sssd-common-pac-2.5.2-2.el8 >  A aFU] d7aJ[wOqxfx (l.i]#]͑rw0w|~G~ ¯TL_4kB"OvF]F~Hɑ #ALaP@FWUD7Lg2T-+{"ѰyOȵ'hvq#Ѝ$ vgupQI2MӆMOI[4]' M@57yԵJgڈ) MQ0Wpe983edf2347f21d15d7c50855792888c0822acd9ac71f0d9d28490664db5299d9f0c9cddfe6cf697d39fac2a2de173294594cc45PaFU]BAxaQ29nz?& tb(fIz!1n퇆Ba'ڶnu>9ΔU Սo_JeI4BߵI^R,Du|Rx ;,yŜػ7y 05\\òjRv1jՐ7W%1mmd"4_kIHSũZT/%Hw09B;gnꂯ(+xqrւVKR~a 6VZ݀rP)ג8 qj!;O[J.w{1V#& J+L soG;4q^6YhmEecTShm}/DGiڪ&ظU mimb}i?F,;_: 9uKb Fl%%m6BÝ,"^d{ \ie ڄ(*zw5Ow²N;p>p<gh?gXd  P 'DJTl x   " Ph55 L5( 8 9$:^GbLHbdIb|XbYb\b]b^cbcddedfdldteue ve8wfxf4yfL/gg ggTCsssd-common-pac2.5.22.el8Common files needed for supporting PAC processingProvides common files needed by SSSD providers such as IPA and Active Directory for handling Kerberos PACs.a{x86-02.mbox.centos.orgCentOSCentOSGPLv3+CentOS Buildsys Applications/Systemhttps://github.com/SSSD/sssdlinuxx86_64%bXKAAA큤amamamaOam`5eedef7c04b1415c0d8fd201b5c40f055d58f62a306172e21b975ee22c3a1e988ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903../../../../usr/libexec/sssd/sssd_pacrootrootrootrootrootrootrootrootrootrootrootrootsssd-2.5.2-2.el8.src.rpmsssd-common-pacsssd-common-pac(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    @libbasicobjects.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.28)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcollection.so.4()(64bit)libcrypto.so.1.1()(64bit)libdbus-1.so.3()(64bit)libdhash.so.1()(64bit)libdl.so.2()(64bit)libdl.so.2(GLIBC_2.2.5)(64bit)libglib-2.0.so.0()(64bit)libini_config.so.5()(64bit)libldb.so.2()(64bit)libldb.so.2(LDB_0.9.10)(64bit)libndr-krb5pac.so.0()(64bit)libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit)libndr-standard.so.0()(64bit)libndr.so.1()(64bit)libndr.so.1(NDR_0.0.1)(64bit)libpcre2-8.so.0()(64bit)libpopt.so.0()(64bit)libpopt.so.0(LIBPOPT_0)(64bit)libref_array.so.1()(64bit)librt.so.1()(64bit)libsamba-util.so.0()(64bit)libselinux.so.1()(64bit)libsss_cert.so()(64bit)libsss_child.so()(64bit)libsss_crypt.so()(64bit)libsss_debug.so()(64bit)libsss_idmaplibsss_idmap.so.0()(64bit)libsss_idmap.so.0(SSS_IDMAP_0.4)(64bit)libsss_iface.so()(64bit)libsss_sbus.so()(64bit)libsss_util.so()(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)libtdb.so.1()(64bit)libtdb.so.1(TDB_1.2.1)(64bit)libtevent.so.0()(64bit)libtevent.so.0(TEVENT_0.9.9)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)rtld(GNU_HASH)sssd-common2.5.2-2.el83.0.4-14.6.0-14.0-15.2-12.5.2-2.el84.14.3a@`.`@`[` @`&m`@`x@__@_@_#___[@_?@_-B@_@_@^@^@^^(@^oj@^ku^Y^S^J@^C^0"@^0"@^0"@^@^@^@]f@]f@] @] @]+]]Y]Y]|@]o@]k]k]Y=]Y=]Y=]Y=]Y=]M`@]M`@]M`@]D%]D%]D%]9]9]]]@]@\\`@\]o@\\\\\\\@\>@\>@\>@\\\\l@[Ѱ@[^[[ā@[ā@[ā@[;@[;@[;@[;@[;@[[@[@[@[@[@[t[#@[#@[@[@[qr[;e@["XZZ&Zw@Z Z$Zz@ZyZiZiZWQZWQZ%8Z@Z@YZ@Y@YYzYKYyYw2YRHYRHY@X-XX~@XO@X}@X@XX6@XWXOXXWW@WWW@WWv[@Wi,@W5W@W@V3VVVvV%@VqR@VO @V<@V/g@V$@V @V @UpU|@U4@UUUU@UzUzUzUL@UL@U.RU@TTT@T~T8TܕT@T@TTTq@T@T@Tp@TA@TuTto@TG@TD@TT @S0SS@S.SP@S @Sg@SrS!@SkqSkqSG@SFSCS!SSRRpRpR^R[RSRNREs@RD!R@R@RNQB@Q@QQQکQQQo@Q)@Q@QQ@Q@QbQbQV@Q'@QQQQnQZ@QU@Q0@QQQ@Q@QQ @QQh@PP@P@P@Pz@Pz@PqnPl(PaPaPS@PH@PDPM>M2@MMzMx@Mj - 2.5.2-2Alexey Tikhonov - 2.5.2-1Alexey Tikhonov - 2.5.1-2Alexey Tikhonov - 2.5.1-1Alexey Tikhonov - 2.5.0-1Alexey Tikhonov - 2.4.0-8Alexey Tikhonov - 2.4.0-7Alexey Tikhonov - 2.4.0-6Alexey Tikhonov - 2.4.0-5Alexey Tikhonov - 2.4.0-4Alexey Tikhonov - 2.4.0-3Alexey Tikhonov - 2.4.0-2Alexey Tikhonov - 2.4.0-1Alexey Tikhonov - 2.3.0-9Alexey Tikhonov - 2.3.0-8Alexey Tikhonov - 2.3.0-7Alexey Tikhonov - 2.3.0-6Alexey Tikhonov - 2.3.0-5Alexey Tikhonov - 2.3.0-4Alexey Tikhonov - 2.3.0-3Alexey Tikhonov - 2.3.0-2Alexey Tikhonov - 2.3.0-1Alexey Tikhonov - 2.2.3-19Alexey Tikhonov - 2.2.3-19Michal Židek - 2.2.3-18Alexey Tikhonov - 2.2.3-17Alexey Tikhonov - 2.2.3-16Michal Židek - 2.2.3-15Michal Židek - 2.2.3-14Michal Židek - 2.2.3-13Michal Židek - 2.2.3-12Michal Židek - 2.2.3-11Michal Židek - 2.2.3-10Michal Židek - 2.2.3-9Michal Židek - 2.2.3-8Michal Židek - 2.2.3-7Michal Židek - 2.2.3-6Michal Židek - 2.2.3-5Michal Židek - 2.2.3-4Michal Židek - 2.2.3-3Michal Židek - 2.2.3-2Michal Židek - 2.2.3-1Michal Židek - 2.2.2-1Michal Židek - 2.2.0-19Michal Židek - 2.2.0-18Michal Židek - 2.2.0-17Michal Židek - 2.2.0-16Michal Židek - 2.2.0-15Michal Židek - 2.2.0-14Michal Židek - 2.2.0-13Michal Židek - 2.2.0-12Michal Židek - 2.2.0-11Michal Židek - 2.2.0-10Michal Židek - 2.2.0-9Michal Židek - 2.2.0-8Michal Židek - 2.2.0-7Michal Židek - 2.2.0-6Jakub Hrozek - 2.2.0-5Jakub Hrozek - 2.2.0-4Jakub Hrozek - 2.2.0-3Jakub Hrozek - 2.2.0-2Michal Židek - 2.2.0-1Michal Židek - 2.1.0-1Michal Židek - 2.0.0-45Jakub Hrozek - 2.0.0-43Michal Židek - 2.0.0-42Michal Židek - 2.0.0-41Michal Židek - 2.0.0-40Michal Židek - 2.0.0-39Michal Židek - 2.0.0-38Michal Židek - 2.0.0-36Michal Židek - 2.0.0-35Michal Židek - 2.0.0-34Michal Židek - 2.0.0-33Michal Židek - 2.0.0-32Michal Židek - 2.0.0-31Michal Židek - 2.0.0-30Michal Židek - 2.0.0-29Michal Židek - 2.0.0-28Michal Židek - 2.0.0-27Michal Židek - 2.0.0-26Michal Židek - 2.0.0-25Michal Židek - 2.0.0-24Jakub Hrozek - 2.0.0-23Jakub Hrozek - 2.0.0-22Jakub Hrozek - 2.0.0-21Jakub Hrozek - 2.0.0-20Jakub Hrozek - 2.0.0-19Jakub Hrozek - 2.0.0-18Jakub Hrozek - 2.0.0-17Jakub Hrozek - 2.0.0-16Jakub Hrozek - 2.0.0-15Jakub Hrozek - 2.0.0-14Jakub Hrozek - 2.0.0-13Jakub Hrozek - 2.0.0-12Jakub Hrozek - 2.0.0-11Jakub Hrozek - 2.0.0-10Jakub Hrozek - 2.0.0-9Jakub Hrozek - 2.0.0-8Jakub Hrozek - 2.0.0-7Jakub Hrozek - 2.0.0-6Jakub Hrozek - 2.0.0-5Jakub Hrozek - 2.0.0-4Jakub Hrozek - 2.0.0-3Jakub Hrozek - 2.0.0-2Fabiano Fidêncio - 2.0.0-1Tomas Orsava - 1.16.2-2Fabiano Fidêncio - 1.16.2-1Fabiano Fidêncio - 1.16.1-3Fabiano Fidêncio - 1.16.1-2Fabiano Fidêncio - 1.16.1-1Lukas Slebodnik - 1.16.0-13Fabiano Fidêncio - 1.16.0-12Lukas Slebodnik - 1.16.0-11Lukas Slebodnik - 1.16.0-10Igor Gnatenko - 1.16.0-9Lukas Slebodnik - 1.16.0-8Lukas Slebodnik - 1.16.0-7Björn Esser - 1.16.0-6Lukas Slebodnik - 1.16.0-5Lukas Slebodnik - 1.16.0-4Jakub Hrozek - 1.16.0-3Lukas Slebodnik - 1.16.0-2Lukas Slebodnik - 1.16.0-1Lukas Slebodnik - 1.15.3-5Lukas Slebodnik - 1.15.3-4Lukas Slebodnik - 1.15.3-3Fedora Release Engineering - 1.15.3-2Lukas Slebodnik - 1.15.3-1Lukas Slebodnik - 1.15.3-0.beta.5Lukas Slebodnik - 1.15.3-0.beta.4Lukas Slebodnik - 1.15.3-0.beta.3Lukas Slebodnik - 1.15.3-0.beta.2Lukas Slebodnik - 1.15.3-0.beta.1Lukas Slebodnik - 1.15.2-1Lukas Slebodnik - 1.15.1-1Jakub Hrozek - 1.15.0-4Lukas Slebodnik - 1.15.0-3Fedora Release Engineering - 1.15.0-2Lukas Slebodnik - 1.15.0-1Miro Hrončok - 1.14.2-3Lukas Slebodnik - 1.14.2-2Lukas Slebodnik - 1.14.2-1Lukas Slebodnik - 1.14.1-4Lukas Slebodnik - 1.14.1-3Lukas Slebodnik - 1.14.1-2Lukas Slebodnik - 1.14.1-1Stephen Gallagher - 1.14.0-5Fedora Release Engineering - 1.14.0-4Lukas Slebodnik - 1.14.0-3Lukas Slebodnik - 1.14.0-2.betaLukas Slebodnik - 1.14.0-1.alphaLukas Slebodnik - 1.13.4-3Lukas Slebodnik - 1.13.4-2Lukas Slebodnik - 1.13.4-1Lukas Slebodnik - 1.13.3-6Lukas Slebodnik - 1.13.3-5Fedora Release Engineering - 1.13.3-4Lukas Slebodnik - 1.13.3-3Lukas Slebodnik - 1.13.3-2Lukas Slebodnik - 1.13.3-1Lukas Slebodnik - 1.13.2-1Robert Kuska - 1.13.1-5Lukas Slebodnik - 1.13.1-4Lukas Slebodnik - 1.13.1-3Lukas Slebodnik - 1.13.1-2Lukas Slebodnik - 1.13.1-1Lukas Slebodnik - 1.13.0-6Lukas Slebodnik - 1.13.0-5Lukas Slebodnik - 1.13.0-4Lukas Slebodnik - 1.13.0-3Lukas Slebodnik - 1.13.0-2.alphaLukas Slebodnik - 1.13.0-1.alphaFedora Release Engineering - 1.12.5-4Lukas Slebodnik - 1.12.5-3Lukas Slebodnik - 1.12.5-2Lukas Slebodnik - 1.12.5-1Lukas Slebodnik - 1.12.4-8Lukas Slebodnik - 1.12.4-7Lukas Slebodnik - 1.12.4-6Lukas Slebodnik - 1.12.4-5Jakub Hrozek - 1.12.4-4Jakub Hrozek - 1.12.4-3Lukas Slebodnik - 1.12.4-2Lukas Slebodnik - 1.12.4-1Lukas Slebodnik - 1.12.3-7Lukas Slebodnik - 1.12.3-6Jakub Hrozek - 1.12.3-5Lukas Slebodnik - 1.12.3-4Lukas Slebodnik - 1.12.3-3Lukas Slebodnik - 1.12.3-2Lukas Slebodnik - 1.12.3-1Lukas Slebodnik - 1.12.2-8Sumit Bose - 1.12.2-7Lukas Slebodnik - 1.12.2-6Jakub Hrozek - 1.12.2-5Jakub Hrozek - 1.12.2-4Jakub Hrozek - 1.12.2-3Jakub Hrozek - 1.12.2-2Jakub Hrozek - 1.12.2-1Jakub Hrozek - 1.12.1-2Jakub Hrozek - 1.12.1-1Jakub Hrozek - 1.12.0-7Fedora Release Engineering - 1.12.0-6Stephen Gallagher 1.12.0-5Jakub Hrozek - 1.12.0-1Fedora Release Engineering - 1.12.0-4.beta2Jakub Hrozek - 1.12.0-1.beta2Jakub Hrozek - 1.12.0-2.beta1Jakub Hrozek - 1.12.0-1.beta1Jakub Hrozek - 1.11.5.1-4Stephen Gallagher - 1.11.5.1-3Stephen Gallagher - 1.11.5.1-2Jakub Hrozek - 1.11.5.1-1Stephen Gallagher 1.11.5-2Jakub Hrozek - 1.11.5-1Sumit Bose - 1.11.4-3Jakub Hrozek - 1.11.4-2Jakub Hrozek - 1.11.4-1Jakub Hrozek - 1.11.3-2Jakub Hrozek - 1.11.3-1Jakub Hrozek - 1.11.2-1Sumit Bose - 1.11.1-5Sumit Bose - 1.11.1-4Jakub Hrozek - 1.11.1-3Jakub Hrozek - 1.11.1-2Jakub Hrozek - 1.11.1-1Jakub Hrozek - 1.11.0-3Jakub Hrozek - 1.11.0-2Jakub Hrozek - 1.11.0-1Jakub Hrozek - 1.11.0-0.4.beta2Fedora Release Engineering - 1.11.0-0.3.beta2Jakub Hrozek - 1.11.0.2beta2Jakub Hrozek - 1.11.0.1beta2Jakub Hrozek - 1.10.1-1Jakub Hrozek - 1.10.0-17Stephen Gallagher - 1.10.0-16Stephen Gallagher - 1.10.0-15Stephen Gallagher - 1.10.0-14Jakub Hrozek - 1.10.0-13Dan Horák - 1.10.0-12.beta2Jakub Hrozek - 1.10.0-11.beta2Jakub Hrozek - 1.10.0-10.beta2Jakub Hrozek - 1.10.0-9.beta2Jakub Hrozek - 1.10.0-8.beta1Jakub Hrozek - 1.10.0-8.beta2Jakub Hrozek - 1.10.0-7.beta1Jakub Hrozek - 1.10.0-6.beta1Jakub Hrozek - 1.10.0-5.beta1Jakub Hrozek - 1.10.0-4.beta1Jakub Hrozek - 1.10.0-3.beta1Jakub Hrozek - 1.10.0-2.alpha1Jakub Hrozek - 1.10.0-1.alpha1Jakub Hrozek - 1.9.5-10Stephen Gallagher - 1.9.4-9Jakub Hrozek - 1.9.4-8Jakub Hrozek - 1.9.4-7Jakub Hrozek - 1.9.4-6Jakub Hrozek - 1.9.4-5Jakub Hrozek - 1.9.4-4Jakub Hrozek - 1.9.4-3Jakub Hrozek - 1.9.4-2Jakub Hrozek - 1.9.4-1Jakub Hrozek - 1.9.3-1Jakub Hrozek - 1.9.2-5Jakub Hrozek - 1.9.2-4Jakub Hrozek - 1.9.2-3Jakub Hrozek - 1.9.2-2Jakub Hrozek - 1.9.2-1Jakub Hrozek - 1.9.1-1Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-24Jakub Hrozek - 1.9.0-23Jakub Hrozek - 1.9.0-22.rc1Jakub Hrozek - 1.9.0-21.beta7Jakub Hrozek - 1.9.0-20.beta6Jakub Hrozek - 1.9.0-19.beta6Jakub Hrozek - 1.9.0-18.beta6Jakub Hrozek - 1.9.0-17.beta6Jakub Hrozek - 1.9.0-16.beta6Jakub Hrozek - 1.9.0-14.beta6Jakub Hrozek - 1.9.0-13.beta6Fedora Release Engineering - 1.9.0-13.beta5Jakub Hrozek - 1.9.0-12.beta5Stephen Gallagher - 1.9.0-11.beta4Jakub Hrozek - 1.9.0-10.beta4Jakub Hrozek - 1.9.0-9.beta4Stephen Gallagher - 1.9.0-8.beta3Stephen Gallagher - 1.9.0-7.beta2Stephen Gallagher - 1.9.0-6.beta2Stephen Gallagher - 1.9.0-5.beta2Stephen Gallagher - 1.9.0-4.beta1Stephen Gallagher - 1.9.0-3.beta1Stephen Gallagher - 1.9.0-2.beta1Stephen Gallagher - 1.9.0-1.beta1Stephen Gallagher - 1.8.3-11Stephen Gallagher - 1.8.2-10Stephen Gallagher - 1.8.1-9Stephen Gallagher - 1.8.1-8Stephen Gallagher - 1.8.1-7Stephen Gallagher - 1.8.0-6Stephen Gallagher - 1.8.0-5.beta3Stephen Gallagher - 1.8.0-4.beta3Petr Pisar - 1.8.0-3.beta2Stephen Gallagher - 1.8.0-1.beta2Stephen Gallagher - 1.8.0-1.beta1Stephen Gallagher - 1.7.0-5Stephen Gallagher - 1.7.0-4Stephen Gallagher - 1.7.0-3Fedora Release Engineering - 1.7.0-2Stephen Gallagher - 1.7.0-1Stephen Gallagher - 1.6.4-1Stephen Gallagher - 1.6.3-5Stephen Gallagher - 1.6.3-4Jakub Hrozek - 1.6.3-3Stephen Gallagher - 1.6.3-2Stephen Gallagher - 1.6.3-1Fedora Release Engineering - 1.6.2-5Stephen Gallagher - 1.6.2-4Stephen Gallagher - 1.6.2-3Stephen Gallagher - 1.6.2-2Stephen Gallagher - 1.6.2-1Stephen Gallagher - 1.6.1-1Stephen Gallagher - 1.6.0-2Stephen Gallagher - 1.6.0-1Stephen Gallagher - 1.5.11-2Stephen Gallagher - 1.5.10-1Stephen Gallagher - 1.5.9-1Stephen Gallagher - 1.5.8-1Stephen Gallagher - 1.5.7-3Stephen Gallagher - 1.5.7-2Stephen Gallagher - 1.5.7-1Stephen Gallagher - 1.5.6.1-1Stephen Gallagher - 1.5.6-1Stephen Gallagher - 1.5.5-5Stephen Gallagher - 1.5.5-4Stephen Gallagher - 1.5.5-3Stephen Gallagher - 1.5.5-2Stephen Gallagher - 1.5.5-1Stephen Gallagher - 1.5.4-1Stephen Gallagher - 1.5.3-2Stephen Gallagher - 1.5.3-1Stephen Gallagher - 1.5.2-1Simo Sorce - 1.5.1-9Stephen Gallagher - 1.5.1-8Stephen Gallagher - 1.5.1-7Stephen Gallagher - 1.5.1-6Stephen Gallagher - 1.5.1-5Fedora Release Engineering - 1.5.1-4Stephen Gallagher - 1.5.1-3Stephen Gallagher - 1.5.1-2Stephen