dnsmasq-2.86-150100.7.23.1<>,Rd%>3p9|47[*B1]rOv@°T{zqd"MYшf^^_SE~Њ^;6}|!~f( %:חZ~ۑC]VJM*RaQD,WXޔ~pS$ !_(Ǵ̒Dz9Ci_Э}tӍ Yd;Φ2; 5^QZ 3ng<]ʄz-`&(t'+%uڛgSe++^m_b>F0? d   ;  1TZa  @^^ t^ 0^ ^ 'F^ '^)$^*^,,^.l./1(2(820.92.:6'.=>?@FG^H@^I^X0Y@\|^]^^+bcPdeflu^vhw^x^ytzCdnsmasq2.86150100.7.23.1DNS Forwarder and DHCP ServerDnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. The DNS subsystem supprots forwarding of all query types, and caching of common record types, DNSSEC included. The DHCP subsystem supports DHCPv4, DHCPv6, BOOTP and PXE. RA can be used stand-alone or in conjunction with DHCPv6.d%>3sheep60]DSUSE Linux Enterprise 15SUSE LLC GPL-2.0-only OR GPL-3.0-onlyhttps://www.suse.com/Productivity/Networking/DNS/Servershttps://thekelleys.org.uk/dnsmasq/linuxx86_64if ! /usr/bin/getent group tftp >/dev/null; then /usr/sbin/groupadd -r tftp fi if ! /usr/bin/getent passwd tftp >/dev/null; then /usr/sbin/useradd -c "TFTP account" -d /srv/tftpboot -G tftp -g tftp \ -r -s /bin/false tftp fi if ! /usr/bin/getent passwd dnsmasq >/dev/null; then /usr/sbin/useradd -r -d /var/lib/empty -s /bin/false -c "dnsmasq" -g nogroup -G tftp dnsmasq fi if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : for service in dnsmasq.service ; do sysv_service=${service%.*} if [ ! -e /usr/lib/systemd/system/$service ] && [ ! -e /etc/init.d/$sysv_service ]; then mkdir -p /run/systemd/rpm/needs-preset touch /run/systemd/rpm/needs-preset/$service elif [ -e /etc/init.d/$sysv_service ] && [ ! -e /var/lib/systemd/migrated/$sysv_service ]; then /usr/sbin/systemd-sysv-convert --save $sysv_service || : mkdir -p /run/systemd/rpm/needs-sysv-convert touch /run/systemd/rpm/needs-sysv-convert/$service fi done fi if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$YAST_IS_RUNNING" != "instsys" ]; then /usr/bin/systemctl daemon-reload || : fi for service in dnsmasq.service ; do sysv_service=${service%.*} if [ -e /run/systemd/rpm/needs-preset/$service ]; then /usr/bin/systemctl preset $service || : rm "/run/systemd/rpm/needs-preset/$service" || : elif [ -e /run/systemd/rpm/needs-sysv-convert/$service ]; then /usr/sbin/systemd-sysv-convert --apply $sysv_service || : rm "/run/systemd/rpm/needs-sysv-convert/$service" || : touch /var/lib/systemd/migrated/$sysv_service || : fi done fi # reload dbus after install or upgrade to apply new policies if [ -z "${TRANSACTIONAL_UPDATE}" -a -x /usr/bin/systemctl ]; then /usr/bin/systemctl reload dbus.service 2>/dev/null || : fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable dnsmasq.service || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop dnsmasq.service ) || : fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ $1 -eq 0 ]; then # Package removal for service in dnsmasq.service ; do sysv_service="${service%.*}" rm "/var/lib/systemd/migrated/$sysv_service" || : done fi if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi if [ "$FIRST_ARG" -ge 1 ]; then # Package upgrade, not uninstall if [ -x /usr/bin/systemctl ]; then ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_RESTART_ON_UPDATE" && . /etc/sysconfig/services test "$DISABLE_RESTART_ON_UPDATE" = yes -o \ "$DISABLE_RESTART_ON_UPDATE" = 1 && exit 0 /usr/bin/systemctl try-restart dnsmasq.service ) || : fi fi # reload dbus after uninstall, our policies are gone again if [ $1 -eq 0 -a -z "${TRANSACTIONAL_UPDATE}" \ -a -x /usr/bin/systemctl ]; then /usr/bin/systemctl reload dbus.service 2>/dev/null || : fil(-Eks <-fEwlAlS!0Xe [=lh?^ P# ;l(t.FWK_a 11>2aA큤A큤A큤A큤AA큤A큤A큤A큤A큤큤AA큤A큤AA큤A큤A큤A큤A큤A큤A큤A큤A큤A큤d%>1d%>1d%>1d%>1d%>1d%>1d%>1d%>1d%>2d%>2d%>2d%>*a9Bd%>1a9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Bd%>1a9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Bd%>+a9Bd%>+a9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Ba9Bd%>+a9Ba9Bd%>2a9Ba9Bd%>1d%>1d%>1d%>1d%>1d%>1d%>1d%>1d%>1d%>1d%>1d%>1d%>165b25dc51ba9fd414201ed8146f1d23af6c20c3feff364638f136759648d8a423e0ef72da3445640c716e55f0f6460fbb4ff981ef629f068f2fa45d16bb393aa972073229ed3c10179853e656a4c6c34b9cd477353a08687eac65fda036562077eb505f2605a3d121c0995399adf3f25c9f079c00335f5dda1afb9ed8e648a38d439fdd491d1d850b359bf1d3874b086d2a811f65825672c9437eb5eaec6f94c7d7cdf7ffe0158348886cb586d52933914057e0193b92399ee7e079fd8eadf42a6f805243e881f22694015b959a70e39355a514abed0bd3502b66cad24b162351420061961c3a0fdba64576ad45749214ee836cd130cf04fdd33c4e4464bf404ca5b78c85afaf92bf423f74562311e87f3affc52fa07c42a593659d51db7b4c72c174d8ec4f11d8b168e308715b63e2f066fb8f3fa90f3a6c48bdcf285ae1