!#+kZ:Pܼ[76U33܆5O17QrX]sѴÀCW*V.ug`wz! e_M$"Ƹbgdh͍q2ªU euPsIX9~U=,S6GTsyY,KbPxUE%MVkS#qNi&Crl;9D>i52<&4ݍwQ9\ /_[u(bw\&= jK8Ax|HWt~_0|DO N;nPkzH Pψ-,-*2!9l#!+C HI4Ff,UڠJFo?d~  LܨR,SB,>h7&0V, HP 8OS<5"nv/N/8aWEDY҈$B MVU]=vPwۘYA`z`pY ԚgCkjEFaбMC:m9>!Ƀ})6FNqO%iPO?լ ḶU[} kC1 X)niM9a-4ٴ bRbRcKJ@fZ&3b$9`4pdJڪt_mJJ2+Q@pA#*5̤vPB n߶ YZ