Gallagher - 1.5.1-1Stephen Gallagher - 1.5.0-2Stephen Gallagher - 1.5.0-1Stephen Gallagher - 1.4.1-3Stephen Gallagher - 1.4.1-2Stephen Gallagher - 1.4.1-1Stephen Gallagher - 1.4.0-2Stephen Gallagher - 1.4.0-1Stephen Gallagher - 1.3.0-35Stephen Gallagher - 1.3.0-34Stephen Gallagher - 1.3.0-33Stephen Gallagher - 1.3.0-32Stephen Gallagher - 1.3.0-31Stephen Gallagher - 1.3.0-30David Malcolm - 1.2.91-21Stephen Gallagher - 1.2.91-20Stephen Gallagher - 1.2.1-15Stephen Gallagher - 1.2.0-12Stephen Gallagher - 1.1.92-11Stephen Gallagher - 1.1.91-10Simo Sorce - 1.1.1-3Stephen Gallagher - 1.1.1-1Stephen Gallagher - 1.1.0-2Stephen Gallagher - 1.1.0-1.pre20100317git0ea7f19Stephen Gallagehr - 1.0.5-2Stephen Gallagher - 1.0.5-1Stephen Gallagher - 1.0.4-1Stephen Gallagher - 1.0.3-1Stephen Gallagher - 1.0.2-1Stephen Gallagher - 1.0.1-1Stephen Gallagher - 1.0.0-2Stephen Gallagher - 1.0.0-1Stephen Gallagher - 0.99.1-1Stephen Gallagher - 0.99.0-1Stephen Gallagher - 0.7.1-1Stephen Gallagher - 0.7.0-2Stephen Gallagher - 0.7.0-1Stephen Gallagher - 0.6.1-2Stephen Gallagher - 0.6.1-1Stephen Gallagher - 0.6.0-1Sumit Bose - 0.6.0-0Simo Sorce - 0.5.0-0Jakub Hrozek - 0.4.1-4Fedora Release Engineering - 0.4.1-3Simo Sorce - 0.4.1-2Simo Sorce - 0.4.1-1Simo Sorce - 0.4.1-0Simo Sorce - 0.3.2-2Jakub Hrozek - 0.3.2-1Simo Sorce - 0.3.1-2Simo Sorce - 0.3.1-1Simo Sorce - 0.3.0-2Simo Sorce - 0.3.0-1Simo Sorce - 0.2.1-1Simo Sorce - 0.2.0-1Jakub Hrozek - 0.1.0-5.20090309git691c9b3Jakub Hrozek - 0.1.0-4Sumit Bose - 0.1.0-3Jakub Hrozek - 0.1.0-2Stephen Gallagher - 0.1.0-1- Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8] - Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 - Resolves: rhbz#1693379 - sssd_be and sss_cache too heavy on CPU - Resolves: rhbz#1909373 - Missing search index for `originalADgidNumber` - Resolves: rhbz#1954630 - [RFE] Improve debug messages by adding a unique tag for each request the backend is handling - Resolves: rhbz#1936891 - SSSD Error Msg Improvement: Bad address - Resolves: rhbz#1364596 - sssd still showing ipa user after removed from last group - Resolves: rhbz#1979404 - Changes made to /etc/pam.d/sssd-shadowutils are overwritten back to default on sssd-common package upgrade- Resolves: rhbz#1974257 - 'debug_microseconds' config option is broken - Resolves: rhbz#1936902 - SSSD Error Msg Improvement: Invalid argument - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm (additional patches and rebuild)- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools - Resolves: rhbz#1917444 - SSSD Error Msg Improvement: Server resolution failed: [2]: No such file or directory - Resolves: rhbz#1917511 - SSSD Error Msg Improvement: Failed to resolve server 'server.example.com': Error reading file - Resolves: rhbz#1917535 - sssd.conf man page: parameter dns_resolver_server_timeout and dns_resolver_op_timeout - Resolves: rhbz#1940509 - [RFE] Health and Support Analyzer: Link frontend to backend requests - Resolves: rhbz#1649464 - auto_private_groups not working as expected with posix ipa/ad trust - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection - Resolves: rhbz#1961215 - Invalid sssd-kcm return code if requested operation is not found - Resolves: rhbz#1837090 - SSSD fails nss_getby_name for IPA user with SID if the user has user private group - Resolves: rhbz#1879869 - sudo commands incorrectly exports the KRB5CCNAME environment variable - Resolves: rhbz#1962550 - sss_pac_make_request fails on systems joined to Active Directory. - Resolves: rhbz#1737489 - [RFE] SSSD should honor default Kerberos settings (keytab name) in /etc/krb5.conf- Resolves: rhbz#1947671 - Rebase SSSD for RHEL 8.5 - Resolves: rhbz#1930535 - [abrt] [faf] sssd: monitor_service_shutdown(): /usr/sbin/sssd killed by 11 - Resolves: rhbz#1942387 - Wrong default debug level of sssd tools - Resolves: rhbz#1945888 - Inconsistant debug level for connection logging - Resolves: rhbz#1948657 - pam_sss_gss.so doesn't work with large kerberos tickets - Resolves: rhbz#1949149 - [RFE] Poor man's backtrace - Resolves: rhbz#1920500 - Authentication handshake (ldap_install_tls()) fails due to underlying openssl operation failing with EINTR - Resolves: rhbz#1923964 - [RFE] SSSD Error Msg Improvement: write_krb5info_file failed, authentication might fail. - Resolves: rhbz#1928648 - SSSD logs improvements: clarify which config option applies to each timeout in the logs - Resolves: rhbz#1632159 - sssd-kcm starts successfully for non existent socket_path - Resolves: rhbz#1627112 - RFE: Kerberos ticket renewal for sssd-kcm - Resolves: rhbz#1925505 - [RFE] improve the sssd refresh timers for SUDO queries - Resolves: rhbz#1925514 - [RFE] Randomize the SUDO timeouts upon reconnection - Resolves: rhbz#1925561 - sssd-ldap(5) does not report how to disable the SUDO smart queries - Resolves: rhbz#1925621 - document impact of indices and of scope on performance of LDAP queries - Resolves: rhbz#1855320 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains. - Resolves: rhbz#1925608 - [RFE] make 'random_offset' addon to 'offline_timeout' option configurable - Resolves: rhbz#1447945 - man page / docs update required: if two certificate matching rules with the same priority match only one is used - Resolves: rhbz#1703436 - sssd not thread-safe in innetgr() - Resolves: rhbz#1713143 - SSSD does not translate the 2FA text labels("first factor" / "second factor") on GDM login and screensaver unlock screen - Resolves: rhbz#1888977 - sss_override: Usage limitations clarification in man page - Resolves: rhbz#1890177 - Clarify "single_prompt" option in "PROMPTING CONFIGURATION SECTION" section of sssd.conf man page - Resolves: rhbz#1902280 - fix sss_cache to also reset cached timestamp - Resolves: rhbz#1935683 - SSSD not detecting subdomain from AD forest (RHEL 8.3) - Resolves: rhbz#1937919 - IPA missing secondary IPA Posix groups in latest sssd 1.16.5-10.el7_9.7 - Resolves: rhbz#1944665 - No gpo found and ad_gpo_implicit_deny set to True still permits user login - Resolves: rhbz#1919942 - sss_override does not take precedence over override_homedir directive- Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss - Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. - Resolves: rhbz#1893159 - Default debug level should report all errors / failures (additional patch)- Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules - Resolves: rhbz#1918433 - sssd unable to lookup certmap rules - Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11- Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched - Resolves: rhbz#1915395 - Memory leak in the simple access provider - Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches)- Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches) - Resolves: rhbz#1893159 - Default debug level should report all errors / failures - Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication- Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process - Resolves: rhbz#1876658 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [RHEL 8] - Resolves: rhbz#1895001 - User lookups over the InfoPipe responder fail intermittently- Resolves: rhbz#1900733 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() - Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process - Resolves: rhbz#1894540 - sssd component logging is now too generic in syslog/journal - Resolves: rhbz#1828483 - filtered ID is appearing due to strange negative cache behavior- This is to bump version to allow rebuild against rebased libldb.- Resolves: rhbz#1881992 - Rebase SSSD for RHEL 8.4 - Resolves: rhbz#1722842 - sssd-kcm does not store TGT with ssh login using GSSAPI - Resolves: rhbz#1734040 - sssd crash in ad_get_account_domain_search() - Resolves: rhbz#1784459 - [RFE] tlog does not allow to exclude some users from session recording - Resolves: rhbz#1791300 - sporadic sssd_be crash on s390x - Resolves: rhbz#1817122 - 'getent group ldapgroupname' doesn't show any LDAP users or some LDAP users when 'rfc2307bis' schema is used with SSSD. - Resolves: rhbz#1819012 - [RFE] Improve AD site discovery process - Resolves: rhbz#1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL - Resolves: rhbz#1873715 - automount sssd issue when 2 automount maps have the same key (one un uppercase, one in lowercase) - Resolves: rhbz#1879860 - correction in sssd.conf:pam_response_filter man page - Resolves: rhbz#1881336 - [RFE] sssd-ldap man page modification for parameter "ldap_referrals" - Resolves: rhbz#1883488 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains - Resolves: rhbz#1884196 - [RFE] Add "enabled" option to domain section in config file - Resolves: rhbz#1884205 - KCM: Increase client idle timeout to 5 minutes - Resolves: rhbz#1884207 - [RFE] ldap: add new option ldap_library_debug_level - Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff - Resolves: rhbz#1884281 - Secondary LDAP group go missing from 'id' command - Resolves: rhbz#1884301 - [RFE] dyndns: suport asymmetric auth for nsupdate- Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied- Resolves: rhbz#1868387 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working - Resolves: rhbz#1854951 - sss-certmap man page change to add clarification for userPrincipalName attribute from AD schema - Resolves: rhbz#1856861 - False errors/warnings are logged in sssd.log file after enabling 2FA prompting settings in sssd.conf - Resolves: rhbz#1869683 - p11_child: default value of ocsp_dgst == sha256 doesn't conform RFC5019 and has to be changed to sha1- Resolves: rhbz#1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command. - Resolves: rhbz#1780404 - smartcards: special characters must be escaped when building search filter- Resolves: rhbz#1820574 - [sssd] RHEL 8.3 Tier 0 Localization- Resolves: rhbz#1821719 - sssd (sssd_be) is consuming 100% CPU, partially due to failing mem-cache - Fixed "requires/provides" rpmdiff warning- Resolves: rhbz#1815584 - id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication - Resolves: rhbz#1794607 - SSSD must be able to resolve membership involving root with files provider - Resolves: rhbz#1803134 - Improve "unlock" time when user session already active- Resolves: rhbz#1829470 - `sssd.api.conf` and `sssd.api.d` should belong to `python-sssdconfig` package - Resolves: rhbz#1544457 - sssd fails to release file descriptor on child logs after receiving HUP - Resolves: rhbz#1824323 - SSSD user filtering is failing on RHEL 8 after "files" provider rebuilds cache - Resolves: rhbz#1827432 - When the passwd or group files are replaced, sssd stops monitoring the file for inotify events, and no updates are triggered - Resolves: rhbz#1835710 - Change the message "Please enter smart card" to "Please insert smart card" on GDM login with smart-card - Resolves: rhbz#1838037 - Oddjob-mkhomedir fails when using NSS compat - Resolves: rhbz#1845904 - gdm smart card authentication does not work shortly after disconnecting from network. - Resolves: rhbz#1845975 - sssd doesn't follow the link order of AD Group Policy Management - Resolves: rhbz#1845980 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information - Resolves: rhbz#1845987 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration. - Resolves: rhbz#1845994 - GDM failure loop when no user mapped for smart card - Resolves: rhbz#1846003 - GDM password prompt when cert mapped to multiple users and promptusername is False - Resolves: rhbz#1850961 - /usr/share/systemtap/tapset/sssd_functions.stp missing a comma- Resolves: rhbz#Bug 1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command.