a0c66d732a843e2ae4c8acb678d1fd3715362484eff6ab23877df608ac933bc9164e30dc229f359483f95f6af0a2d886a8f9870585380f7de906f462e1b46a76cf4a021a74cd3ba67985484c2e23381226820266ed6cc46ef657fc8a12f8333f4e02777e4eeb3440bd834286c258bba713905fcaf3eaf38f86a646be53f6f62e1df525ba862047b58c71c645ad3b9af10e54dbdbc2f75292c4dc08470b219a0a6b72f7c3bfb9c73d182acd7d8751c9c3fc1926db100f22dae0d0f71c98de090c78fed0ec432aeda33fbbab97b82b9d4eae3a1ded3710243beab2f344c6ca588949ba7fd5d2bd7858a440ca1a10e85c87c4af8d11aa02717ad4c823f17689112fc131e61ba13d73df9acbed61bf16c2590a39f2c8a681afc569851916f80df6c100497db11f354b4bd156d178f055e0e25e2cfcdd6ee95f1dd3bb10ff184f3ca90c8b4a2fdfc7a6dd0e11e02a5d4e45e36440250cdb1f77e3b592b470ad563d68e3d3f899c0c3fbaf6928dd0ecbab809e6f633382dbfbf33679feaa4fcdb121d3943c938e734286f2e0796c7eb67a135be6a5fede02fe749daaaebe3510d2b023f4e6d6f6d293acccc857ce8233aa355989f55b9ebbf610dc97f7b90e85e330ecaa2656b204b48f0bd8c5df471d37cc08246023dcf813c189b17482a66b0df0b2535206f5cdad324a77940c7e10e6d496f9e9705c99284e6f1fb850145cc86bad597b3ede8429ad624596b6525a40248896790dbb549bf3a729bc9c086a253908808cd404f467ac923c398e89e29467519b740cff6bb1a842d56dd4a37bb4fc8384a8cbe71bf06395ac6bc6ff529e7238f89b08735eee3ff53b20552b23bfe8ac42dd20a519185c0ec606eac4e66e34020fd3703c8d4947cc73dfd13d473666f8f5c9fafe6be51614edf260539c9b47a46d955fc82d375eb30501eb17818a6ca5b21d0804b9a07ce1d0e0fbd58a736285a18713985817e2b408cb60e7f29ce0a115e0ea2a18d2b9609bffcf001131cebd7ef00827c33e91a94227387f55c2d1cbdb06060291ef0776544b35eb0817bfa1371302a691cba5d6a52ee3668b65984d08d6a28853b7e40fb0f71d741aaf87d0da18e688efd697c39eb884efb0807ff9ee1fc47e062f1077e108f1dc4eddf91d04a7db2ad23d07929e2c91e28e4997104dc4cf493104bdef53e05c105465f3314384deda5c8553c81088b789b350ac6f1fd52aee74521d39e8145a9d17c656c852c11cbe9069382b6f42ce3ec3f75cf060d9c98d4e1c4a33ec2d1325d57c47390cb46fd763aa1b30dd1c6b6ef813563cca1a1034e815282aa6265b2c9dc17d6b0df97874518db2515c073d16d845d13bcda98d196f00d6cacee33e78a2a8c56b2420902cf70c11bf3aeac54645c6bf093d85ad89524beeee4222c838354a43a29e747584b885a9f6288ee44747f80929c982e9fb863e933f682362933749abe46b6074226252dd68d09b3e86c26b1a77c0396fec5f060083f61900237d77f10604ea4d8e60ecff1bf4fae01f2d63d4a9865e94577c0c54e164dcb9324bfa2e6520a01b05f77899ac66105614b1582ff2445b8cb5eb2d16434e6c77fc760e98a8aaa3cc0df6695b91036505fe506b9b4f1891b01914b6ba8dc2696c1e6f75893d3337893124a44e2525018b4bfde9d858e11fed9db4f97eeb636244a5e1b5e93bd7423155ca3877211e916447a09843afccbd14385130a6d3e4101b049bf4f623c53e4a1ac9bfcc0471fe11d3f40478324730f0753032927178cf86ed2f50521db57e2adc3a3655a0c5d561a43e2b7d4a9b265b25dc51ba9fd414201ed8146f1d23af6c20c3feff364638f136759648d8a423e0ef72da3445640c716e55f0f6460fbb4ff981ef629f068f2fa45d16bb393aa849369d66fe229ab2336ead75a3a4709d579241e7f568d3fbe33288d4426ee9ffd48fd3efe7741a470156a9b251d58145956dbefb61b638480b6cf04ce1885b1dcc100d4161cc0b7177545ab6e47216f84857cda3843847c792a25289852dcaa8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903b1f8455f5601b2d5494b54cc5c71ac5e7c1e0610c01a013ba1058e4576332470887969e872ebe3967969e84114c1487b029ad8c0d66cdd0665f86f076c17d73042c6e8cb473670be1934a8c1397c0ab969f122687f1088190082564eab9605b66d0ab25bca3f59a86243b2f7fe046fe0226dd998d98762ea0266b0046be8ceb8d37ee7123ec882d34497d330221af48de6688a358bce68a5783f3b81b71b08dda3684c6a4940e3219c505ad29794b849b3084d000c59561838985119edbefd2e808830a41204d27dc664ad5f13815e7eca266969e2c27f1361b525879bb7f6707e54f7ea3a2a18cf502c14f8d6e44e02b7e09af36d1d1ae1d7f05abf64b5c55328cce53b2af67c53fee5b8615c94a1eadc63c88b2347d209ef2ed9490cc0d1ab5545373301f55dce38303be9045898fe78cb8d036044eb450a449babc0ec10187b869dbaf672f04cceeff53529339e32d0c3e6e889608c6541216a8ea39045963df6658d9fd68ec9799c946df1cb53b53cc2f91509d435eea0aefc2c68e0fb7f03073f3112b14a8d1cd2679cc9b2499a3db9b33512d4b2c60d736cce1cf1e036servicerootrootrootrootrootroottftprootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootroottftprootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootdnsmasq-2.86-150100.7.23.1.src.rpmconfig(dnsmasq)dns_daemondnsmasqdnsmasq(x86-64) @@@@@@@@@@@@@@@@@@@    /bin/sh/bin/sh/bin/sh/bin/sh/usr/sbin/useraddconfig(dnsmasq)group(nogroup)libc.so.6()(64bit)libc.so.6(GLIBC_2.11)(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.9)(64bit)libdbus-1.so.3()(64bit)libdbus-1.so.3(LIBDBUS_1_3)(64bit)libgmp.so.10()(64bit)libhogweed.so.4()(64bit)libhogweed.so.4(HOGWEED_4)(64bit)libidn2.so.0()(64bit)libidn2.so.0(IDN2_0.0.0)(64bit)liblua5.3.so.5()(64bit)libnetfilter_conntrack.so.3()(64bit)libnettle.so.6()(64bit)libnettle.so.6(NETTLE_6)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)2.86-150100.7.23.13.0.4-14.6.0-14.0-15.2-14.14.1dbL/@a@@apaLl@aD@a@`@`r`}p`!'