- Resolves: rhbz#1839037 - Rebase SSSD for RHEL 8.3 - Resolves: rhbz#1843872 - sssd 2.3.0 breaks AD auth due to GPO parsing failure - Resolves: rhbz#1834156 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard certificate EKU and perform an action based on value when generating SSH key from a certificate (additional patch)- Resolves: rhbz#1810634 - id command taking 1+ minute for returning user information- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard certificate EKU and perform an action based on value when generating SSH key from a certificate- Resolves: rhbz#1718193 - p11_child should have an option to skip C_WaitForSlotEvent if the PKCS#11 module does not implement it properly- Resolves: rhbz#1792331 - sssd_be crashes when krb5_realm and krb5_server is omitted and auth_provider is krb5- Resolves: rhbz#1754996 - [sssd] Tier 0 Localization- Resolves: rhbz#1767514 - sssd requires timed sudoers ldap entries to be specified up to the seconds- Resolves: rhbz#1713368 - Add sssd-dbus package as a dependency of sssd-tools* Resolves: rhbz#1794016 - sssd_be frequent crash* Resolves: rhbz#1762415 - Force LDAPS over 636 with AD Access Provider* Resolves: rhbz#1583592 - [RFE] Add configurable randomness to SSSD ldap connection timeout* Resolves: rhbz#1783190 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/sssd_autofs killed by 6* Resolves: rhbz#1785214 - server/be: SIGTERM handling is incorrect* Resolves: rhbz#1785193 - Watchdog implementation or usage is incorrect* Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized* Resolves: rhbz#1744500 - [Doc]Provide explanation on escape character for match rules sss-certmap* Resolves: rhbz#1781728 - sssctl config-check command does not give proper error messages with line numbers* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release Increasing version number to pick latest libldb* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release PART2: Fix gating issue.* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release* Resolves: rhbz#1753694 - Rebase sssd to the latest upstream release- Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid new ones (kcm)- Resolves: rhbz#1744134 - New defect found in sssd-2.2.0-16.el8 - Also sync. kcm multihost tests with master- Resolves: rhbz#1676385 - pam_sss with smartcard auth does not create gnome keyring - Also apply a patch to fix gating tests issue- Resolves: rhbz#1736861 - dyndns_update = True is no longer enough to get the IP address of the machine updated in IPA upon sssd.service startup- Resolves: rhbz#1736265 - Smart Card auth of local user: endless loop if wrong PIN was provided- Resolves: rhbz#1736796 - sssd config option "default_domain_suffix" should not cause files domain entries to be qualified, this can break sudo access- Resolves: rhbz#1669407 - MAN: Document that PAM stack contains the systemd-user service in the account phase in RHEL-8- Resolves: rhbz#1448094 - sssd-kcm cannot handle big tickets- Resolves: rhbz#1733372 - permission denied on logs when running sssd as non-root user- Resolves: rhbz#1736483 - Sudo prompt for smart card authentication is missing the trailing colon- Resolves: rhbz#1382750 - Conflicting default timeout values- Resolves: rhbz#1699480 - Include libsss_nss_idmap-devel in the Builder repository - This just required a raise in release number and changelog for the record.- Resolves: rhbz#1711318 - p11_child::sign_data() function implementation is not FIPS140 compliant- Resolves: rhbz#1726945 - negative cache does not use values from 'filter_users' config option for known domains- Resolves: rhbz#1729055 - sssd does not pass correct rules to sudo- Resolves: rhbz#1283798 - sssd failover does not work on connecting to non-responsive ldaps:// server- Resolves: rhbz#1725168 - sssd-proxy crashes resolving groups with no members- Resolves: rhbz#1673443 - sssd man pages: The default value of "ldap_user_home_directory" is not mentioned with AD server configuration- Resolves: rhbz#1687281 Rebase sssd in RHEL-8.1 to the latest upstream release- Resolves: rhbz#1687281 Rebase sssd in RHEL-8.1 to the latest upstream release- Replace ARRAY_SIZE with N_ELEMENTS to reflect samba changes. This is done here in order to unblock gating changes before rebase. - Related: rhbz#1682305- Resolves: rhbz#1672780 - gdm login not prompting for username when smart card maps to multiple users- Resolves: rhbz#1645291 - Perform some basic ccache initialization as part of gen_new to avoid a subsequent switch call failure-Resolves: rhbz#1659498 - Re-setting the trusted AD domain fails due to wrong subdomain service name being used-Resolves: rhbz#1660083 - extraAttributes is org.freedesktop.DBus.Error. UnknownProperty: Unknown property- Resolves: rhbz#1661183 - SSSD 2.0 has drastically lower sbus timeout than 1.x, this can result in time outs- Resolves: rhbz#1578014 - sssd does not work under non-root user - Note: Actually the patches were in the 2.0.0-37, this one just adds this changelog because it was missing.- Resolves: rhbz#1652563 - incorrect example in the man page of idmap_sss suggests using * for backend sss- Resolves: rhbz#1466503 - Snippets are not used when sssd.conf does not exist- Resolves: rhbz#1622008 - Error message when IPA server uninstall calls kdestroy caused by KCM returning a wrong error code during the delete operation- Resolves: rhbz#1646113 - Missing concise documentation about valid options for sssd-files-provider- Resolves: rhbz#1625670 - sssd needs to require a newer version of libtalloc and libtevent to avoid an issue in GPO processing- Resolves: 1658813 - PKINIT with KCM does not work- Resolves: 1657898 - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust- Resolves: rhbz#1655459 - [abrt] [faf] sssd: raise(): /usr/libexec/sssd/proxy_child killed by 6- Resolves: rhbz#1652719 - [SECURITY] sssd returns '/' for emtpy home directories- Resolves: rhbz#1657979 - SSSD's LDAP authentication provider does not work if ID provider is authenticated with GSSAPI- Resolves: rhbz#1657980 - sssd_nss memory leak- Resolves: rhbz#1645566 - SSSD 2.x does not sanitize domain name properly for D-bus, resulting in a crash- Resolves: rhbz#1646168 - sssctl access-report always prints an error message - Resolves: rhbz#1643053 - Restarting the sssd-kcm service should reload the configuration without having to restart the whole sssd - Resolves: rhbz#1640576 - sssctl reports incorrect information about local user's cache entry expiration time - Resolves: rhbz#1645238 - Unable to su to root when logged in as a local user - Resolves: rhbz#1639411 - sssd support for for smartcards using ECC keys- Resolves: rhbz#1642508 - sssd ifp crash when trying to access ipa webui with smart card- Resolves: rhbz#1642372 - SSSD Python getgrouplist API was removed but required for IPA- Related: rhbz#1638150 - session not recording for local user when groups defined - Also add silence a Coverity warning, which is related to rhbz#1637131- Related: rhbz#1637513 - sssd crashes when refreshing expired sudo rules- Add OSCP checks for p11_child - Related: rhbz#1615417 - [RFE] Add Smart Card authentication for local users- Related: rhbz#1638006 - Files: The files provider always enumerates which causes duplicate when running getent passwd- Related: rhbz#1637131 - pam_unix unable to match fully qualified username provided by sssd during smartcard auth using gdm- Related: rhbz#1620123 - [RFE] Add option to specify a Smartcard with a PKCS#11 URI- Related: rhbz#1611011 - Support for "require smartcard for login option"- Related: rhbz#1635595 - Cant login with smartcard with multiple certs- Backport more sbus2 fixes - Related: rhbz#1623878 - crash related to sbus_router_destructor()- Resolves: rhbz#1636397 - SSSD not fetching all sudo rules from AD- Resolves: rhbz#1628122 - Printing incorrect information about domain with sssctl utility- Resolves: rhbz#1626001 - SSSD should log to syslog if a domain is not started due to a misconfiguration- Resolves: rhbz#1624785 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated- Resolves: rhbz#1628126 - [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_be killed by 11 crash func _dbus_list_unlink- Resolves: rhbz#1628503 - sssd only sets the SELinux login context if it differs from the default- Resolves: rhbz#1625842 id_provider= local causes SSSD to abort startup- Resolves: rhbz#1615590 - Do not rely on "python" for el8- Resolves: rhbz#1615417 - [RFE] Add Smart Card authentication for local users- Resolves: rhbz#1623878 - crash related to sbus_router_destructor()- Resolves: rhbz#1622026 - sssd 2.0 regression: Kerberos authentication fails with the KCM ccache- Resolves: rhbz#1615460 - Rebase SSSD to the latest released version- Switch hardcoded python3 shebangs into the %{__python3} macro- Update to 1.16.2 release - Cleanup unused global definitions - Remove python2 references from the spec file - Resolves: rhbz#1585313 - Kerberos with sssd-kcm is not working on s390x- Resolves: upstream#3684 - A group is not updated if its member is removed with the cleanup task, but the group does not change - Resolves: upstream#3558 - sudo: report error when two rules share cn - Tone down shutdown messages for socket activated responders - IPA: Qualify the externalUser sudo attribute - Resolves: upstream#3550 - refresh_expired_interval does not work with netgrous in 1.15 - Resolves: upstream#3402 - Support alternative sources for the files provider - Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option - Resolves: upstream#3679 - Make nss netgroup requests more robust - Resolves: upstream#3634 - sssctl COMMAND --help fails if sssd is not configured - Resolves: upstream#3469 - extend sss-certmap man page regarding priority processing - Improve docs/debug message about GC detection - Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes list out of bound? - Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is set. - Document which principal does the AD provider use - Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is defined, but contains no SIDs - Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM - Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Fatal]- Resolves: upstream#3573 - sssd won't show netgroups with blank domain - Resolves: upstream#3660 - confdb_expand_app_domains() always fails - Resolves: upstream#3658 - Application domain is not interpreted correctly - Resolves: upstream#3687 - KCM: Don't pass a non null terminated string to json_loads() - Resolves: upstream#3386 - KCM: Payload buffer is too small - Resolves: upstream#3666 - Fix usage of str.decode() in our tests - A few KCM misc fixes- New upstream release 1.16.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html- Resolves: upstream#3621 - backport bug found by static analyzers- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set - Resolves: upstream#3621 - FleetCommander integration must not require capability DAC_OVERRIDE- Resolves: upstream#3618 - selinux_child segfaults in a docker container- Resolves: rhbz#1431153 - sssd: libsss_proxy.so needs to be linked with -ldl- Fix systemd executions/requirements- Fix building on rawhide. Remove -Wl,-z,defs from LDFLAGS- Fix building of sssd-nfs-idmap with libnfsidmap.so.1- Rebuilt for libnfsidmap.so.1- Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout - Resolves: upstream#3588 - sssd_nss consumes more memory until restarted or machine swaps - Resolves: failure in glibc tests https://sourceware.org/bugzilla/show_bug.cgi?id=22530 - Resolves: upstream#3451 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds - Resolves: upstream#3285 - SSSD needs restart after incorrect clock is corrected with AD - Resolves: upstream#3586 - Give a more detailed debug and system-log message if krb5_init_context() failed - Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet in /etc/systemd/system - Backport few upstream features from 1.16.1- Resolves: rhbz#1494002 - sssd_nss crashed in cache_req_search_domains_next- Backport extended NSS API from upstream master branch- Resolves: upstream#3529 - sssd-kcm Fix restart during/after upgrade- New upstream release 1.16.0 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_0.html- Resolves: rhbz#1499354 - CVE-2017-12173 sssd: unsanitized input when searching in local cache database access on the sock_file system_bus_socket- Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write access on the sock_file system_bus_socket - Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and fails to download desktop profile data - Resolves: upstream#3485 - getsidbyid does not work with 1.15.3 - Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server - Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id mapping is applied- Backport few upstream patches/fixes- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild- New upstream release 1.15.3 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html- Rebuild with libldb-1.2.0- Fix build issues: Update expided certificate in unit tests- Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication - Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with file from package sssd-common-1.15.1-1.fc25.x86_64 - Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4- Fix issue with IPA + SELinux in containers - Resolves: upstream https://fedorahosted.org/sssd/ticket/3297- Backport upstream patches for 1.15.3 pre-release - required for building freeipa-4.5.x in rawhide- New upstream release 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html- New upstream release 1.15.1 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html- Cherry-pick patches from upstream that enable the files provider - Enable the files domain - Retire patch 0501-Partially-revert-CONFIG-Use-default-config-when-none.patch which is superseded by the files domain autoconfiguration - Related: rhbz#1357418 - SSSD fast cache for local users- Add missing %license macro- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild- New upstream release 1.15.