`U`_ @^U@]Y]@]o@]6]%@\\o@\HW@[ͻ[j@[@[[LZ%8Z!D@Y*@Y@YXlWWbV@U@UUa@U4@T@TB@T@TT_W@max@suse.commax@suse.commax@suse.comgmbr3@opensuse.orgmax@suse.commax@suse.comjsegitz@suse.comgmbr3@opensuse.orggmbr3@opensuse.orgmax@suse.comdmueller@suse.comgmbr3@opensuse.orgmax@suse.commrey@suse.cominfo@paolostivanin.comdimstar@opensuse.orgmax@suse.comstefan.bruens@rwth-aachen.dematthias.gerstner@suse.comjslaby@suse.comdimstar@opensuse.orgfbui@suse.comcrrodriguez@opensuse.orgjengelh@inai.desean@suspend.netcgoll@suse.comdmueller@suse.comkukuk@suse.deidonmez@suse.comcbosdonnat@suse.commax@suse.comtchvatal@suse.comdmueller@suse.commartin.wilck@suse.commax@suse.commax@suse.commpluskal@suse.comstefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.decrrodriguez@opensuse.orgabergmann@suse.comjslaby@suse.comdimstar@opensuse.orgnemysis@gmx.chnemysis@gmx.chseife+obs@b1-systems.com- bsc#1209358, CVE-2023-28450, dnsmasq-CVE-2023-28450.patch: default maximum EDNS.0 UDP packet size should be 1232- bsc#1197872, CVE-2022-0934, dnsmasq-CVE-2022-0934.patch: Heap use after free in dhcp6_no_relay- bsc#1192529, dnsmasq-resolv-conf.patch: Fix a segfault when re-reading an empty resolv.conf - Remove "nogroup" membership from the dnsmasq user.- Use systemd-sysusers from 15.3 onwards- jsc#SLE-17936: Sync this state from Factory to SLE-15-SP1. - SLE bugs that got fixed upstream between 2.79 and 2.86, but for which we need to keep references when syncing: * bsc#1176076: dnsmasq-servfail.patch * bsc#1156543: dnsmasq-siocgstamp.patch * bsc#1138743: dnsmasq-cache-size.patch * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch * bsc#1180914: Open inotify socket only when used. * removed dnsmasq-dnspooq.patch - bsc#1173646, CVE-2020-14312: Set --local-service by default.- Update to 2.86: * Handle DHCPREBIND requests in the DHCPv6 server code. * Fix bug which caused dnsmasq to lose track of processes forked to handle TCP DNS connections under heavy load. * Major rewrite of the DNS server and domain handling code. This should be largely transparent, but it drastically improves performance and reduces memory foot-print when configuring large numbers of domains. * Revise resource handling for number of concurrent DNS queries. * Improve efficiency of DNSSEC. * Connection track mark based DNS query filtering. * Allow smaller than 64 prefix lengths in synth-domain, with caveats. - -synth-domain=1234:4567::/56,example.com is now valid. * Make domains generated by --synth-domain appear in replies when in authoritative mode. * Ensure CAP_NET_ADMIN capability is available when conntrack is configured. * When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are given a directory as argument, define the order in which files within that directory are read (alphabetical order of filename).- Added hardening to systemd service(s) (bsc#1181400).- Add now working CONFIG parameter to sysusers generator- Change to using systemd-sysusers on TW- Update to 2.85: * Fix problem with DNS retries in 2.83/2.84. * Tweak sort order of tags in get-version. * Avoid treating a --dhcp-host which has an IPv6 address as eligible for use with DHCPv4 on the grounds that it has no address, and vice-versa. * Add --dynamic-host option: A and AAAA records which take their network part from the network of a local interface. Useful for routers with dynamically prefixes. * Teach --bogus-nxdomain and --ignore-address to take an IPv4 subnet. * CVE-2021-3448, bsc#1183709: Use random source ports where possible if source addresses/interfaces in use. * Change the method of allocation of random source ports for DNS. * Scale the size of the DNS random-port pool based on the value of the --dns-forward-max configuration. * Tweak TFTP code to check sender of all received packets, as specified in RFC 1350 para 4.