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.15.0- Rebuild for Python 3.6- Resolves: rhbz#1369130 - nss_sss should not link against libpthread - Resolves: rhbz#1392916 - sssd failes to start after update - Resolves: rhbz#1398789 - SELinux is preventing sssd from 'write' accesses on the directory /etc/sssd- New upstream release 1.14.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.2- libwbclient-sssd: update interface to version 0.13- Fix regression with krb5_map_user - Resolves: rhbz#1375552 - krb5_map_user doesn't seem effective anymore - Resolves: rhbz#1349286 - authconfig fails with SSSDConfig.NoDomainError: default if nonexistent domain is mentioned- Backport important patches from upstream 1.14.2 prerelease - Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after boot - Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14- New upstream release 1.14.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1- Add workaround patch for RHBZ #1366403- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages- New upstream release 1.14.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0- New upstream release 1.14 beta - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0beta- New upstream release 1.14 alpha - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.0alpha- Resolves: rhbz#1335639 - [abrt] sssd-dbus: ldb_msg_find_element(): sssd_ifp killed by SIGSEGV- Resolves: rhbz#1328108 - Protocol error with FreeIPA on CentOS 6- New upstream release 1.13.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.4- Resolves: rhbz#1276868 - Sudo PAM Login should support multiple password prompts (e.g. Password + Token) - Resolves: rhbz#1313041 - ssh with sssd proxy fails with "Connection closed by remote host" if locale not available- Resolves: rhbz#1310664 - [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid - Resolves: rhbz#1301303 - sss_obfuscate: SyntaxError: Missing parentheses in call to 'print'- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild- Additional upstream fixes- Resolves: rhbz#1256849 - SUDO: Support the IPA schema- New upstream release 1.13.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.3- New upstream release 1.13.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.2- Rebuilt for Python3.5 rebuild- Fix building pac responder with the krb5-1.14- python-sssdconfig: Fix parssing sssd.conf without config_file_version - Resolves: upstream #2837 - REGRESSION: ipa-client-automout failed- Fix few segfaults - Resolves: upstream #2811 - PAM responder crashed if user was not set - Resolves: upstream #2810 - sssd_be crashed in ipa_srv_ad_acct_lookup_step- New upstream release 1.13.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1- Fix OTP bug - Resolves: upstream #2729 - Do not send SSS_OTP if both factors were entered separately- Backport upstream patches required by FreeIPA 4.2.1- Fix ipa-migration bug - Resolves: upstream #2719 - IPA: returned unknown dp error code with disabled migration mode- New upstream release 1.13.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0- Unify return type of list_active_domains for python{2,3}- New upstream release 1.13 alpha - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild- Fix libwbclient alternatives- Backport important patches from upstream 1.13 prerelease- New upstream release 1.12.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.5- Backport important patches from upstream 1.13 prerelease - Resolves: rhbz#1060325 - Does sssd-ad use the most suitable attribute for group name - Resolves: upstream #2335 - Investigate using the krb5 responder for driving the PAM conversation with OTPs - Enable cmocka tests for secondary architectures- Backport patches from upstream 1.12.5 prerelease - contains many fixes- Fix slow login with ipa and SELinux - Resolves: upstream #2624 - Only set the selinux context if the context differs from the local one- Fix regressions with ipa and SELinux - Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security context on client is staff_u- Also relax libldb Requires - Remove --enable-ldb-version-check- Relax libldb BuildRequires to be greater-or-equal- Add support for python3 bindings - Add requirement to python3 or python3 bindings - Resolves: rhbz#1014594 - sssd: Support Python 3- New upstream release 1.12.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.4- Backport patches with Python3 support from upstream- Fix double free in monitor - Resolves: rhbz#1186887 [abrt] sssd-common: talloc_abort(): sssd killed by SIGABRT- Rebuild for new libldb- Decrease priority of sssd-libwbclient 20 -> 5 - It should be lower than priority of samba veriosn of libwbclient. - https://bugzilla.redhat.com/show_bug.cgi?id=1175511#c18- Apply a number of patches from upstream to fix issues found 1.12.3 - Resolves: rhbz#1176373 - dyndns_iface does not accept multiple interfaces, or isn't documented to be able to - Resolves: rhbz#988068 - getpwnam_r fails for non-existing users when sssd is not running - Resolves: upstream #2557 authentication failure with user from AD- Resolves: rhbz#1164156 - libsss_simpleifp should pull sssd-dbus - Resolves: rhbz#1179379 - gzip: stdin: file size changed while zipping when rotating logfile- New upstream release 1.12.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3 - Fix spelling errors in description (fedpkg lint)- Rebuild for libldb 1.1.19- Resolves: rhbz#1175511 - sssd-libwbclient conflicts with Samba's and causes crash in wbinfo - in addition to the patch libwbclient.so is filtered out of the Provides list of the package- Fix regressions and bugs in sssd upstream 1.12.2 - https://fedorahosted.org/sssd/ticket/{id} - Regressions: #2471, #2475, #2483, #2487, #2529, #2535 - Bugs: #2287, #2445- Rebuild for libldb 1.1.18- Fix typo in libwbclient-devel %preun- Use alternatives for libwbclient- Backport several patches from upstream. - Fix a potential crash against old (pre-4.0) IPA servers- New upstream release 1.12.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2- Resolves: rhbz#1139962 - Fedora 21, FreeIPA 4.0.2: sssd does not find user private group from server- New upstream release 1.12.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.1- Do not crash on resolving a group SID in IPA server mode- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild- Fix release version for upgrades- New upstream release 1.12.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild- New upstream release 1.12 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta2- Fix tests on big-endian - Fix previous changelog entry- New upstream release 1.12 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0beta1- Rebuild against new ding-libs- Make LDB dependency a strict equivalency- Rebuild against new libldb- New upstream release 1.11.5.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5.1- Fix bug in generation of systemd unit file- New upstream release 1.11.5 - Remove upstreamed patch - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.5- Handle new error code for IPA password migration- Include couple of patches from upstream 1.11 branch- New upstream release 1.11.4 - Remove upstreamed patch - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.4- Handle OTP response from FreeIPA server gracefully- New upstream release 1.11.3 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.3- New upstream release 1.11.2 - Remove upstreamed patches - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.2- Fix potential crash with external groups in trusted IPA-AD setup- Add plugin for cifs-utils - Resolves: rhbz#998544- Fix failover from Global Catalog to LDAP in case GC is not available- Remove the ability to create public ccachedir (#1015089)- New upstream release 1.11.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1- Fix multicast checks in the SSSD - Resolves: rhbz#1007475 - The multicast check is wrong in the sudo source code getting the host info- Backport simplification of ccache management from 1.11.1 - Resolves: rhbz#1010553 - sssd setting KRB5CCNAME=(null) on login- New upstream release 1.11.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0- Resolves: #967012 - [abrt] sssd-1.9.5-1.fc18: sss_mmap_cache_gr_invalidate_gid: Process /usr/libexec/sssd/sssd_nss was killed by signal 11 (SIGSEGV) - Resolves: #996214 - sssd proxy_child segfault- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild- Resolves: #906427 - Do not use %{_lib} in specfile for the nss and pam libraries- New upstream release 1.11 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.0beta2- New upstream release 1.10.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.1- sssd-tools should require sssd-common, not sssd- Move sssd_pac to the sssd-ipa and sssd-ad subpackages - Trim out RHEL5-specific macros since we don't build on RHEL 5 - Trim out macros for Fedora older than F18 - Update libldb requirement to 1.1.16 - Trim RPM changelog down to the last year- Move sssd_pac to the sssd-krb5 subpackage- Fix Obsoletes: to account for dist tag - Convert post and pre scripts to run on the sssd-common subpackage - Remove old conversion from SYSV- New upstream release 1.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0- the cmocka toolkit exists only on selected arches- Apply a number of patches from upstream to fix issues found post-beta, in particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)- Only BuildRequire libcmocka on Fedora- Fix typo in Requires that prevented an upgrade (#973916) - Use a hardcoded version in Conflicts, not less-than-current- Enable hardened build for RHEL7- New upstream release 1.10 beta2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta2 - BuildRequire libcmocka-devel in order to run all upstream tests during build - BuildRequire libnl3 instead of libnl1 - No longer BuildRequire initscripts, we no longer use /sbin/service - Remove explicit krb5-libs >= 1.10 requires; this platform doensn't carry any older krb5-libs version- Apply a couple of patches from upstream git that resolve crashes when ID mapping object was not initialized properly but needed later- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in- BuildRequire recent libini_config to ensure consistent behaviour- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug in ding-libs - Fix SSH integration with fully-qualified domains - Add the ability to dynamically discover the NetBIOS name- New upstream release 1.10 beta1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1- Add a patch to fix krb5 ccache creation issue with krb5 1.11- New upstream release 1.10 alpha1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0alpha1- Add a patch to fix krb5 unit tests- Split internal helper libraries into a shared object - Significantly reduce disk-space usage- Fix the Kerberos password expiration warning (#912223)- Do not write out dots in the domain-realm mapping file (#905650)- Include upstream patch to build with krb5-1.11- Rebuild against new libldb- Fix build with new automake versions- Recreate Kerberos ccache directory if it's missing - Resolves: rhbz#853558 - [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist- Fix changelog dates to make F19 rpmbuild happy- New upstream release 1.9.4- New upstream release 1.9.3- Resolve groups from AD correctly- Check the validity of naming context- Move the sss_cache tool to the main package- Include the 1.9.2 tarball- New upstream release 1.9.2- New upstream release 1.9.1- require the latest libldb- Use mcpath insted of mcachepath macro to be consistent with upsteam spec file- New upstream release 1.9.0- New upstream release 1.9.0 rc1- New upstream release 1.9.0 beta7 - obsoletes patches #1-#3- Rebuild against libldb 1.12- Rebuild against libldb 1.11- Change the default ccache location to DIR:/run/user/${UID}/krb5cc and patch man page accordingly - Resolves: rhbz#851304- Rebuild against libldb 1.10- Only create the SELinux login file if there are SELinux mappings on the IPA server- Don't discard HBAC rule processing result if SELinux is on Resolves: rhbz#846792 (CVE-2012-3462)- New upstream release 1.9.0 beta 6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta6 - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Fixes for the support for setting default SELinux user context from FreeIPA. - Fixed a regression introduced in beta 5 that broke LDAP SASL binds - The SSSD supports the concept of a Primary Server and a Back Up Server in failover - A new command-line tool sss_seed is available to help prime the cache with a user record when deploying a new machine - SSSD is now able to discover and save the domain-realm mappings between an IPA server and a trusted Active Directory server. - Packaging changes to fix ldconfig usage in subpackages (#843995) - Rebuild against libldb 1.1.9- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild- New upstream release 1.9.0 beta 5 - Obsoletes the patch for missing DP_OPTION_TERMINATOR in AD provider options - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta5 - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds- Fix broken ARM build - Add missing DP_OPTION_TERMINATOR in AD provider options- Own several directories create during make install (#839782)- New upstream release 1.9.0 beta 4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta4 - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround.- New upstream release 1.9.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta3 - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders- Switch unicode library from libunistring to Glib - Drop unnecessary explicit Requires on keyutils - Guarantee that versioned Requires include the correct architecture- Fix accidental disabling of the DIR cache support- New upstream release 1.9.0 beta 2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta2 - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging- Fix regression in endianness patch- Rebuild SSSD against ding-libs 0.3.0beta1 - Fix endianness bug in service map protocol- Fix several regressions since 1.5.x - Ensure that the RPM creates the /var/lib/sss/mc directory - Add support for Netscape password warning expiration control - Rebuild against libldb 1.1.6- New upstream release 1.9.0 beta 1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1 - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests- New upstream release 1.8.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.3 - Numerous manpage and translation updates - LDAP: Handle situations where the RootDSE isn't available anonymously - LDAP: Fix regression for users using non-standard LDAP attributes for user information- New upstream release 1.8.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.2 - Several fixes to case-insensitive domain functions - Fix for GSSAPI binds when the keytab contains unrelated principals - Fixed several segfaults - Workarounds added for LDAP servers with unreadable RootDSE - SSH knownhostproxy will no longer enter an infinite loop preventing login - The provided SYSV init script now starts SSSD earlier at startup and stops it later during shutdown - Assorted minor fixes for issues discovered by static analysis tools- Don't duplicate libsss_autofs.so in two packages - Set explicit package contents instead of globbing- Fix uninitialized value bug causing crashes throughout the code - Resolves: rhbz#804783 - [abrt] Segfault during LDAP 'services' lookup- New upstream release 1.8.1 - Resolve issue where we could enter an infinite loop trying to connect to an auth server - Fix serious issue with complex (3+ levels) nested groups - Fix netgroup support for case-insensitivity and aliases - Fix serious issue with lookup bundling resulting in requests never completing - IPA provider will now check the value of nsAccountLock during pam_acct_mgmt in addition to pam_authenticate - Fix several regressions in the proxy provider - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#799031 - --debug option for sss_debuglevel doesn't work- New upstream release 1.8.0 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental) - Include the IPA AutoFS provider - Fixed several memory-corruption bugs - Fixed a regression in group enumeration since 1.7.0 - Fixed a regression in the proxy provider - Resolves: rhbz#741981 - Separate Cache Timeouts for SSSD - Resolves: rhbz#797968 - sssd_be: The requested tar get is not configured is logged at each login - Resolves: rhbz#754114 - [abrt] sssd-1.6.3-1.fc16: ping_check: Process /usr/sbin/sssd was killed by signal 11 (SIGSEGV) - Resolves: rhbz#743133 - Performance regression with Kerberos authentication against AD - Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - Resolves: rhbz#786957 - sssd and kerberos should change the default location for create the Credential Cashes to /run/usr/USERNAME/krb5cc- Change default kerberos credential cache location to /run/user/- New upstream release 1.8.0 beta 3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta3 - Fixed a regression in group enumeration since 1.7.0 - Fixed several memory-corruption bugs - Finalized the ABI for the autofs support - Fixed a regression in the proxy provider- Rebuild against PCRE 8.30- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta2 - Fix two minor manpage bugs - Include the IPA AutoFS provider- New upstream release - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features - fix netgroups and sudo as well- Fixes a serious memory hierarchy bug causing unpredictable behavior in the LDAP provider.- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild- New upstream release 1.7.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.7.0 - Support for case-insensitive domains - Support for multiple search bases in the LDAP provider - Support for the native FreeIPA netgroup implementation - Reliability improvements to the process monitor - New DEBUG facility with more consistent log levels - New tool to change debug log levels without restarting SSSD - SSSD will now disconnect from LDAP server when idle - FreeIPA HBAC rules can choose to ignore srchost options for significant performance gains - Assorted performance improvements in the LDAP provider- New upstream release 1.6.4 - Rolls up previous patches applied to the 1.6.3 tarball - Fixes a rare issue causing crashes in the failover logic - Fixes an issue where SSSD would return the wrong PAM error code for users that it does not recognize.- Rebuild against libldb 1.1.4- Resolves: rhbz#753639 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam() - Resolves: rhbz#758425 - LDAP failover not working if server refuses connections- Rebuild for libldb 1.1.3- Resolves: rhbz#752495 - Crash when apply settings- New upstream release 1.6.3 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.3 - Fixes a major cache performance issue introduced in 1.6.2 - Fixes a potential infinite-loop with certain LDAP layouts- Rebuilt for glibc bug#747377- Change selinux policy requirement to Conflicts: with the old version, rather than Requires: the supported version.- Add explicit requirement on selinux-policy version to address new SBUS symlinks.- Remove %files reference to sss_debuglevel copied from wrong upstreeam spec file.- Improved handling of users and groups with multi-valued name attributes (aliases) - Performance enhancements Initgroups on RFC2307bis/FreeIPA HBAC rule processing - Improved process-hang detection and restarting - Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries) - Cleaned up the example configuration - New tool to change debug level on the fly- New upstream release 1.6.1 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.1 - Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep) - SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined - The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided. - Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory) - Three HBAC regressions have been fixed. - Fix for an infinite loop in the deref code- Build with _hardened_build macro- New upstream release 1.6.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.6.0 - Add host access control support for LDAP (similar to pam_host_attr) - Finer-grained control on principals used with Kerberos (such as for FAST or - validation) - Added a new tool sss_cache to allow selective expiring of cached entries - Added support for LDAP DEREF and ASQ controls - Added access control features for Novell Directory Server - FreeIPA dynamic DNS update now checks first to see if an update is needed - Complete rewrite of the HBAC library - New libraries: libipa_hbac and libipa_hbac-python- New upstream release 1.5.11 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.11 - Fix a serious regression that prevented SSSD from working with ldaps:// URIs - IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 - address being saved to the AAAA record- New upstream release 1.5.10 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.10 - Fixed a regression introduced in 1.5.9 that could result in blocking calls - to LDAP- New upstream release 1.5.9 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.9 - Support for overriding home directory, shell and primary GID locally - Properly honor TTL values from SRV record lookups - Support non-POSIX groups in nested group chains (for RFC2307bis LDAP - servers) - Properly escape IPv6 addresses in the failover code - Do not crash if inotify fails (e.g. resource exhaustion) - Don't add multiple TGT renewal callbacks (too many log messages)- New upstream release 1.5.8 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.8 - Support for the LDAP paging control - Support for multiple DNS servers for name resolution - Fixes for several group membership bugs - Fixes for rare crash bugs- Resolves: rhbz#706740 - Orphaned links on rc0.d-rc6.d - Make sure to properly convert to systemd if upgrading from newer - updates for Fedora 14- Fix segfault in TGT renewal- Resolves: rhbz#700891 - CVE-2011-1758 sssd: automatic TGT renewal overwrites - cached password with predicatable filename- Re-add manpage translations- New upstream release 1.5.6 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.6 - Fixed a serious memory leak in the memberOf plugin - Fixed a regression with the negative cache that caused it to be essentially - nonfunctional - Fixed an issue where the user's full name would sometimes be removed from - the cache - Fixed an issue with password changes in the kerberos provider not working - with kpasswd- Resolves: rhbz#697057 - kpasswd fails when using sssd and - kadmin server != kdc server - Upgrades from SysV should now maintain enabled/disabled status- Fix %postun- Fix systemd conversion. Upgrades from SysV to systemd weren't properly - enabling the systemd service. - Fix a serious memory leak in the memberOf plugin - Fix an issue where the user's full name would sometimes be removed - from the cache- Install systemd unit file instead of sysv init script- New upstream release 1.5.5 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.5 - Fixes for several crash bugs - LDAP group lookups will no