- update to 2.84: * Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH * Tidy initialisation in hash_questions.c * Optimise sort_rrset for the case where the RR type * Move fd into frec_src- Fix building with lua54- Update to 2.83: * bsc#1177077: Fixed DNSpooq vulnerabilities * Use the values of --min-port and --max-port in outgoing TCP connections to upstream DNS servers. * Fix a remote buffer overflow problem in the DNSSEC code. Any dnsmasq with DNSSEC compiled in and enabled is vulnerable to this, referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 CVE-2020-25687. * Be sure to only accept UDP DNS query replies at the address from which the query was originated. This keeps as much entropy in the {query-ID, random-port} tuple as possible, to help defeat cache poisoning attacks. Refer: CVE-2020-25684. * Use the SHA-256 hash function to verify that DNS answers received are for the questions originally asked. This replaces the slightly insecure SHA-1 (when compiled with DNSSEC) or the very insecure CRC32 (otherwise). Refer: CVE-2020-25685 * Handle multiple identical near simultaneous DNS queries better. Previously, such queries would all be forwarded independently. This is, in theory, inefficent but in practise not a problem, _except_ that is means that an answer for any of the forwarded queries will be accepted and cached. An attacker can send a query multiple times, and for each repeat, another {port, ID} becomes capable of accepting the answer he is sending in the blind, to random IDs and ports. The chance of a succesful attack is therefore multiplied by the number of repeats of the query. The new behaviour detects repeated queries and merely stores the clients sending repeats so that when the first query completes, the answer can be sent to all the clients who asked. Refer: CVE-2020-25686.- Update to 2.82: * Improve behaviour in the face of network interfaces which come and go and change index. * Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user to a warning. * Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in - -dhcp-option. * Fix crash under heavy TCP connection load introduced in 2.81. * Change default lease time for DHCPv6 to one day. * Alter calculation of preferred and valid times in router advertisements, so that these do not have a floor applied of the lease time in the dhcp-range if this is not explicitly specified and is merely the default. - Reformat spec file with spec-cleaner- Update to 2.81: * Improve cache behaviour for TCP connections * Remove the NO_FORK compile-time option, and support for uclinux * Fix line-counting when reading /etc/hosts and friends * Fix bug in DNS non-terminal code, added in 2.80, which could sometimes cause a NODATA rather than an NXDOMAIN reply. * Support TCP-fastopen (RFC-7413) on both incoming and outgoing TCP connections, if supported and enabled in the OS. * Improve kernel-capability manipulation code under Linux * Add --shared-network config. This enables allocation of addresses by the DHCP server in subnets where the server (or relay) does not have an interface on the network in that subnet. Many thanks to kamp.de for sponsoring this feature. * Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet validation check got borked in commit 2b38e382 and release 2.80. Thanks to Tomasz Szajner for spotting this. * Fix compilation against nettle version 3.5 and later. * Fix spurious DNSSEC validation failures when the auth section of a reply contains unsigned RRs from a signed zone, with the exception that NSEC and NSEC3 RRs must always be signed. Thanks to Tore Anderson for spotting and diagnosing the bug. * Add --dhcp-ignore-clid. This disables reading of DHCP client identifier option (option 61), so clients are only identified by MAC addresses. * Fix a bug which stopped --dhcp-name-match from working when a hostname is supplied in --dhcp-host. Thanks to James Feeney for spotting this. * Fix bug which caused very rarely caused zero-length DHCPv6 packets. Thanks to Dereck Higgins for spotting this. * Add --tftp-single-port option. * Enhance --conf-dir to load files in a deterministic order * Add filtering by tag of --dhcp-host directives * Remove DSA signature verification from DNSSEC, as specified in RFC 8624 * Add --script-on-renewal option. - Remove Fix-build-with-libnettle-3.5.patch - Remove 0001-fix-build-after-y2038-changes-in-glibc.patch - Remove dnsmasq-CVE-2019-14834.patch- Remove redundant %else without meaning (if/else/else/endif?)- bsc#1154849, CVE-2019-14834, dnsmasq-CVE-2019-14834.patch: memory leak in the create_helper() function in /src/helper.c - bsc#1143454: Require user(tftp) instead of creating it ourselves. - Package contrib/lease-tools/dhcp_release6. - bsc#1152539: include config files from /etc/dnsmasq.d/*.conf .- Add Fix-build-with-libnettle-3.5.patch- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by firewalld, see [1]. [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html- add 0001-fix-build-after-y2038-changes-in-glibc.patch- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to shortcut the build queues by allowing usage of systemd-mini- Drop use of $FIRST_ARG in .spec The use of $FIRST_ARG was probably required because of the %service_* rpm macros were playing tricks with the shell positional parameters. This is bad practice and error prones so let's assume that no macros should do that anymore and hence it's safe to assume that positional parameters remains unchanged after any rpm macro call.- libidn should not be used anymore, switch to libidn2- Ensure neutrality of descriptions. / Replace description with new upstream description. - Do not hide failures from user/group additions. - Replace old $RPM_* shell vars by macros.- Updated to dnsmasq 2.80 * Add support for RFC 4039 DHCP rapid commit * Alter the default for dnssec-check-unsigned * Fix DHCP when --no-ping and --dhcp-sequential-ip are set * Allow zone transfer in authoritative mode if auth-peer is specified * FIx missing fatal errors with some malformed options * Fix crash on startup with a --synth-domain which has no prefix- enabled lua scripting interface (FATE#327143).- add missing prereq on the group to be created (bsc#1106446)- Don't require systemd explicit, fix spec file to handle both cases correct. In containers we don't have systemd. - Adjust pre/post install for transactional updates. - Use %license instead of %doc [bsc#1082318]- Update keyring- Get rid of python dependency due to examples. (fate#323526)- Security update to version 2.78: * bsc#1060354, CVE-2017-14491: 2 byte heap based overflow. * bsc#1060355, CVE-2017-14492: heap based overflow. * bsc#1060360, CVE-2017-14493: stack based overflow. * bsc#1060361, CVE-2017-14494: DHCP - info leak. * bsc#1060362, CVE-2017-14495: DNS - OOM DoS. * bsc#1060364, CVE-2017-14496: DNS - DoS Integer underflow. * Fix DHCP relaying, broken in 2.76 and 2.77. * For other changes, see http://www.thekelleys.org.uk/dnsmasq/CHANGELOG - Obsoleted patches: * Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch * Handle-binding-upstream-servers-to-an-interface.patch- Fix /srv/tftpboot permissions wrt bsc#940608- reload system dbus to pick up policy change on install (bsc#1054429)- Handle binding upstream servers to an interface if interface is destroyed and recreated (boo#1018160) Added two patches from upstream: * added Handle-binding-upstream-servers-to-an-interface.patch * added Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch- Update to 2.76: * Include 0.0.0.0/8 in DNS rebind checks. * Enhance --add-subnet to allow arbitrary subnet addresses. * Respect the --no-resolv flag in inotify code. Fixes bug which caused dnsmasq to fail to start if a resolv-file was a dangling symbolic link, even of --no-resolv set. * Fix crash when an A or AAAA record is defined locally, in a hosts file, and an upstream server sends a reply that the same name is empty (CVE-2015-8899, bsc#983273). * Fix failure to correctly calculate cache-size when reading a hosts-file fails. * Fix wrong answer to simple name query when --domain-needed set, but no upstream servers configured. * Return REFUSED when running out of forwarding table slots, not SERVFAIL. * Add --max-port configuration. * Add --script-arp and two new functions for the dhcp-script. * Extend --add-mac to allow a new encoding of the MAC address as base64, by configurting --add-mac=base64 * Add --add-cpe-id option. * Don't crash with divide-by-zero if an IPv6 dhcp-range is declared as a whole /64. (ie xx::0 to xx::ffff:ffff:ffff:ffff) * Add support for a TTL parameter in --host-record and --cname. * Add --dhcp-ttl option. * Add --tftp-mtu option. * Check return-code of inet_pton() when parsing dhcp-option. * Fix wrong value for EDNS UDP packet size when using - -servers-file to define upstream DNS servers. * Add dhcp_release6 to contrib/lease-tools.- dnsmasq-groups.patch: Initialize the supplementary groups of the dnsmasq user (bsc#859298).