longer abort if there is a zero-length member - attribute - Add automatic fallback to 'cn' if the 'gecos' attribute does not exist- New upstream release 1.5.4 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.4 - Fixes for Active Directory when not all users and groups have POSIX attributes - Fixes for handling users and groups that have name aliases (aliases are ignored) - Fix group memberships after initgroups in the IPA provider- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication- New upstream release 1.5.3 - Support for libldb >= 1.0.0- New upstream release 1.5.2 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2 - Fixes for support of FreeIPA v2 - Fixes for failover if DNS entries change - Improved sss_obfuscate tool with better interactive mode - Fix several crash bugs - Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this - Delete users from the local cache if initgroups calls return 'no such user' - (previously only worked for getpwnam/getpwuid) - Use new Transifex.net translations - Better support for automatic TGT renewal (now survives restart) - Netgroup fixes- Rebuild sssd against libldb 1.0.2 so the memberof module loads again. - Related: rhbz#677425- Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users- Ensure that SSSD builds against libldb-1.0.0 on F15 and later - Remove .la for memberOf- Fix memberOf install path- Add support for libldb 1.0.0- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild- Fix nested group member filter sanitization for RFC2307bis - Put translated tool manpages into the sssd-tools subpackage- Restore Requires: cyrus-sasl-gssapi as it is not auto-detected during - rpmbuild- New upstream release 1.5.1 - Addresses CVE-2010-4341 - DoS in sssd PAM responder can prevent logins - Vast performance improvements when enumerate = true - All PAM actions will now perform a forced initgroups lookup instead of just - a user information lookup - This guarantees that all group information is available to other - providers, such as the simple provider. - For backwards-compatibility, DNS lookups will also fall back to trying the - SSSD domain name as a DNS discovery domain. - Support for more password expiration policies in LDAP - 389 Directory Server - FreeIPA - ActiveDirectory - Support for ldap_tls_{cert,key,cipher_suite} config options -Assorted bugfixes- CVE-2010-4341 - DoS in sssd PAM responder can prevent logins- New upstream release 1.5.0 - Fixed issues with LDAP search filters that needed to be escaped - Add Kerberos FAST support on platforms that support it - Reduced verbosity of PAM_TEXT_INFO messages for cached credentials - Added a Kerberos access provider to honor .k5login - Addressed several thread-safety issues in the sss_client code - Improved support for delayed online Kerberos auth - Significantly reduced time between connecting to the network/VPN and - acquiring a TGT - Added feature for automatic Kerberos ticket renewal - Provides the kerberos ticket for long-lived processes or cron jobs - even when the user logs out - Added several new features to the LDAP access provider - Support for 'shadow' access control - Support for authorizedService access control - Ability to mix-and-match LDAP access control features - Added an option for a separate password-change LDAP server for those - platforms where LDAP referrals are not supported - Added support for manpage translations- Solve a shutdown race-condition that sometimes left processes running - Resolves: rhbz#606887 - SSSD stops on upgrade- Log startup errors to the syslog - Allow cache cleanup to be disabled in sssd.conf- New upstream release 1.4.1 - Add support for netgroups to the proxy provider - Fixes a minor bug with UIDs/GIDs >= 2^31 - Fixes a segfault in the kerberos provider - Fixes a segfault in the NSS responder if a data provider crashes - Correctly use sdap_netgroup_search_base- Fix incorrect tarball URL- New upstream release 1.4.0 - Added support for netgroups to the LDAP provider - Performance improvements made to group processing of RFC2307 LDAP servers - Fixed nested group issues with RFC2307bis LDAP servers without a memberOf plugin - Build-system improvements to support Gentoo - Split out several libraries into the ding-libs tarball - Manpage reviewed and updated- Fix pre and post script requirements- Resolves: rhbz#606887 - sssd stops on upgrade- Resolves: rhbz#626205 - Unable to unlock screen- Resolves: rhbz#637955 - libini_config-devel needs libcollection-devel but - doesn't require it- Resolves: rhbz#632615 - the krb5 locator plugin isn't packaged for multilib- Resolves: CVE-2010-2940 - sssd allows null password entry to authenticate - against LDAP- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild- New upstream version 1.2.91 (1.3.0rc1) - Improved LDAP failover - Synchronous sysdb API (provides performance enhancements) - Better online reconnection detection- New stable upstream version 1.2.1 - Resolves: rhbz#595529 - spec file should eschew %define in favor of - %global - Resolves: rhbz#593644 - Empty list of simple_allow_users causes sssd service - to fail while restart. - Resolves: rhbz#599026 - Makefile typo causes SSSD not to use the kernel - keyring - Resolves: rhbz#599724 - sssd is broken on Rawhide- New stable upstream version 1.2.0 - Support ServiceGroups for FreeIPA v2 HBAC rules - Fix long-standing issue with auth_provider = proxy - Better logging for TLS issues in LDAP- New LDAP access provider allows for filtering user access by LDAP attribute - Reduced default timeout for detecting offline status with LDAP - GSSAPI ticket lifetime made configurable - Better offline->online transition support in Kerberos- Release new upstream version 1.1.91 - Enhancements when using SSSD with FreeIPA v2 - Support for deferred kinit - Support for DNS SRV records for failover- Bump up release number to avoid library sub-packages version issues with previous releases.- New upstream release 1.1.1 - Fixed the IPA provider (which was segfaulting at start) - Fixed a bug in the SSSDConfig API causing some options to revert to - their defaults - This impacted the Authconfig UI - Ensure that SASL binds to LDAP auto-retry when interrupted by a signal- Release SSSD 1.1.0 final - Fix two potential segfaults - Fix memory leak in monitor - Better error message for unusable confdb- Release candidate for SSSD 1.1 - Add simple access provider - Create subpackages for libcollection, libini_config, libdhash and librefarray - Support IPv6 - Support LDAP referrals - Fix cache issues - Better feedback from PAM when offline- Rebuild against new libtevent- Fix licenses in sources and on RPMs- Fix regression on 64-bit platforms- Fixes link error on platforms that do not do implicit linking - Fixes double-free segfault in PAM - Fixes double-free error in async resolver - Fixes support for TCP-based DNS lookups in async resolver - Fixes memory alignment issues on ARM processors - Manpage fixes- Fixes a bug in the failover code that prevented the SSSD from detecting when it went back online - Fixes a bug causing long (sometimes multiple-minute) waits for NSS requests - Several segfault bugfixes- Fix CVE-2010-0014- Patch SSSDConfig API to address - https://bugzilla.redhat.com/show_bug.cgi?id=549482- New upstream stable release 1.0.0- New upstream bugfix release 0.99.1- New upstream release 0.99.0- Fix segfault in sssd_pam when cache_credentials was enabled - Update the sample configuration - Fix upgrade issues caused by data provider service removal- Fix upgrade issues from old (pre-0.5.0) releases of SSSD- New upstream release 0.7.0- Fix missing file permissions for sssd-clients- Add SSSDConfig API - Update polish translation for 0.6.0 - Fix long timeout on ldap operation - Make dp requests more robust- Ensure that the configuration upgrade script always writes the config file with 0600 permissions - Eliminate an infinite loop in group enumerations- New upstream release 0.6.0- New upstream release 0.5.0- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild- Fix a couple of segfaults that may happen on reload- add missing configure check that broke stopping the daemon - also fix default config to add a missing required option- latest upstream release. - also add a patch that fixes debugging output (potential segfault)- release out of the official 0.3.2 tarball- bugfix release 0.3.2 - includes previous release patches - change permissions of the /etc/sssd/sssd.conf to 0600- Add last minute bug fixes, found in testing the package- Version 0.3.1 - includes previous release patches- Try to fix build adding automake as an explicit BuildRequire - Add also a couple of last minute patches from upstream- Version 0.3.0 - Provides file based configuration and lots of improvements- Version 0.2.1- Version 0.2.0- package git snapshot- fixed items found during review - added initscript- added sss_client- Small cleanup and fixes in the spec file- Initial release (based on version 0.1.0 upstream code)2.5.2-2.el82.5.2-2.el8.build-idcd1decc898536000f2d3cca9ea8cd3ddd11a80ebsssd_pacsssd-common-pacCOPYING/usr/lib//usr/lib/.build-id//usr/lib/.build-id/cd//usr/libexec/sssd//usr/share/licenses//usr/share/licenses/sssd-common-pac/-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protectioncpioxz2x86_64-redhat-linux-gnudirectoryELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=cd1decc898536000f2d3cca9ea8cd3ddd11a80eb, strippedASCII text/RR(RRR#R,R.RRRRRRR*R R RRRRR"R&RRRRR+RRRRRRRRRR R'R$R%R R-R)R R RR2utf-86974114bd08efb5c2c3e8229de6a03d881e3c00fd2918cb131618773dbe0fa32?@7zXZ !#,b] b2u jӫ`(y-$Zt5,vrN8~ݞIM @'}@;x)ɾnRƄt'I=q&O&1@hdls:m s!5-uIzJ5"NF%_79a(h6"zGVU>'Z-oI0`3!P6BTp{ MK}.;)DcI'o>H]Ur %%"\\0F>Z^> $EAK@ ~Y9↹@*_r[jk-6̎Fx*:vt }X6ߜX&^7ʙ&Fpi]ӥ;hSR/5s#ˈO+82Mjv/ލY_x\IK}f n2cT! `*$S@ßs̤I%4֦K@T W@[KA;/cآNq$gBcza6ÑiX F^e%?u;rutgOOjmEHn EaO2bj޼&S)M戍_Nu'ϣc8[ +AQPUYS~4A z*y;P̉q^>xiWc>1%_/N Ȟ#,\r9Wln<.(Xu;6S xˡ(z&|HzW[Θ_а$g R@:LS症~@=z.Ɛy*M.=|%#r*+CR4O>(0~:Ƞ!6}a{n3ʺ:Y;Rx!C/VIy#G-R5J6I463t lO*һ$s$-koȾu)[ޱ{I fb{&|r$QkޝHmsijcg&~:pjDMqr@.-QXD A\A:;,d!iz00ΕBP+>SF3M6c[ o)ff<7@^ҧZHQ+a`rZ]Jm 82ᲢmpiVփ\xVrD}F|_Oi~8ufހ1<u LJĞxqZl3_n@e(1`>wun# Fǟ:'[gj6f?"O ۢ6 NM)*Gϑ;o ]7k-tǷm{[j_c8Z -J e/6=MwkGY4w 2jDFv1NPB%Sߞ.,E@Js"$.Vi`B/ Kd#ɚx+Tۙb/;8{a6&y$~+S>LQθ .?FwT+`9>3c"۹7ҫO4D4qz",!ëB9q̘RtMPĴ  q cP"=pnip#;PvmK;JTP4k/ZS^R=5ä{=.)Yx Fۨ<:Pg?[xuVIe]#mr|5Rԇ*Q&v>RdTȎ;uQ)q52QfJ+60C^2хW^<@3/?A ^n ƼqFq\Х4Vʿ@C78)ɜR\ [&OCqt1L="3LD$qXDXC9p<<|*Mo\QYyYSRѕ;Si7A8zSXN| > 3lwOugcM'د}|7^]GK`՞;lOԘ4kvھIg6碪}0BV?E%/-qe[9%3-xְ-K$[d''2[8*5go[UK 7f%_ٿ߽2۶ѵ`%#}@QsOBY%_8+zUYnm nVgKHfw1,>,4ElzD:фЛfuVNIoi..+SB~ۿCgDW݀- ҴG1f?…p/o]AF K-__GaUGi;hmNkiNz5Pk W– F]9Z劶&-u* vPΞ]Qw8 D̍[e 4͆36`|ٯKA<tՄlki#_|bK="I|kyz6 r=:̆gyW9JW1*ZJ, aK5fK \u7u q?Vqղb'>eԮ Gwy"&143 CK(*I]mVskG jQUw=}4| @ UNlpddMޕH߃O9몧V/HѾz@=oy<|`p>h6H/M-%kt62up#O 2!2-py+RaZKMl_;G0+tta` uP0ch Ť=4"'EzNPҖį:+a{'Ҟߩ%I]5T`DE$t oufruLg#cm]}deKv'̓/W}Xը×>2^äWDlY+,TqF`ĩQgpo5؟TR!'S`PKI$-+A|WZ4/ԄlP>!ʷV71d EE*Q |n!_Z^%P̯?*al5tOju&WK#R2~Yı!ߞ@{˰/}g*2Vu{0VM+?~M2-KF5YEfv^ۑ0Ej#jpwPĆSe^VKDr3~I0jHԍIA.*ġ+EΤ$OzMtJClv6>*.1&\ji;0cPj~DGC4}8u=+]\&JČq &qոk ae Y1o]^W@ՕԳR鉭* T5@ߴzy_Djs Yu#$uFwx$Z$.\Kg qzJtД6鷠:d1K]'b|BQ&z~Tg?ٽ)7'rޛo13Lә=`]4͝dL䑝gsw"y-FTr>V)h"p\=gݦ+;o4S@p8/DW C);͖Dkt )iFfi`GҽC] by Ai&CN3W<^M*XEKP?q]ػ<ENdGT~{wSàܧrKs/ü7ْG۷pTCbkR`o%Ř23"}" BiVR#b) DARJ)Eg!n;o&=5bYn [leR:ڤ=}ȑCJ^R$+{:^Ҕif}k^$[^h]A4~h J+F")zysz K;9jrc],!zb-a PpT.cim./ˀ;[~E" Z6NAڨ}XL& gè-$rQ ٬a?H 3n=ұ1WDtBl;ڵ5=C5${pd:T]:^ th>w  X#g0[^5ۻ昤YDS0WLrpuzg?U;.aXLJHca5O-i̛1AM3yk,ny=@=JjQІ:RFGJS*^gIse!EBveX~!s% T@NV/Qʄ4H.**xZ ÏXmn&  t􀘍9?4YMj@rTDȋgk@@b@vt?[\o-ǞOXL!.ʠmLAr t^+K t -Ŗ'=fk7F<)w)dݰW#7Z>skl{l9$}~]zg02p0V 4$ws+3=>')ZL UQ &B ً6=1쵬#?L@MCA 0 XBgC Ɲ CƪND!L3'ˁS(}yקyA^e[~7e|jmE B^CG]%q%%"x eYf9Յ?`Fq+#T{x=yAZǿn ܾ9/h.{yٴ6cl `%ՓI`iij14.,vZ 89=uP\% W nQUKd(0: W-9'Cd"j`?N9~Le\~sÃ9l§; ߊ6lG\ kf8ܱppƎ+ZpSSlO[u;CMF=f%@0Km 0~W>Zz$ND_#!)ya٘(᭵? ^17A8y>pA[ej ywJڀes\nƨ*KyNKY yy6|GJ ܯd\ְѿR^;}ۧWxá P`P~;'G@Dӕ0LDSI`%'lx7=q!flg(FΘD/5 qݎwbV+9x>)T[ LMHB՚ܭL#jK@~ {<  \|#%(9CB|}[۾ k 䂃^&jٹ OfɸZT$!?r@Ƚ5C3#Su4bڕ2%dPݟ(aHjYsžkñ!yxgةכ\j-7N \RD[eH î@QoIU~4e6Dp.E<,]0^SdWf8s"qҝvW;sMʘK% GnD9Y2l^)/Y?> /ހoAϐ?ŸHa YJo\Ir[!HV'sQ IA%bբeq{`|&0σ3&n b_UKk?wE!X̷1/7QP;aÅtvxW Fp V<IȦGqM^UX0+W?