- Add gpg signature- spec file cleanup, get rid of redifinition warnings- Update to 2.75, announce message: Fix reversion on 2.74 which caused 100% CPU use when a dhcp-script is configured. Thanks to Adrian Davey for reporting the bug and testing the fix. - Update to 2.74, announce message: Fix reversion in 2.73 where --conf-file would attempt to read the default file, rather than no file. Fix inotify code to handle dangling symlinks better and not SEGV in some circumstances. DNSSEC fix. In the case of a signed CNAME generated by a wildcard which pointed to an unsigned domain, the wrong status would be logged, and some necessary checks omitted. - Update to 2.73, announce message: Fix crash at startup when an empty suffix is supplied to - -conf-dir, also trivial memory leak. Thanks to Tomas Hozza for spotting this. Remove floor of 4096 on advertised EDNS0 packet size when DNSSEC in use, the original rationale for this has long gone. Thanks to Anders Kaseorg for spotting this. Use inotify for checking on updates to /etc/resolv.conf and friends under Linux. This fixes race conditions when the files are updated rapidly and saves CPU by noy polling. To build a binary that runs on old Linux kernels without inotify, use make COPTS=-DNO_INOTIFY Fix breakage of --domain=,,local - only reverse queries were intercepted. THis appears to have been broken since 2.69. Thanks to Josh Stone for finding the bug. Eliminate IPv6 privacy addresses and deprecated addresses from the answers given by --interface-name. Note that reverse queries (ie looking for names, given addresses) are not affected. Thanks to Michael Gorbach for the suggestion. Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids for the bug report. Add --ignore-address option. Ignore replies to A-record queries which include the specified address. No error is generated, dnsmasq simply continues to listen for another reply. This is useful to defeat blocking strategies which rely on quickly supplying a forged answer to a DNS request for certain domains, before the correct answer can arrive. Thanks to Glen Huang for the patch. Revisit the part of DNSSEC validation which determines if an unsigned answer is legit, or is in some part of the DNS tree which should be signed. Dnsmasq now works from the DNS root downward looking for the limit of signed delegations, rather than working bottom up. This is both more correct, and less likely to trip over broken nameservers in the unsigned parts of the DNS tree which don't respond well to DNSSEC queries. Add --log-queries=extra option, which makes logs easier to search automatically. Add --min-cache-ttl option. I've resisted this for a long time, on the grounds that disbelieving TTLs is never a good idea, but I've been persuaded that there are sometimes reasons to do it. (Step forward, GFW). To avoid misuse, there's a hard limit on the TTL floor of one hour. Thansk to RinSatsuki for the patch. Cope with multiple interfaces with the same link-local address. (IPv6 addresses are scoped, so this is allowed.) Thanks to Cory Benfield for help with this. Add --dhcp-hostsdir. This allows addition of new host configurations to a running dnsmasq instance much more cheaply than having dnsmasq re-read all its existing configuration each time. Don't reply to DHCPv6 SOLICIT messages if we're not configured to do stateful DHCPv6. Thanks to Win King Wan for the patch. Fix broken DNSSEC validation of ECDSA signatures. Add --dnssec-timestamp option, which provides an automatic way to detect when the system time becomes valid after boot on systems without an RTC, whilst allowing DNS queries before the clock is valid so that NTP can run. Thanks to Kevin Darbyshire-Bryant for developing this idea. Add --tftp-no-fail option. Thanks to Stefan Tomanek for the patch. Fix crash caused by looking up servers.bind, CHAOS text record, when more than about five --servers= lines are in the dnsmasq config. This causes memory corruption which causes a crash later. Thanks to Matt Coddington for sterling work chasing this down. Fix crash on receipt of certain malformed DNS requests. Thanks to Nick Sampanis for spotting the problem. Note that this is could allow the dnsmasq process's memory to be read by an attacker under certain circumstances, so it has a CVE, CVE-2015-3294 Fix crash in authoritative DNS code, if a .arpa zone is declared as authoritative, and then a PTR query which is not to be treated as authoritative arrived. Normally, directly declaring .arpa zone as authoritative is not done, so this crash wouldn't be seen. Instead the relevant .arpa zone should be specified as a subnet in the auth-zone declaration. Thanks to Johnny S. Lee for the bugreport and initial patch. Fix authoritative DNS code to correctly reply to NS and SOA queries for .arpa zones for which we are declared authoritative by means of a subnet in auth-zone. Previously we provided correct answers to PTR queries in such zones (including NS and SOA) but not direct NS and SOA queries. Thanks to Johnny S. Lee for pointing out the problem. Fix logging of DHCPREPLY which should be suppressed by quiet-dhcp6. Thanks to J. Pablo Abonia for spotting the problem. Try and handle net connections with broken fragmentation that lose large UDP packets. If a server times out, reduce the maximum UDP packet size field in the EDNS0 header to 1280 bytes. If it then answers, make that change permanent. Check IPv4-mapped IPv6 addresses when --stop-rebind is active. Thanks to Jordan Milne for spotting this. Allow DHCPv4 options T1 and T2 to be set using --dhcp-option. Thanks to Kevin Benton for patches and work on this. Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses in the correct subnet, even of not in dynamic address allocation range. Thanks to Steve Hirsch for spotting the problem. Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks to Nicolas Cavallari for the patch. Allow configuration of router advertisements without the "on-link" bit set. Thanks to Neil Jerram for the patch. Extend --bridge-interface to DHCPv6 and router advertisements. Thanks to Neil Jerram for the patch.- dnsmasq.service: Order Before=nss-lookup.target and Wants=nss-lookup.target as this service may provide name resolution even for the localhost.- Move trust-anchors.conf into /etc/dnsmasq.d to be AppArmor conform. (bnc#908137)- The change from Wed Dec 24 messed group w/ user IDs. Switch them back and be more careful w/ what is changed.- Fix symlink of rcFOO to /usr/sbin/service, resolving a dangling symlink lint warning (and remove the same from rpmlintrc).- Remove from spec group_and_isc.patch, forgotten in previous commit- Update to 2.72, announce message: Add ra-advrouter mode, for RFC-3775 mobile IPv6 support. Add support for "ipsets" in *BSD, using pf. Thanks to Sven Falempim for the patch. Fix race condition which could lock up dnsmasq when an interface goes down and up rapidly. Thanks to Conrad Kostecki for helping to chase this down. Add DBus methods SetFilterWin2KOption and SetBogusPrivOption Thanks to the Smoothwall project for the patch. Fix failure to build against Nettle-3.0. Thanks to Steven Barth for spotting this and finding the fix. When assigning existing DHCP leases to intefaces by comparing networks, handle the case that two or more interfaces have the same network part, but different prefix lengths (favour the longer prefix length.) Thanks to Lung-Pin Chang for the patch. Add a mode which detects and removes DNS forwarding loops, ie a query sent to an upstream server returns as a new query to dnsmasq, and would therefore be forwarded again, resulting in a query which loops many times before being dropped. Upstream servers which loop back are disabled and this event is logged. Thanks to Smoothwall for their sponsorship of this feature. Extend --conf-dir to allow filtering of files. So - -conf-dir=/etc/dnsmasq.d,\*.conf will load all the files in /etc/dnsmasq.d which end in .conf Fix bug when resulted in NXDOMAIN answers instead of NODATA in some circumstances. Fix bug which caused dnsmasq to become unresponsive if it failed to send packets due to a network interface disappearing. Thanks to Niels Peen for spotting this. Fix problem with --local-service option on big-endian platforms Thanks to Richard Genoud for the patch. - Add dnsmasq-rpmlintrc, for false positive scripts and symlink - Add BuildRequires for dos2unix - Use sed instead of simple patch group_and_isc.patch- fix logging, PrivateDevices=yes kills it (bnc#902511, bnc#904537)/bin/sh/bin/sh/bin/sh/bin/shsheep60 1680162355  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^deesfifriditnbplptroesfr2.86-150100.7.23.12.86-150100.7.23.12.86-150100.7.23.1              !"#$%&'()*dnsmasq.confdnsmasq.confdnsmasq.dtrust-anchors.confslp.reg.ddnsmasq.regtftpbootdnsmasq.servicednsmasqrcdnsmasqdnsmasqCHANGELOGFAQcontribCPE-WANREADMEconntrackREADMEdbus-testdbus-test.pydns-locREADMEdnsmasq2-loc-rfc1876.patchdnslistdhcp.cssdnslist.pldnslist.tt2dynamic-dnsmasqdynamic-dnsmasq.pllease-accessREADMElease.access.patchlease-toolsMakefiledhcp_lease_time.1dhcp_lease_time.cdhcp_release.1dhcp_release.cdhcp_release6.1dhcp_release6.cmactablemacscriptopenvpnREADMEdhclient-enter-hooksdnsmasq.patchport-forwarddnsmasq-portforwardportforwardreverse-dnsREADMEreverse_replace.shstatic-arpstatic-arpsystemdREADMEdbus_activationdnsmasq.servicetry-all-nsREADMEREADME-2.47README-2.78dnsmasq-2.35-try-all-ns.patchdnsmasq-2.47_no_nxdomain_until_end.patchdnsmasq-2.68-try-all-nsdnsmasq-2.78