ʓa?uԔ B>-{n({/H튒G 0umW="K~{Vd|51?P%r3;TwGLaSv E)m#3=%u,c񡂪ɸkYֿJ<Ò{ Ay&eyj+& zh,1o Dh-oFiJUԗj\x@#kB;^9 l˻#; BlbjխlZ|?fmeܩHM% -&ǔ:|0B٣3ܧ%8m z#䟚P-2Z1n)K 3]x>Hb ?o ȹ迓 4>]TQ_Yg3dGҋHˆbآPY0ݾESuHo:o`jԘMBKq0 Ζ& eoT{A2|_g3c>n_vyDv3d 4HP[ 7@B0a[ίhmnzSGԼs]Y|x= (J4vS[U?C'XT'}_;+]o{i(daUh\wx ͋NstD`X4P{^ɴEq`d[Ucϼ$3L~"2SE rmޕ:ֿ<";Ԭ{ۆ8:gZ4KhH&zbs6%8Ի?>) sAX^qm<^:R3@d@L?z/i;ҚJ)d^Az2 4$Tm۴T1\e5XaRQtAjG{LC ֦Wp19; iX}A] J*HGQbRѰƃAjm{b yesA6t|j_Bq+t|@pBc5>t;vC1׵/6sD+Ȥ Z1ɒEMC1/!`<¿wH7L`x好lMjiA3zn nGK. _9+z (r_9f&n},7g*AÙ}RcWK+ bHE) L0J㶡zh]BDɯw@VN8Dwy'[LK$BY:?EuyQFyviհT1|ǟ,3$ \[V\x?̹ G:"QUewSB: /6ݜ. Ȱ!,kigm2_]:T ZZ[ 5ݺ%ώAvq"b<u^#vDAEk%IXP+L9uߐЦ+5ZbMڬ0G هxף W=qYz FAM痱<&Xޏ7pv')vbA)Pu5 AsvO K !F71UpcrhEi87~RL۱$*>EbB{y \O:QFq<|i>\@q>K&*Yrؐwҷ8~Hx(C!vL&Q~jX{xMY2z"/〫WgB~dJ}K*cՙC*} y!(<Ew-iv5KUT&^|χpb=nQPDx'KT6,ߗЅC:4fyө ˔jjPotJ޺@^>/r5NAᕝP4̂CU~VB ӎ:,M&iR 1͏;9|CM)~f:H惠aU9LyĶkÐ앞$6YfᐍL^gn}e(-ڍQ}K,&>7Uɖ0_IvG^xAuqj*ײk&l]mqZkaedkxln#lɢ,,/!J:X8mCO6lM 0&fi&[<:+9Nz4sbDZڑk1Qfj>Z2QI c(6-I/V1`Iw 7/-uÕxXW/T=4ٽwN_ߝW5N(^&)BB둮nReII汑dA ]X & ֮";, \I+Y? _5!d!F/q8uÈ%>Wtanfg8k _ꆊ/OR>z˞G[JHb10#F𗮙"ɭ(E;KE^ۡ/~ӤX()fࢰ{y28# _}jiL @ W|lٰ2CyRg}+!ͧ[aK;^ͳqlO#u%BK^˻#ԞV{Դˊކ?':"C׹c2+e/`W-B팽nHݭ.MSQf)8qSA mM+8.F3yw3 K62V) Q冚u;ƒ歕U?@4Ƃ|6JE/=A鲶y11vT[ ]|$RX "ͩQۙ1-wāٝPz ?ї&$0Qo$ܐa$^,}2O?Lq,6JĽcn>".8pl>QO}YaFksLI }}Fv)x ~zá!DVlp4]!):愴a[)HHnwB5Tci9iy }-o0Ǵ1m7Ro$CzOd(V`@QrY؊!70/4-X {CŖEܸ;q鸵5,z رA8a|ͮC{4M}P5boA:,rzs!tt0^kA,8@ 6ʛ}|^d"JaS#O]ҍCat75fT*8k>w `&jS`]E4:aC0Ezstu3:P,-ARR:^bi!(TMCFORn`;\ec*eDUX%ӻ^~QHD:%=Z PQҍg*_\PR#+VQ.`_NawHXM>M)[9A2Ո@)x(<ͷU-rfTV^-cP\M)@?$#Zvmy B@Dsŷfƿ'჉8_-Cl''MqSGmZ|Q(-Vy 5_OH@!PTONB:/ʵ!(f;CvRm;D%˥[N4cڥ Xai #D?\˿4Rfp"ޭPro0xx\DCs/2z',yY4>`d yכ%7:ͦ=J:҅!# QLbϾ[pj~:}A/bj%qjrdD9$'HskU{mm;yC-ZJ7\2[`LH&/o,~tkCKYV&l{vbx3}KbW_@ \|u 3V sirW de?3̓P ޡ27$0Na@'|*2J:N Ǝj7%١>![Y6.r٦*⪏1ШsA7DR 1ʁM۩zP}HEh8^cX *6NɁ8w\0X_4\1[iIܘù>2r#kW% 2@W 46NRݩ.S@]8AtMAKy&[2Īv-AwDc_8NgEjFpͱĥNsLLX5)PsYݎ隃ilHŃ&\pZERBĶA0c^{tLeTW$L9ɈZ(-Φ]Y6@c):CFcܓ8&mZbuk:^nΈɑ/*vt#ʘh`YϬ}#Ap:-U"j >D|yȞ!Y:)6{,"@2F!aj5!r@$$: (oYEuF΀/x:}yv.k[ x[i ٴ}g)sE4ǘ }Xkl; & ^RIE?pTK^m &U ^J!}^N8tYNl05Rdb<;0SW =+4jRvJğ U+H5XK[ւL4д-TS/ S>7 % ˊATmQYq4Te]GqJ)$  Zu4}9Zi;=8ԢE -0[kBWkBn$©)&5Z `ʫ:O:Rֿ{a'Iz1=G%l >%o9H) cѲ1{H \DwK .)ls 8J5[0l.~yWЏo *HEh#C=ܖ'o"9_/cݪ ]/$|X'x{]̩%8S6ǎrj(AO_aa9Rd)O t&)T/"rTz5[DminQ 㱉¸uhlon{Nk [Å&5tJˉLAT/N;;%ഓoL1"mL"|c!75KLc]b:C&%Lt-+GVw٬Z=EI7$Ku R7tl>B,RvB~xh>E>P.mc:q3]!W;86O\U2GIre=i orjc0xǪl}Ȫ[ MC?;+֐)#(%?4 zUȴ mD 7џ]:qc _xPp7s`&C8Tk[w">W5D|H,vack#MJ?2~vVܶ9fa, "HeGjHHQaqY8>&6}*1FzI7i[j>pj48 =s*-w\:$B(Y†] wNqy vy^JN}̊&!lSd hx5I@ ;TݙBNtdǀ>N{)9/ZbDg&)YRDx''\^; KzyN8֟{,5ȹVc_*,1wH$ 3>7< \Y$fMem;+"VNP=*EF ӕ,#y+.iC[i/&{Pˌ(l ޼O M oO߆Xꆜ2V l|XJT0d$᧐ka)sjxD-yy8 Eقs~R#;01~*W]hjv?lT$"HY& TG~"T48{TLES$./YTj‡MF^ϸ_f*K w=UkID!""b9K!7;b?{Vb?2+7d $ئ ?1ɮH ?9ׂߟE- YQgR;SbhpC(A"[9~Nҏk"пT,53y1;BD?B/nMy,'OӰ#ʴsW4.d$Cu4 YNw|%(iz냥O3?e=R[3se, TyQv / Pƥwcq;m!p5^L. iYZKxZC))>>ݵzOˢ4_d):U3Y;eMd(oE`{cA BKfs6`-^% ^ϲZ.k<"]8_Νa+͔OM; ?T* '% BrWe#>tw3C غuqPPI|n}؄gCPx^6*2k?z$[]ָ* ra"s9eP6N:Cؼp}c/w\dGN#upOCߺNDf #daX$FHrNcN"2i 4EAg8.Z6 3/37Q2#0龯Nͅt2r)Ar)*UI&KnekQFs !ß^{g4eXhv]0 gU_^!n-҆8cN> !aW+59gexuS pLsԒʥ`s$v۸;d598gMNɓU= ?2̴1(º VþsAG35o@醦v2k:} i~Jo+],`tB)zD0]#ӆ*{|VY TbPM/[iLRO<ܥ|G} . jX}JԂIO۾;mzqw| +[7x,v0\*t᧤m=w:ܕ?8#C#iҮ5"iXv6-G6agQ#ip%f2O.[@߬f@Q1\:`#nA[8pmEf E奌>^DL^mQuJgֶ%fTo7}->!6HmkX72م]?a':i5#oY>A8"SJ@BOfm|[AתMr3%Yx?>%R,r#?DS1E:fݘ;Zdg"nI_7(FL}`g$\x}2rN-C:94ɖn5<{(5R` -4؉齤 e~Z]Yr v_E/S2% ڬ9(gDe}̿){b;4&`'(nyVzz]%rs* ESH'|7U}_ h. /=Yڙ(gCmx"H:[X<Ёe@g*cP1ƻ"Z 1 wQ]/q:rB.Dmkke$ĵk{j7"P#vN0 $k )YEnY7j[#:f/ȻionH\&kpmf3;Ag&̝+`JnM!]E׸ԃO8EP'e6u!?V %rxu-T$17Q!8'%^8$*O'q7"YRM?.n<\< ݥ{xO\\d5v`Wn>T 'sToBS[hӢ=B U,[c hs&BlX%Ϝt6^IQk.OdwT>`QH~okן˭0/\ƚB kAlF2̀hB:GI Ӄ%eG?ЕGVx:,,HVz Z/FI9t>+ E+Wך37Ɍk>:;tc6Q&Ѷ{Ϥi*8NI54n&GZ(OrY]4*9) XX1~QAɵxaHTdks%$ʚfxR'יh^M\.53׵p gzYa6aȨ蔌2EJ9Wmvw)nCQpZm|.2GgKt7Nt I ;RXsOv|Z- Pp z#'Kyh{%)OW7 1mKNw{@o7#--B˩ ǻ\\jѴg?u$t!'VT,'dCO{­4DVMt ǽ%}Qs6Z)[mpM~$42*]mJդ2 Lp(t`rnvG6EȒsҗ*/FPI%:Ч(؍Cq>&0 I,&@d&E!r1{EN &\\-}94`qK eq/4s2r8|Hf‰6Cho*zK _}Vq'`1f7Y_nwEڡ2DZ_ISΛœ9AړBM ®έw88@A u~^`M.-u?*x  eLNi_7K% e,~捄si2 ew|QŁ 9h"aMqJGfeA}KrԱ/rLAa$&%0ge3&,U G6sne#R27^CT`йQk}.R`9l̞wsc0lQyKY9}ﭲf"FWGeQaNl͋ .1Q츤Y%DRZO]ڤKBL!&f&}\ZܟmNAAÓd0W4{6QKve$ O%ĺ(H& 1SHt 7kq p}G[Z*ۀ;\$#F1Ƚ a̪g `}JԕsWCEAu+ 6Hk?'c\B&rlN/ *~Ig̀(5DЫdP 7v\^؇o_r^k|Co۳C~'C{[Q0㱢Ԓ ˦|(=^+ ogvڅ&K1Vi&f<0L]*Ehlq@TచJb5}edZJ?5RF elXQ F1|i֋ |T`gug eDDr_b,W__QEl>Rf|OoK=h!s۟bqt)+0\u(1} r:-VҺag0>3Y )PiIoDiEJ 8P̉/]SPo"q`C|.dp#EĦw$٢pUt(bSv% 7}}3ä?rKKS|W732"*K§Aǰ= Z EY.U2lҎ"{u X- mlZLgj_52= /8|95;hdܧQt`K3rwWPyk?+P&B`l\l O3Ä[FQkR⿓mǮSVFIGjOt+31%&QKT-N/b xԟTkc C.&3ނ&f 5E|o] Z0UE[SGprG`X`^t+LERL,H)$Ezj \;e@`vhD𣐐1@`V"WJجW;0;NO8Z]sHɍRvmX΃[2ĕSDk 5#2<=ϷԒ@)Yầِ59@fmteiAj*3ϙ^; lD|X]*sK5S :hMwHi ٯd uB 2{xb/l~K(]~Ɔ=*gԾm0ƁHf&_lxox}4uT Qv|;(gw/7` 9LwF.L/?TP k .ݑJoq/Q1„fJ!1? ǡoHS[bes&FǕ^.7`^`8]-Sۨ]>GLY7je,{E˟S ׃$Tj4a{E {̢D8U>(d*SW{2RLCQwq]{9mZ@D/E(Y.D3&=,4d☔QoZoWQwa{9ZO W`]G"l r",aΚc?[TִAnTʝUo"W@pG GϔxeZhqJ*4 ml:v/+޵bl)cVi5lYrMFV)vˏ2:+0Hoyd'Ҥ' LHR/?,)]ߐrOQoR1w]X[lF? a0 )tQ67<Y.b:U*e]lG0LMf!Tȸ1KE>舠n'd5 K1 Q0vyLS?\aN ;ЂWϰe6f`?jur?8J5 qM`#kbaJw54r6pjʉ8"ynu}e&jG5?mI (E_Rn xOӬkQ5"CSlCuBJ=*D7* ш`6[[>_e)VrOx јVrmt8CY̅G'T+lbq׶Ef]ْ,i&IɕbWKboЦG{ݬt&_ysedrכc8`i .ZGk~]v-˯={E`#|5͎Hl!mUvyM̻ T+N`R5[(dF"W:>q :7`nkYFWQaD)>lks8೸(F_tj7*8$sJҬ6l_lIEZopިP3pGBvOk1+lfP0 JŒTcGdr t;b79:Y2|饁"čDj)=8J: D` CYX.Z*wZ *Kj2AzhV>;%5a \1Ev'hى;5K_8MC|%^u* \@cáWnvj8EQߺ}`˦>c '&+^+e<Ϙ=ĸ3_')Qt #U L?FLXp5UTR4;Ph¥!xߜV$3Os{=fAcU o~Wߣ<js:#G r<|]'Q49YiAzK(2J*Tva DyO34A.#G TQ,{ e;!c"Mn;n-*ҷu(zW"'Va|IYXh;)gyw32G{&>Ӝ Sj>F`AI!pC<%@gFR4"QqfeEi;)wۄlD޷4 *rkQ}afAAzKGBՈJ`*%^zttYĽ|"(UGDZ*D%3H̨ {hr줇;.G^⼦i;" Mֶ-/)!R^mcroW-Wd}~J|9%|JlxA-Y6$C|o q;^3zy>ҶYsÖ#ůx5nnJ/ ݬThrx=|^il$ê$FyHd;S2iv!XY7 ..TS_tNhUVPk}"Sʕ僩QGϦMojV=^Ȱq-eV_:u6#C1] y!t |B\98>*vE,9|y[9Wq ;8Ťr-n;7tV UK96?^:@76,m|ԑ+$חaJQ>)eߦ=ih>ZGvu&LQiZ>] {Xѹz&e N4Fk85ѿG"L#Ssk^I:5 [Y)YylE8z'a=^e:@K@3Ee`~%5 x2`s*4c?ܶ(tͧQzьHdzmԬ"Jl;(oZgBDj%wt)l_ƀNYiٽo%G"b?Yw.-^Mj줩f.d{Um(_Q9tL,aJRۇ.NM:5QsZ%ELGR*ߐ:B*?.5qByUxя{P.ϭ ML,\{h!`0D ~7K"KdWimeh)-B eYO#$M/.aeRvBݱTwx81EOqHMc7bwMtɫ*"k #*WC'dȇX4ü!綔2tU}d{G>8@tb\:Ӽ۳Br^a}F0FifTg$随 dXIMnMU0tlIVw oBNו+A+شR#2(*ɮaKW.U|A | 1 ǥnqk3tWӟT1)dOH}dTLWhptys3ą{Wy4%!t3Soܿj £~-Xf닳 #Utڶ9ZAI!@"\TPoRzn1E HQpyS}9<"hAHՏ&z&$4}Fj^̊Qx;镄w:OEl̴X}g'( Qlс ?֖+PD_ $;i26:| Igo`;qEGq<0ϽcT s'gGxӭQjX\ wc_[5y82 JD잴o2n3tUX2,Z3 W1=wi,vmZZ/"= 6tfW .uO.jўtr$пa΍YzLBr(x%I#AM=(lzM<llc&h~C+{5H3Fs7Q܇A$ py7zb@:G5drVʮ9O@oYrl [fHJa).$}9"7dnOKc`2*A%[ ( Am g& 5Z R4eεgk<3Hg C/)CM\S3I+4\h>{f뵝e7g~g`8Z".Nc±E/}O06GeS3t&l<~ܭ5 _!CA&%9N>Ă*mD[ 4ts]mNV+,'h:sw؅j&YD{r 7f&hdU}3'{;PVw~N^t"ZSvĂ0nOq%%`즻Y#G \0֣ ̶ZҩO!n=DN3:j,&*cؖY~S_ =@ܫ:i zsmլ|ĵ.,w35{'Xx6\ș6֩͜H?0+)<_;O"{p<:i3;$,Vo_}/S^Nm8 WKɨInek:&q \:^xޜE0!IS3qʊ}#쿄SJ o及) }&g&&YG^q-=J] Ko.eP Q>1͡؎iK_xUAZKx ,;c=A]X(?1;>+{6hx5@avMY*au+Jiq=im߶,=Az\HmlJgG`nXZ #4..\u,}MYU!T%`T&sY8 :qcLD-gL'-+0}:R/hƘ#0|j|"hOJM^m~U+4'h"zVhoQ|:b(4y |TSʑkj3=3!Ѹ~V-WCQ8^DK, zg-tRrq|ÃEi0l"Sjs ;3HƝ%G'Ajq֤ 5 bvN3#uUVo{%by3ʹ(w1rA$d-*O%@~FxT6~u OqF|;#f.' ] (łZ}œꋐs+  \P<[guNlzft 6nyWi@)aGUGA^DNY>ӡ֭rat!8iQ4va?:vTɷ٩g639\rxFmءc#I)7^ Q8 _PG3!PӄhVB/8_1ߔF'WT`LV*YZuӯlo,+Fexva]]>ػ,yg1|ZgrE=u} Nxݱ8=2A$JV, jL@-F'^)F D DBL|vHe$WТٍ]n(t0;_|b[ d֝,&H6UyZgPٟݔzZJ2ygs $JSr#&6[tjDSNY8|r6f%C.W{C"u. N#_4+^'YE\#݌JԚ{5o&a,/!aOI;DZսoorEҨvD&4 ]?tĞh'41O~ʁ3an5q\fRtyKRXY R"mNU}i.#<>!KP!niY9{1y0.t*_+/g~⑺n4WCbbjϾᏹoϾ+˝ɨfHLb.R;̝KCF_;yfu[{T4`Bn̥`f<7cҾAjչ2eƒ3l>4bzv%Bpt/*&>6 닊gmtXQ˾?c3y4ނKze^PExSln5)#'Y25-b `dmM7}ۀ`3("kmC6.90_:n\ %mn)/fv5wH K\.+:z"WK]\H :Z#5VEjgک Pvv]JĐVivL;aܧk:# Ƀk/R?[oηind*9OI(X]\`";CO)>h6X™y2_~V&R8s8y/! g,݄o5wRMMMJ.3QErC& U4mѳ]?E>~Vg7MۻJfWZ]vXxc>4 \)QBċ?^Hқ~O YRc5Ye*3e.аątWX/`(VX"U,7JPY OgIJ2?#Q,#ڈ4ě8>n^HaNXOd]IҜoBMrS!A }<٪ذe[ʍi߲EH ;qYk)zkn= ԯUq ~wGE܃ cXgf?=rl,K_y[!B>b2$j}^3N+^;g&z pc*dQ?XJ,E.D3a.@|S*I dH ߵm Tv?%Ď|JS&9N?=l'x5~j Ed'0viH1JݓKE H \~{ӀhCIdWbbĒyØIh$f[SZojn~aԪ(q{W] AV(A`sj M+Ⱥ5l\CSv_ HE30EV36>g "EQ1e>,"4k*6SŀSC"G8cqJ ~F )WOG {I{WcAmoW݁o0r2Ai@4m~ 1{2|C"qoc  nR0WLi&pyZoL` ڼ`KLIuAr&@v0vҮv9ç0Pl촫xzRMR1gYk{,&LȬo3r/r\y2PrNELL($+Q֏&tcJt R'5Cׇ] v^DDL%} q`:AByL)=-Wm.P i$0vEn.REPZ9μs;P2 ;j&!Lh @`r98κ[`Q6*\C ;gDʪtO {'t%\UYڟi-NN}Vʰ%G/-] q|.(Y jȿ.!mmI]%DF={, ːbD3}F5ZnND+ .~_I$GTcʹGE EwOi~B%p]EFe\㥂2S(a:xR -r6\&J=}%&$qDW/eN@{GfNbjld&гDp?IPm k+ >c1$Mӕל 1'N tMJ_uu1Z5ЭIHGl (12w m ;ӮU<($'gqȍrp>sqFXD=}ŵU|Q,HDӊPWjk:H-=p-0 F1>@4('xU!`Iy/`5$Kf* =M\KJ}.:?4AFU~†0ZW$Re1&1tޫ{rZΤ Ԥon]t9]jJs_Ul{ЕSqI͂P#Y#f9F\U:O_`x?In[3L&F{(,٭|WZ*`5@d2!~cm}XhT;- ‹ԕSt^DT/l7͸n|rpwrYd lI* ΎPqwA~5ϽO*25KSZxsUl 97[1KlfPdJ=p$ B i))#~U; ܟxHEN_h'骾yj.n깇\-lRgVsr>un5\tV"7BPV-8LA~[׾Dcơ1XCm4eG/CY0^jpF ُGٌP+l~D0يߧgΦ%7?Pk-0z׽k9@/ Cgƨ`vZD Fn69( IѺc]v,3 2 -ZOW!W"Ƞc.5_5΁l$,c.z{֮sU)Ap +Uó<v͛l|LCOG2uX QMm 9@:0aXr@xs lDz6Sq`@Jp-I~qje(پjjXg2R(Cz ` To `,s-frkd][CBu^>B\?鼤F&_> PS6Oc4 3:4g,nf~/˵8`lʑj, dglHT1iՐoufVSSe&lD='(9ӥ""Xt2bat^F`dJkxdl2Xhr\X*0g=QRgSGj9% qPE3D7_ՆBfx:OׅQ*]j6l ڟbE5ύWNogV?bYi=Õ]h)Sm#.MEz rTg@/vljmE[#*865/2I$Doې,(4}otkNJȂS!6@+ikU~&L&(BOCPiP SqO"zAA'ɒ;y/H:{c~%&z8ZjQO%y}Mu+[+F_ЪHһYTpZzﮰK0 ʙ RjAj3ʜgEO ?7{ a 1? {Z~kˁ԰AJO27|UxɩY _y2Hv=)I"*齏F7rh:BWHzPcw7KN^|R+~<>:@EJ./38U&˭0s/|Nd|PRX.5e3~g<|6]=}PDkD<ʕ6O RMo]=co+W%6;Q/p]XCy(:՜`*pj<8ArdeSV)-&^"uލSˉ$3-?`7VWp *4.̬Ο2uxQ4z|~a3=C2UZ45B^G%4\4rQ岛ͻEH`^&<QJ J#]ͣ,`3{zBRb$9\ l{xSTd ,ݨK~zNnQ;41\#Iv_"t\4k9z'y= T 4[3Z^&RA/ukz he[9hg~~Ot=1xKaIL YG& =P? +lzrFExZ%OLs3ATV!x{Z_Ȯ:,hׇ8NRQykS)h4< ;0&/ΜmxA.Wrq‚R?2ʩ׍V dٱcD<'d4ֻ3 h[FX]Z L4YeH'JxRIqyұ^2< mU.V9[ݒrP؇bn^  R~0Wk[4?V_J[JnkVc3UWD )^+rAo1W O6Tm@uz'i:QgyfGzc+F;g31ۛý/%둀 צ8mMݝ%M:Re[(&UhU*$4W%.mV Ў\PFCQW 93l KuڜΩd)9ߪ,XHH=xS)ʿlt'@ *VNu}idždba>YFRF{%'`#EAwthI"PAKz6 mg] wLĤu(J!v5gr4'C} `&,ӌF>£9p/ iFPp+g??s.ױ4(]rd$Ϫ!=WX3KACo`}"8nt܁4T._̒ҥ폥٩<أ-R.ɑcۤ &__P[uH.Ed4&^ӽix+DVȃ(S?1 29ŮO$(?擽uHIx~6(+(8'@@*=AfYR5l7H<6bֳLplyj>i/™'%tEҳG_v/H "yYFCPtn-'J:-CNnal5/8'h%ӄNû m}x"2mћph ѝ ^D E&0ӟ,{A">G WK{ЙI:lZv|u*r[g,$p~ƻ-x'^m.KѤ"wXm42RҚBWS?1D>D/uKҠԔ|| τFnplM7Uj9_a fP!{Rd4.c-)> 4~l ֆGRA ߱_j T_W ~޾HGu4:;ߌ <}y*߿꧊ߛH`UgpÝGH>]d2I#|^"igXu9Y`cv́Z9rm>63'Tg,]s H% \-j!5[0 )o$t)|TYXP`T+S[3[c]<:.JVF8Pc%=ݟ>Yw3a/˧LFla$"/|dF}_{dm8[[kLvn>.$|",f'yvH+i׍ CS}$˜cr~0xv;씧zJbӪcW9k]'.[f5b#+ νZKx iXPG-hs/~*KE u3u|̢n*nơfR>geo\!&+Eu6kd2dF^|<L*N9i'3<"Px=7q7 K%i/H%ە*&力8GZa?3CAU؆:hbg!T_BEJ n5;vƷX/B xh-gѝnK<m|1Td=C4{tQ/>I4)WO rnB$chʃwe<)Z%j_|3aMRtCV0E9h15V*+0lLjK<*`MrcAD䝳/=L>;z@6Vb*jgz_/>smAdri:@h*-R,t!@ދg\v׃'vXq]UA[\ (XfH.uHq`{3p SNV5j tBRЬbVhC)Cϣx͟?s#o-O?j9 4oa/hi(􍤏jv) R nbdl]><#qP{ e22Rbrh4,40nc0PFn4|%G*U["ˡd?ɯlN}S+w eF [؝Ǫp}Kl-G  lNIecw5q˦K.X*Ej+b+)y\3/aQ)f߁xR9Iaͻ$LrZu7#oSGt':$ZO$sX?6\q3Qq,# GcKϥK07IH. &U/Adj{ECK+d'Y&(g8Ix/Ӭf~CLDkb`xR ="{fI۞DKI-c&]wd+@c /i u稑d|Y(YС*E(t#/:?wu)Z'j8֭LY,қ=y]Ϣ}.[A*PH@-CbFa퉊q{RF^jQsKHĴ ѝ XӉLri5.p]W$t yŬyg| @Ui`bEoŒLJwy݁|S MYd:|"pha`qX}Klba,f~W'-[L#<ɇ/h34Bzp=(1v₶2ل TwX(}kTΚIܝؙT!-^3^T|Y!R6b_Ge|a?;= ozpV7JB@a"u;LmKiX ?UjH/(X>?At¨9(tC5`][9\"xqgט͑n $2bF5k@aCiH +)˃2P-.&U݅ |8V- Xι'Y %IwŠb$oG\U!T P/:T`5>Fb}f uخ.HGl^M&b.ܑ{K=K&KGFG}XO }vHt/.(c2WmM \>m޲&t1|UbYX TQnGU}][ukGՔvk@Xtp!~ ^b1 IQ 0&g3AkߛmD):@;=^6+m^;Nوw L䇳9UAEg68ؕPzGb D}* &t$)uU 2MBd[k{KK5Ib'k^.㘃\٦n&*Jҿ6HmÇV%8X-M!+B *U/vxkqón c^mUyMas2;#7ӿ Iخcpkcg*k0(9`LHrK'ԣ8G/,JHҹ?A# }֏g<\X+9zg}YDG*OMM N }=] ث/PxM&psD5L7c[׫w`N7KCH5`{ {:,G3A\A\[b"Fpn 0H!_ @}~g[M2HVn"E VqOD@kZص2=oo +**lQ4bmw~-Pe]`Y IЯ1qN@שW2?W/\ {{sG}SWn3eE\fzHRE{WfCA[!LK5lD2CrT=-629f$dF$m\ln5}9ލ*oI?P '%[bLG($e&>jf`>B?k`lCnMviuVlH >^U뙎6;:ҧb|?>VlN~;,=Zv0Pc`okB;id~z(ΜH"zo]RJc(/]`z)!4/HKu3φDu0_@߫pގLk2kR)%Jq䚮\RTO򮃦#[d>66X36L̹@I!n4&"m#ȅ9L&RI#6M֩ `dR]<:ei G-9VC[CR KfqԿuD}EH}Lۘ ~]':_:j  DhU)>/8VMi:5Lq OO.:M*JH<߭}{Yj&W89sיW8Py6|}D x0; |Z *j>5 4xiߛ&̄%g\N= Lf{\\90bdȊ᜘nBjmvM>ArL0SG]+ kxμٛ {*KbdlfW˯P%c b?pp]]43 w U¬rѪAr)WK< `R̬BV$"H$|-%WZ&uEQM6DRf+ D]7e$JA8O4(Y҅㴭#e1^Y>[fGT2 9Ȭvynp BJj)=$,5~a(Zd-ȅ+btё^IRKA6q*s$y鼆.Och"qsҊn;@:ğsmh4qQO\g73M3(#AFOJjN]psڶÉA/&ʈͽ :PnDyNݩS\N$c{bVz{9aс8lY]t=aq˻OrAonݼ˜I&NP8yN|biaA@l('W0taOJ#w,[Y HV&=P@Q$JbV&QGg۞掕K7^-=DL!I{ln1uvx?w3`5!}ݹQ뚽 vS aS$ut$#:CCL͕7r$V'Q{XHfIy\p}ׁzZ-o*4:u57/E˜^d{X D&p.&חQ~;3uG5sХj%c[2ыxcIePw}W.l:)vвNa(Eͤ0b-wL9${MN9gtj-)ӪÇvmRzJ²i8~ +GN[! odG"oL:se\8M7<@T+Gz;e!wӖTȤMZj,g7Nh[Miᔃ"V ܱW" udiD4oa{))2,sW }vIJauOA~l])|ٳԤ7tRO5sIV awt鈰9 {>u=Oa,9^^d>ޒժQ ;i0h6m~_0iE^4fia [g65 Ѭ yHFM Sk7&5٤kmZ7&!5kk ԧ}LSk_PiD5yV_nws;b9E,mPp1]$,D2ΏunS{>@A@ !.t ZƸ#R_d^<`(ީk'{vFQvMBj!<8,/);o+jub "Wf:[^!LXfJydDC&RVO4o\_^,uI|[t(N%ٙpU-+1vKjM!XIlta"oPiH?M+wIO= po@b%|^|rB wTHr4)RJ.PSH8iҙKO.iV߯5Ϯ nUlbO7oəXXkMZ P5֏ф\JZ=Q@D<[_HpB\LL)PH79tRm 6<2zp'bӸ,1lU}4iũlJ\.|7Dsf^H:VGN~;?M gb]f937w HN07#^ 8N{g>||ˆfɽ q}/os8to^^m:OAsF16sqյ^imcP~D/D .-L_HHD]+*-O=t¡` ]8VK\c$.5xTZ̴x|rF:[).apTz]|#x QodN@e !?V<Űb`uz]:? x)JP2%xyFj㵨HeқtԌ(5QQ>v>`54OG75bK86 .t$U?[pb"JҘ6$?„ y]g_6:PJ|F#B3ڦetR'[$>TcxLXjt.2<+I+7eȴHi55{vm+kQ/LrD T\T皪=͚ˡ^.)yM* ѱ~Ů>Iօxygl Igzs{Md+KyuAu_ c<"rL.ɕr`ntZJxUӷZS霊1&j7Z-|_q,3ifW#65D zL/Z_! B$g,oAdlqv`;(Fl).ޱ7V) %&-3~&r,ĞbY!ǒ/:eMc.Yi Tաf}Vu!cYws -|o$Iݾ4`n`h o(0Ih_Y`]1g"3-=/">^ R^ީ vaTh}@Ԩ?h!( 삀-֋N \LfmIH,>&yAŅ[Ys`ilyD17k;D䏜%֤6}{JnZdN62aN3d1[4Qw`bz|"@9wIx.|gݨ4343w[BU lS%3T,]vqZ׃s.$Gu? Ou4?)*myRj;d\RtwI,!2BL+1C+/{f]Y<]mpRFN&22 *E[)D1X4L\M{o@naF^#Y;q;` &3s"S}&6S>x6;A3?Nsj5Dmϼ%{v Hh6o:9 j '욨iam{ndeC4eG1WѤ/k\襞LyDi1DחЧB5`KS.9 ;;(L)P Q*t?@rUXjs yiSFx]F禟wXZVK b; fY!nGM`[4}%Z?߂_5s՟iPLESBhK&&/|oV$#&=b_.%-=>1ybE2/^t]Ǿ**uwh(,PIĔISfwl:=Rk"[Zɯ)9t[x_Y虷U xN%_pd(S Kۿgޭ  \\o.L:+#ɢ7xR %&dǚ_DV<<#ƭ(6ObP: 3sCq"YC)QEF|\+pħTDG?%Svg\WG(!S qW T0MZCo9@'LvUMUcGԆv:{)_'^SZbς׹҈ TظkqzA5թMbsM6ENէzvc*R͆ FS27פb[qN|P| P{>'r;Gq{oulc|]q=5 O&Q߮mqsn2y_|U9)U=H}bu؜CΐpAffQT)/wirjQ3F_z>n~&7s@h+GW+kV07){,"],.WTk; Jf (sg[_ٯ@h_:R\c8 [Z mD˧?75ӗfJv_8Ͷ;H _qٝd=҈,Ko$㺲ô|&ph%ø9MjX}diaL[_)OIQSƆ A$ 4cv`.P怼eVi͏An Ȝ*~XvQikWL+?52.XO.Ue`JGb]+ qYSB/"oFPG+QX"GaPZ"sI1"4.ZP CpMH\&|y6I3z%+pʧzy6 ͸JoYSh&7b2;|gfcz{qͶhI#Fn&Ԩa?JuBei$K^du)8ЙҶ`!+<V$.>m7T쉖H)]8a/D-Fik$̷iʳk\Ϫ3""1U.%rʫBxO|![Gos:c”±|ȇy*t[~܇)UhS%8c4jѻ1víF| x Lj~=(cuºi>_#uZ9Ԁat KOfEZ<!+h~_F:"! `Hs0!ŬZ{mx/J4Q4k[Rc(ɂ2 սZ]nÕQC4u/Rab&֭vYǷ1.rǛFE*I-Dj <sJۘf[Pۙb RJ~隑pE-kģ;$z+&LV\ة"C Ѓ<~ò'( Vhh7v`TxRrzb3/$z6Oi7 I}o3M2'A$ksX]0\sNNQ_x.z%iz%Ĭ[[,W& + kɂ"Skՙ׬r%c5ۏa40x/X)="pWFT\K8v-$4 RXMϿڎ{Ν6ZlT( nI^U<+P {ZWi2e(X4bpcioN~O\̟o~/iRtlJ̍6CziFN(5CLQ@dN \pw_$0KkZ+\;HdOIGx$⍈H2KjgT`܂s󠍙f/oCNY8hIݔT"#n(똫[6]iz&Cn܄G/Arl%`ҮjٖQѱ3m/qqW1GE:`;?܁u9!Q}T; PY|RfфGLR Ŝ=6wcu!Zles3d8V9M *Gv elP|ib /'<`{IfN.[ǖtP*v[1.zL2)n0H׵@* xvK}vb H~?YUX~5[infF& )/LODdPk?Agn- Z^{ ;%uB􀉣kL/: `ܫK4Rjaq2Lj&f:z b[w3|ݝ)=^Du.t>~0G?X+3/Up47HDH|̗OIb=\[H9^cl>%iCOKLy_țN0Idh޵a;O]R~vb:aDhSfe}g}Xx^l(Z[h UcN+s@n|Pov^se<;bG _n`"@8um$>)IsP: Kϱ >tIQHv[t݃y`KTd qPT|>}e{dŸӇ]QļPo IC!]B[g D.b'0nb7%(l 6gt@MISoqq{ÓDݽܹPCt D'.VGB͆yras*f W[oR'1E2ø;h3mУީ1SI =ۨTJHv|4b_+c?MF H=H64 O? f$Q%νI=; ?:",e8L=B.NcE\xUYf'}z._cpZ0^ _!4Vܶ$6`y?CvoިW$ xhYxPnܟqߦQnhFFDRqG~OvB+?Ҙ c_:I,qVG|~Z4/ӽ~TnźџK#OKA2ufō"lԨ7)IU2 d*YuB@EsI*9 [[c|֌1wn^[P2 a@U2r+EMh%bڜGp˩xCEkKw*þ&7hyT!Z<ՀW0u]Ym[ kxz|T~U}dm~tS6J (i;#89abe \O8CsN!WS<"d4 zLC[IŧabJ2HDRsmZ_]&oDBNԨw7O#ȷľ=:$p~zm!Ds!  ~euHUg> W^J;P1ރ1iROH.sdrn_JalGĝ.- A-eC/K| M {NC*9Lx bͭ1]'w̙-Wο^ꗻhGsΩ3}e G+-Xw݊y?.P2~oRQ:Mw21TzL `qxyxz E~HŹ ՒcG4faq0hWjo*l20CĵIч8x&jm r^d k^.B"_F3h{/A l!_-zokJ;9D1&o7bXؒGs kŏR)XqkgW;/@P_ƫfzy%w,PVğWQEWcYZTЇ:ƟOK!,z{ANBAPQhD'Kg0 ZRajM ]#d 1LGc)28h߶FԜ}gKިP㴦vAY-e@w~mj;8fkvBY F*ewq7Lj4A &6!s$cAoΟl k`4|? L3̧;aqAM{ysһ)O>ꤊ<3G` 2[tY첰P\oҬ3}TqBw25[Z|t>7O1(N?3!˶cȌdRfXz, 4=dU+5}hU 2 ,BwYM-\t,-y{ Qko"p+n|I0̛[)ߗ\a *r-qǻf2IԐ)0}MC ~z>n[7@𺾶%k;|<ʷOd j0oW.Q. >f~-r >΁? N\G\YH*) Z ]  NyW19Jk$w3WRmJI|ٚ9T1W}11rM) sM[Z\fy>E}@pƓLUq/Y&T-֢qb:ĝ>tx'NttNTì&+ ViU) %rP~X$Vˆ(l#(m&L͐Oa~'*a(CUuM/ȩ^չPɉ{CmFm'MV=):*BU/ KCZ3dOjh,8k"6a.).^Oc%(*uN\'6Ot'E+?M'tyw%-|p(${JT'Rjtsn#̠BkW6U^EJz~s6!$l&"#{T&|hYcaXNa}41M 'JHLlUzY>YFPSpYue'u @\i\{2tF kuPLԝ](Tnjo~n9*4[NYJ=!6O89Bi#5+qܺlp"W_sFX(P9ƇkQye3=4t%r[a3|&%ЯI\pWʦKپL1w}Ԛ5KNsvwT9gZE6z:z[zT2OgVL­O(:Nj~ f˒?n)J٧0Ir U#J8!TuЫ!YkRA}, Ԫ-eaάVXo)Tf"*X۷Q5# vyasƮ2\ދLW#a +x&`Z(pMpM\/f4л3S֠JuyP"0!p͚r\Շ(u_BM7s}hgQ?',7&h«h 6UFslOTngR2-".Qgc,?(ܮK_zl gH,=Y^eVidGAp#i𾿯7x@Ӵf ^Xb f$#WE.F[C ~S*qۙsIZ'8 ~Uj4UCK2@Ȗe9(%TwzVaZ0=*aޟ4 Q|h+l 4zv a &9/^ p$d|xy6h^aA_RJ J  3aXP>?<[JDiU4=e}JpQǘ "aJY|Nٯ{4\_6z4IL;=Ak^8)ulMzg<{߬Ռ sHFo!&_JDqH^\QfEt=L7pS5+≈)nZ By(YQtl/@[D@OLSL.-j w( &V&T[W S@zɫBv| a]٠`tn}u z'f࿪۪rOisTf!:1 L^րiCpe:6:ɑ9t7U?jɡTIXIwiZ~ry*m2/T=hu8qqY%(@ݖ B؟G0㬢%5z̝phxxctaD]|2*ly_X`6- Z vEӊPV5ta_IۆnIUШ5ݘS<{ѺH!~O؀K OF ӿ/eb;QI b՘mw>R,bdGAMgsSu)9Z@d ,Y<+-Qaq=W&}` 4ڌq,!0@xɔO#b3}*:f,<쮋c#4 D(>@*°h[fY-٪fӡ08, WXMp)][TnDA­vq *RCOVpwb1eh8Fc G#lH b,RzMjk=;AKX+K {2*+dL\pamPw ꎾ6vx]PQHPg; $~Q lwOxkz97?C ϭ,]N]9KIlwA^ɽ,O@R>O^$/e{Cib(f{ Y\,FՒΙ߶֗FU :x6~q`%iiPOC 4a6*xXg^EeqHAg=o.Чdl'R"=ck[BPF?{ߺgZ- / _>9gIF]Tܑ~}n/Z,[Ž&  gR N/]V "X=^GHBI ̑ˆUp2MW8QA;-T\ZXBϒuݙU>!bN܇$pԯwiJ906ePIJ*9HZMI#N( ^*5{<[qJc *m9CcAx! spBzoϫ/ vEn {\2F!j/$54dOb @;%Ĕ i50R}4sCGx=@x7BB`'bKtr.=EmHo&/^Mv)Qk? (zN!Eg_jLOɩbY?hEMk¡zO'+|Y,O<P i3\!# qm~7ˠO^v\zHU@`rk0?WGؔ;)̲<tnc5w |T]i#o)>\BQ H"#b^:_` ~9VO,9 Fv @wb.v]|~Q6f`zmhBqM(9\5̉;mKe:xf[n5Þ~!/]n[2Br,EզbW?]87cX]fw4bhO* ]K~(2Isk•xsݻrǮzH*!Nv'uq#20c=U&{|׳^׵VyQ ]Nx0 "6&m;jE}'Vhk8 U̯FTA6bsyWRŵٵ%kSqzb6_*#wIUG${NGD48.1 J@Wܗ lyb0IJiAf¼ʷ0agDs &OC7 !Քy.!Dc;o L=>'oABHv|7 B)' Na{avU ?382B4h2;և]sdut OXPm07Kvm:dA@8e돞+pS϶"? N֥H1.ҭ^Xaz;/e~ &8UK[B2۬AB #vQ5C)8<"׳6g"`Pv%{:C+m2lsJ.- %s#qȟ(1M=uTpG z4ҏ3 7PH7G:̅aL"-;%L"K9fHq8i^ϒϤi3s 6K'82$BT\KBoC.Jz DGWMh}?Vm9BG 2X0b#K{ހ°bgycɊ(!01Z׳3}}ĤѲI EjP.ʦVD;WR Kln}ؚ/)G[Z,7Mצ vK\r/$ aqf$|wc1U2zj8v%EAt(tf.۾ .U{CY|7ޕ /)ڈiaJqfVh>gOeNoszI%Ԗ3Fx4uW<% ]z @)hNBR#"Dg.:/cň63 B7Ri3ϒÎpY,x(բ|1 uIoR(uH{S!POB/RሖIBdۆhL{I} k\1OdsMF^%t3"TڑS/</%kYfжVPOcO"!Ծd^ =*9\WxV$?o b- q VQ-s4!IYKľҏ:9*"0$e z rk DQ! L(H;.Gr/Si[ئDGSizw~?C,PE3@X|GƂT ~(SH'{+(J_S|J L%=&9S6{,n.;Wa Y-5UO{Vb.wsUCϖl?iB>J5^p+kb/DVkcsg"0^ܳǍYg7<烛+i#آ}?w_t  +KwN^[ 5,33bS4jBvBX$, \K ]i7RՁ: =>q#_a.6W6&~ >T`q0ƨ)۷?ˮ+ɕ$u֟cOKR̝q_7ؼ6ێ\'Җ'^x5nVh(\3 ϙ]"}~b%?oCn䫪ǒf@<(Fg2ZjON%4Y݌]؅` wSmHAKϩ^] svߛDmzɍV0t;/# i)+!صx"L[0*0&S y;?W$ĦZ@Fi?P^!&`/-N16z&Rܳz TuX=T(+lPQsJ1<ĵUSG$gݠ¡o+*a")R3pX$"Tid]Pj#mg(3L5t<|޶&N kr rbdc( ~MfZWs6lBbit;S:jH]QPiAoX<ˮ]4RYA}h& Xy7a h XKZ[PjNFHp8{D8L.4n$oqi3D4)J]5((_rXܨ]u7Qಟŗ`$G}cȎp@돷!b]$9RB pZ\э$BH(3*ob<3F0tSB::cr}$MTgr@PPoۗ ܷc,wQ\IFlYsiiCPYTgRj#V,UwL!׃~SFeѧqW%ԂEp9qYE^-(ӎ&KkRryF,]/h ٮ(ׅHLցDۄ}`N&T+`Huxg"K%Wz3a#I|Z8+s> )EQHnbm*!@'&NՐ3!.1C="QDlQfi;kX aTd̜(񠓗SjgFmG/4>`kr)OD/ f<pDBmn[ד@#!u'Y{3l|ABHׅ&,+%ԏ_*w:4 *s#-#s/ݠ 7M~m(N+qm|XVBE))Nڮ\0NV@cռ_|^5bBnGG@cX'V_Zd%0l2,#Bз}Rr`-Nr|-Ӿr pĔӫNr&麫t{kآCw7%{ޢ4(as~6#><8Vii^lPᴬv"Π[u} {iXB[{ \&}ڇ;K} ۻn{^6m?wʎHܨ\eJP[)ڔw#aޓX|]PkD5 )l0L~ rg+iL^M`yckFR{ݙ-?&ЛzGkҿFiS%4D&º sҞGު4мTji_]aro Fdd@QS+UJ7DLMhC΍QmC;x'4S)GW~P<)Z_WA"nJ^ք}mWυZg^D ܂ϫ 8u蓺sj$-՜0KIi_̓ k5j#Uo$41_ۺ(;zkn9@ˢ]iPN~5Ecj/`}-z>{4@32钏.2^bH?qVW9 (bzu]8^a" "Ӂe0]B1mȣp!wZ0^tK&"@9f_$R]#r^/ "P,uu\W0HUxN-1(WzL9 et͆" ~zCqshMY@ xΣqw Dȏbs͗^#K4%J GH-S?Үv e] 5̛ Gޙ\'c5V].$ =}6v#@d_+sql‚mc`Ds-DN2#py짼l" Q 1?CfZ!ڤ/ꦡW-I1]MҀ2CXEӏ(_OW>渕W}6"fgѶ~Q<Պ2uMz(z#yT)Il\w(R$n·],F")8 8>z[Կd &6(L<])8YUF2yԳXs:gMy'2!)RfFR 6W \XOuJC7[/"LHpӻO`(0n9 <]Z߀g8dkgo 3tr+{XKl* vݬR~ r'FɲR/6E sECLyé[vV+XO·#Ϲdc9O!8s$ޫU#.Mc\5M5 Ğ8%W:mQD]x6 R| AIŽ{k!D;+;˚nˑj &cmi.tϫgAU@=DHG@H UI1x1mE=7ɵ:jj0=čT%vbђgjB2܄ާq@c+/NϿRNh |*S~&<妇_;7ND>C^m]UO_NZ&Rӯi Vi6 %nI Kadt\@XZ\O. L04ลQ*1|kԲWU"=}ltD-A dj~tg+u.m@jv%kRb*S|a7 ܢ` ^(J 駼~ Z{W#,9,k3^ox %/_4T"&WC%(]D.6gL"NEɟV=@ۓRb"?;D]m6[63 m(+HY@)<`kb.0K@톑"N{#:T%\ `#%:jyˆB_Hu\gKlے4`:I#k#?B P9~B}hX}Ӓ|FQҥ|Tzm`i(.Ka¯x2!!c\Ks}m_/ :77*0BF22֎TqS uu^:U jB1k}C,)N.d QȨNX"ik dhԊI߄i"LBO!)5WaXr.G#=3'[ | /H`|U F#O@GnFr64#e(4&?ffo^ 6LB|Z';!尣It];3a1ڭk^(h#3O 躌D-aU:eu9 L(QCF[ r-Z3&KD.dN6RFM!|ITlb"l ډhQ1а<Gk[3 9m8 9@mJͼ"9ӱ =d.g &ASFtIviM@P_NwS瓛8J+Jz/Űޭ9-rHΏBe!9Тnw N[kV6'x>%z-5P/4:bU i,\MgL"`J6(/ h8"u-lј0'o @8?6:Ѹb; (P'SS\7_|{Tw,Ka.Gk! [_GGU} E^*ssi1aּ"_F ng&37uj( KaIQ+fR( )r 046EpJ{YڃK+BLd!O}"sNَG3/MBK9,EYN  \FЀ;JlQ7C2c`n"c Uv`NTi*gl*=*3 (dX^0[m/P|bXog& :NL 8 )m@Fi_xm<֜~hO<Z Ճa#IZXokm!6pE ;9H]'q@O~EC^J 3A6+–1-۶\5*-(y܃ugתe|feלkLM4fmtrmǮnDikߍ'{" Qf`V':KDh׎ u\8SI}6kѝe .7^fT5$$uHxX ۂ u\+j=v?1pI29f J =md Py$[za /cm%}?Ļ: #dG@wVBׂʒZfxDWS)ªZI× ݟ=-ڄ^FGtr^'̃ t] X٠?BnPKaW 9oal:uVZC\*?ujeLudIRb-z@!U%gjeL4UNXW?9D7ʆ_9G9_Zi$w(P/ ˟+?cyv<~|1Qe=熢*iT=qüi)MEiѕ"`Stb>?Ȼ;0ߠcnk$0anl8>= ٚ mv&agºlki,ƶɷh#zaX=h(A$ (Y9LO8n@<OH "` Nɹ:zU+wΥȋ3_'^ڞN-SådsWD9]Onpʑ;[!ܡ+rs@ԭ[ z|pv C8 %p{6 ]PkLv4M~S9N{ xS3,"h,Lo s'ĸ%}]y ;".qR]T^Jl"58E$\R@̬m/ ػs}T^0mL.c%ķ[~>MCp/ƿPU{rGf;I¯dNQ#J#O2fV^4{ "/X%JRFY[)-X taz(*VnKj??|'99)` F?C|0XœKL}dZ\ױ1:|A2?"dNg>Ԯə&=A+MޗK\dIDm@h$b+hrܔ^Vuz[dZ1E1oNJ5ȋrjfg' \tZT 42A4Ȅ?Y,ax.\B#j'YI1X7SUf *30Du5r/ŮF-9k1_7cѷ͟ {;V̗+.'|aZ*&碀;GG0/~UNJ{rR<}Paju2*]V0GᧉjζIa>lI+KϬgݏvuոޘﺈZ!m`}]RdZk2˲Hf*db{ XITBIP[ht_x`ђ0d׃|3y}A\?"oPMѸ9M[$ E2 [4Z%7Og iPzO&EMNlee|$iGXrJ&g AkH.Ptʉ:؉(c A?8$WUCoxF=ChZ%=/Xm #(g$#HvG[A7xXtn%.i΃8l#X z6#YՒ/O^0-EjQ8>B6"}MhTvB+}G)+~7(m^FgwO"' v)X JA%~Fr#IM9zR`VYD%TWp`WT}2Hqe[}`Pc6KSŮIVqQkc`ɕmrXa0):Ca"1_0zwan|YʆzlK2fuy;{{&7,)"jz, { bhn /. TWrI&X&[<\TH$/~70T{,qƑckg\):A1B8vl')76HAO!JT%a"c1/TGQ⃉^`٧+X Bg =(RA9 gV'ag?z%J I1~b7l*{|ˤǒ/-؁tB1bYG+<.R}{曽ohK'My JvwD'@I@`v}}JTWI%B߯{|z(a%!xjm@Ֆȟ!Xʴ9t3(X.}`Q4paEJ+-bE +~:@jȲ9^Ȅf`VZZo8!eܸfy񟤢;*,]gN.z'S&'\z哬8^md˿;.\E) ϰt4|¾$ 5H6ht4MhDWZ2>z!i1j* :L-@aе~{,uaILuξnUDAh: 4yͤQ*nz-{R;ԿT=S> գz̼I%.Ν&ݗؑ|3fArм#S+RC#AƉVըI3֟<n}S/S:JL]d\bVY'qmĽCKOE^a(Gk≂9BP!a/;H\vL>qW|"1)0R;$G=T((elcv KWg*Ă|&z'H}ZE?a1"ܿYwyh߲@,33+\I8:bA^w'D#wI;3_ Afg4=Ll?9aО̂s w2\GU|Ƭ[wn+ biv ߭QvߍON]$󇷯W/c 0.y*ˁ㞁j+`r='e÷R8 I#0 ;-jJʷQ_u|i>hF uƵƾ?d_ "]X/%!pՅαHWtP @\Ϧ^8jS&}3 QS-3#$nv0jN5 ܟ5k]7"ajEs6P^ -{&H8E&tuI#,T-FS9 9H1-hS+kӷ3OqiA(|&Sѫem*K_LA:ijXn,>2άeل!hԎhNyk%;=R\Jvě\X8Xc7bh%#Tp5~ȺP4{oU8cXEpX:V#hIdwBrL"bnx \0rW;f!mšT xf(wQvC0iC+ ԖyuDD:k3+DԱ6$XPLɗ/8V Xz!yEmo[72|(=?Ǭ+F4}!2wݮgUf">Pldm7~B# +ª 5SՃL[x.BIwsߝf%-v4[~@3_t"㵻wJAE^Q2.fWtHK"% 22>4o?ߡgMDWw@W7&>)Ԃ&h5׶Ig̈vm_EBT1|."ϧMl$47ަ[YE-;6,'^l1\𖏒mDE{jO B)h-bY6{oAB)îIz檁!3KT51Ľڅq)0ߥoxv(ۛј|k?%s=jh惘dtu`| y6NM$?Ck+*'wƺx8AhiO[}lvP,V VIUMB+Fֹ[ ,~G?%uKU|?opKZRT# t cni@q5ӄy$Uv:t` M t[Y9ɈI c&iAP1jC" %ZX7_{I_ݞG{4B[;Eʔ\wPഌD7Fe?ʄhX';r  uw' H76 !'O0S~d6U zszԿ(A*4]J*B^%@81EowF/?!/;86p8+,ɪڼ3{xLmJ"#Mn-C=@eB3(nUo,/2v$)[SqqlanDj, pӠ\xߏ+.9GkOulALɫt>Ci*jJ5YWo&)jہLy!Y5MQ;6S ^ !Q"va)Z\C8~o%#C !@w([/'}(ZȋGZJl0@7Nb42.6 "Ad4&us/ nGC%m$L?F'Z v1Bz ƱG$.mk2(?;h$:Ǟj)2g|HrD6|'+0utN#ijYgINg‚eMm]uސ X04ph|ٵ@Zbg&w_GIaUS+}СY.v3 [:JbFAz$bp"vK5W-ɻҚ?x(eΕc`?ǥye `j{KVGT,ܽ$4ו!m>dNM:G-˓ ŕ(%E̦&)'POAm{LvH]Wc#5_4)*P4VHlYOg)|6G.o51zyJk-?ra۽`띄/2hz\{^D)&,xO,eS|pnߒ!{Cl2{IĆ*`w]eD9W/ GLL5%"(' pAJ ƻ3SbwkeK )HL+\;ο. 44/gF:;KZa ؉ R+tS1Tvgc)  ;u_JJG>@!([b#e菀.pWˉc0,E$z +8m5hß9j3X4>OxyR|?Ҡ/#,Џ?rb6$:ݷ?bM{v*3bI CTU?- ]%pc<7FA1ԿhCѬawc/PZɍm@cMՓ @bQ {$M#*7Q g TKCŖ6/}\ xA6-CwXV7A=15VYv(n0Qt$z@_q[2bhi8%S"3OOludbКώį7`*rkyvRkGQ"(6|u$K-8o"ǻ=c͔b)4F7=_ /{貛A J˅$ꪻܫcw[_Us<{_8S" 7in3 =5S3RS! -wqNR`a,Wy|X+RjXCcPpպphjqPV6⩷]*&cy7hZb,tFwXb)3>D`6}RPGĐf5=+J*`@ж@L6 $T? 8uMڹ")+*{)p$lҏ=}nuvS^06giO8!_)"/|QEWE`$NTf@|"!|~0t.\[8nĠ4\·_1NOn1н{8j|LE) CK֗)̣C_۪pg Ks7; 1-/&] *-Eb!\Դz9 O:ߝYKl$ tORx & @j;VUґpw0)*cOєx`4qʧiġu`^^m߁S&o!dKD3O%#x;@(vl~ݮj֑L_) ?xo 837c~3fmsh!u20#doӖf'̄b%ݸ@,vfǙsV`ZA׃{KSi]G+f3R,ăU!T&''ϤPmIխ@>}vjm*}*Y@*/( wY ).#Ibo v;܀l<`XĀ\7-Ff9U.!5F' kLf=o=ة伦`h_?y8uP5l4=Ois*W/$tcg>hLpK-Tzۨrh?H endWWDLkdwc Anޥykk[\Z:"z-ͲD#.׫xҼO8ŶU٩$*vp`2efehY$6{H)]5e 2H.O)`qYn WXyhlaYmMEY։|к@3rƥwVu tHD$۲xk9Vg|:9 >i:Љaf P x7jsiVwrtvjuV3.囔t~+g779Yk%􋣔z㤝~]Vl&-t .X~nD ikBc ,B[O4µ6w/_+@ĪűzN^к1ꊾMjLm=K4 71ˬʙE2uI͠+j]k: C^/eIYXEEK-{[:y|EJ~a2S)W8&D;t0(c4! UCh4L|RC1%M[9z9S]BSnqϧig;kKF~ HHYx3n6M~6{e>dN^'4<卑Q=57xo[]a)]Uz(0IR xmgKB9 d`^9b(^/訓 5$)F"/^Չ=բU1~NRߑ8FyCp~N-pm{ħLdh^P̮֟J,Zv*D,he`sGAm"ƤƿG F*[O$u`W-5'q Ȇ0R̒V4I̱wᐙ*oglq}NUYhz ߷)~|^k<('.\֞ \ԭ>BmEGMnE )(IX\(hpKd2+3_uש\2CXC[jqS]P`xn7G*?x-U>b)~ En)1tF~l+i/ a+,4ٗ6-h/> JoUSDK!Eƪ^OFcfw?ҥs];wF9YwgxrƤdêj29f`\ȡq;V].(GVh?TWTqQ$Z{jq ω6/!LXV9mQ Cq)Yl3:3,ͥHZ MuPɯ߾ד.?@} `.ТJu%J!|}bł^KyeO|! b)HQl+S9}">']FL i~]^6x~gƐE` <<=cdqY"8Sk+~%ITƾ)θ8pq}RXRA 3 CmAR 7)eŁ%yLHɌErd'Űȳq;*Oli$=o NSxmHk379?iMĨR:²h#!vUV6oh Q Ÿ`b/is.7 CuyeԫBQ19r8 *X<8//;@U[ b2)FDU@1r>R$Qs910:% jcgfw3tkҒ]x6rn\|]}l-2/wk,8Lwk5BŃPlZ]61?\Ѧ3xy5MXՉ$8T(^X ,٦<ydlxA9fr|wӋe:Qπ'̹kVP͌!Ʉv#ڪYPi}HZX=eW;vnUzIc kS,+-,F2-w*kjET'JƩnw2茘x0;W,4Ǯ@yQ`]lA/4U'@"2oĩm j-wFxѓQML{~D_c*˿<(ڐmx}INzk\HטeN_@b{ z7diAEW~18ߚw.Gz3;%?Jrh_3N/tn>?MlWŹ1]YԲbďRF[lN#{/Zѿڿa̟s/ W^;XA e9J|X+L<ZEJNu& l?4)Ձ˰p0Lj-b: aE>yWY߶,E m 탙xb &xT)L@Y2va<2ѿUMqs&PFUǏ2>-zohtLc7.6=CƢ7W#.~EiC3/ԥZ͹IڭNi-)j i&#<:NGc!7l(zy O\L_H~%X lL3b$&dQ|&9mp=ur̩hrWe-*QAp?PI.?a7gBRM;Tk#EgY]qC,twW]s}Dd/7ztK‡.)HN%'NceQe HHߠ;|[M ` f$#MBpSuAw8C)o~)}hFqcX ݑqz`Q (bihg1aghmsjbyJ'} v<$]B\VC!,['ԄD #ꈟdF`rrVW0ׂ|,O *SԵF+aeKdM XS?O%|@Xǡz $'d _@[3Zym</3<Fqr7b$ۊQX(;(f5O+#ߛOD<׮cIMJ4UYN1Ȗ)nzmZkIy%ok[K;4_*ߨi w\0! \$OW0-ˢ^ Ꝛ45U.;+s-yoFx#@FGkϚoG`?h(Sx 8R`>L\9@{h~F8ݫG{H-ˣ Mᛵ@7B`MUgnW 6TjR΀ϫU q4!O- /rtR*uDsGn9V *;٬}DCwISݻhvYF~RWٝtqsm^9g\b&w\ ,;GQ6Y:Tdo8b"e{2[#Y䑴೗KCOhh 8܌B ܣVb"#(PGx0+On+>%un^|DBۮ51isdWbm5 j *d[?^O]m _n_ NN)8eSSue0x(DQaoy og;J1aY ᙅv $T2эM)U=UJFo*.ptLeP5NCBM3ϠnӜ'd}!:_ ywXg ٝ[.DKHqy֪-^)-2אI%EvKZ׻fzUrrT>ُm&Lm U~lAt74zxDgC9tGK"¹MK@7e/T$oDl+(#Xbֽnb0j5BJr慔]ZKHRs/~F(ݡk4725~b>٫1|v$dz!?j!Oc{ܡ ` \_Gh\̊VyP|KSbYḦ́a"(p PY1#FndgOwa 9"JbS v?()=me|@֖+0[5c1RaSL< 2dBw4YSVT /=` 5(g1@.8xpo$Y<vbC.DA7x᷏2iVM#|o5W/qHbzڅCx19FjPOiXc:4*ªquax(&UZ%~FԒ{ M=yy Wcy8WkA NQV.&_ϖ0,ވE/>0]g|F6뀏M,Qv*"f;4#Qi wF.9sYCh6O@TˍXG.T1 I/@b'qB9y4PR4=3!BI^:G2؋Bt^@|$©*|ۢRg%dQP([wa-ˬ7z£ea/* 6p\fNZ4Sz*# WyC0CzEt_ݡ| T*O^2.6`ڗ~FL [)(K.0l6wri$'Cd7H @|!0{Lud Qtׄ,*l0GE0n]G`^>mĪF7uIb`;b6˸rI(;I#qAQ]!ggҁL X9#z]nSҥo:T[ֳ87_+#WrE౑PDɺ,=DX pb2NAks¤$hw|Pr7AF72Ei5Wݙ=S7'. Ch+*{ǀ8.u^qȣ#9iDSrDH@ЬLO2 f&6Ik@%*q [#u7(w/F]m ugmSV>b |HOqqf|j%>8nvAx:U$[@ed vz,F l\Ees:u'LWUu4Yuj>A8wt{* ZߖvOthrXW}Z5]^ZOI!yB(jHD+{w|d][W&8zYh4+_ZwiwgRrqEn;7c2{{$iܭW%b fm$\TD *xT/63WAHLawLP[~6iFAEBf|_j252ݰ;Y*əb?JQΕF%G‰&}ZBֆԻfM_k~|5+EYh9 YZ