xx-try-all-ns.patchwebminREADMEdnsmasq.wbmwrtREADMElease_update.shdbusDBus-interfacednsmasq.confdnsmasq.conf.exampledoc.htmlsetup.htmldnsmasqCOPYINGCOPYING-v3dnsmasq.modnsmasq.modnsmasq.modnsmasq.modnsmasq.modnsmasq.modnsmasq.modnsmasq.modnsmasq.modnsmasq.modnsmasq.8.gzdnsmasq.8.gzdnsmasq.8.gz/etc/dbus-1/system.d//etc//etc/dnsmasq.d//etc/slp.reg.d//srv//usr/lib/systemd/system//usr/sbin//usr/share/doc/packages//usr/share/doc/packages/dnsmasq//usr/share/doc/packages/dnsmasq/contrib//usr/share/doc/packages/dnsmasq/contrib/CPE-WAN//usr/share/doc/packages/dnsmasq/contrib/conntrack//usr/share/doc/packages/dnsmasq/contrib/dbus-test//usr/share/doc/packages/dnsmasq/contrib/dns-loc//usr/share/doc/packages/dnsmasq/contrib/dnslist//usr/share/doc/packages/dnsmasq/contrib/dynamic-dnsmasq//usr/share/doc/packages/dnsmasq/contrib/lease-access//usr/share/doc/packages/dnsmasq/contrib/lease-tools//usr/share/doc/packages/dnsmasq/contrib/mactable//usr/share/doc/packages/dnsmasq/contrib/openvpn//usr/share/doc/packages/dnsmasq/contrib/port-forward//usr/share/doc/packages/dnsmasq/contrib/reverse-dns//usr/share/doc/packages/dnsmasq/contrib/static-arp//usr/share/doc/packages/dnsmasq/contrib/systemd//usr/share/doc/packages/dnsmasq/contrib/try-all-ns//usr/share/doc/packages/dnsmasq/contrib/webmin//usr/share/doc/packages/dnsmasq/contrib/wrt//usr/share/doc/packages/dnsmasq/dbus//usr/share/licenses//usr/share/licenses/dnsmasq//usr/share/locale/de/LC_MESSAGES//usr/share/locale/es/LC_MESSAGES//usr/share/locale/fi/LC_MESSAGES//usr/share/locale/fr/LC_MESSAGES//usr/share/locale/id/LC_MESSAGES//usr/share/locale/it/LC_MESSAGES//usr/share/locale/nb/LC_MESSAGES//usr/share/locale/pl/LC_MESSAGES//usr/share/locale/pt_BR/LC_MESSAGES//usr/share/locale/ro/LC_MESSAGES//usr/share/man/es/man8//usr/share/man/fr/man8//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:28475/SUSE_SLE-15-SP1_Update/f7988697555db4d8227dfc732a6d3dba-dnsmasq.SUSE_SLE-15-SP1_Updatedrpmxz5x86_64-suse-linux      exported SGML document, ASCII textASCII textdirectoryELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=f469d13ba88b60b7341cd1f8e0df19859ae70458, for GNU/Linux 3.2.0, strippedUTF-8 Unicode textPython script, ASCII text executableunified diff output, ASCII textPerl script text executableHTML document, ASCII textmakefile script, ASCII texttroff or preprocessor input, ASCII textC source, ASCII textBourne-Again shell script, ASCII text executableASCII text, with CRLF line terminatorsa /bin/dash script, ASCII text executablePOSIX shell script, ASCII text executablePOSIX tar archive (GNU)HTML document, UTF-8 Unicode texttroff or preprocessor input, ISO-8859 text, with very long lines (gzip compressed data, max compression, from Unix)troff or preprocessor input, UTF-8 Unicode text (gzip compressed data, max compression, from Unix)troff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)RRRR R RR R RR RRRRRRRRRU )ZM7[utf-8c4132aa71037a922c6333284f5bc7c34df4fdc8a1ffe9a1913b23f0368cc5d03?7zXZ !t/]"k%w uӿ8`V{jPU2j>l{4XjB] 9Njl >}h/{8 }U4beGT -x4,~ڲ4BWy  gHp#wmQ/d*q[ ч.+8KM2 5ߧ73X"g my,?)fn؆Of *ᱯ8F;/S:h$.bīnɅ^DJOBnH?{b6{%Ep# LQ~V2~0{V'gMƢV@r?H#"VdtῘ!z;ca='7% LvE4B#f rٚ 18Z$|w1D~;KJ+1@ćT$7~*7eSzP\`s NFKo5@ To0DW]äZ[dv8,V})5^5LD [5U#{VHDKKG2./nKz0 +;*geC2 iz(HY藕|،rscX!4s-EQNJKlȑmr-7x9xGp3 -8?TQ5r%5uw3(@n?W*eR~Y;4EZuck?!a %Ok *dTFbNpzvrɴt3#:E ry7{6]&ԹעIJ"y_<mAKͅ-vS_l)K@׏- a)8W/ۥzI1ҩ"k% Rf$⬴x6 )yˀLG?8Q2EK~J@4E9rlT7 3 XAoGKdsr@e㈴< 08Bg26װ1d$ b-Q7 x r$`wqw\-. gE:@-obY] UL< }tWXhbtEJ=:{ɝ 얠PFˬvlrǢ.%qX;JT:k ^'ʷ唛 }7x)Đf;52X[Z"o o7Ր6+Q(C^H49}:f'0B i(憯{̫}G v{1(_)_]mR ^Z h" ,XWo}g՘[)Rp؛.WtI`ȲktRfǚq=!4?tav,.v+oeĝR(kR5˨ ϷaR 9U~fYWrMIƇ/0Wc5ozdmoǀ*1>" rh;+b!\`InT>6aMJUAPE˜Ve W9fϼNPŭI kϸr|P-hXnŊַ6} ǡ=2zUo} >AL4'=JIhz~|S_><<W۲O뙲,2;E" iŒ0=Gq-[)XX;>P*vzi=ȝeKW6R^ P4bZdXz5ax 0zO?ddf-+d޳@ S/Cr^3CգqWkL O.#b"&?9.W*B+3D8ᇚ#5?3HbS&{j,`l^fVbKpap;.S%G[Cz&6M\, nGt_V!H+r t+ll &l7:#T|h+ eVvo-Jp1@ %Ԟ|f5Xp1{i-Phw+=W~\?NJt7f<5p ur:W\kmОQ,۞$䷒Zc!ͪ4-oCX:Ik~YEȺ"WXڤU8QʔIgƷ懵4 u4N:auv# r )Gcrn[Ut _^ qC+1.?i@_=vftOخ`P,1 -r翡O|gtL5@И7:2͎LȊ]'™>Gֹ<3PX]AåV!"<”<{F{$v\:]"pB༄9ֽ[q0>.X rJq'jjA{*5Hxy㕽 ~3H芉@b!򸵻R|Q㿄}~6>J,EG W-_1Em[c _䎛Ϻ"0 ÒmQ<o B3T+fǁ_@N*~Y 1b5J?=y\\JFYhB)%c=G(c˼PDh*cd3 K4$%ٙԀ4|SiD7&{ݙjkISp gvhu{̏ F%og;mE7ɍCgs~@uG94_`f4i?L GwFr{RUo O!4%Ґ9X֥@W 5/amZ|NFԲndw2ΆSA`mhР#yu7qzSz!_{.P mfz 6{9'`+d"+v PaLTXXNWKp`+d!fE ,Ԃ2 <.5a 0|9cyƴ 1NkpvS11ìrZ-1;/Xmﲸ S?~"f9LV42ޜiϭQ 6WaE܁iڒ~hI4F N}EZna*gVMdq'NUL{+O >4R ?32E_V.b@,>߇?qʢ y-ݴ=^Ҧ|uC_g\Փ$!o;OR3K? D)J5dԨMKa,md[{H Je8t:q #cW&BbZ38qUnwZO}# */8/Qӗ\EK@?5ڽxRtqX*wU'}XùZ@1Oe ɥbg"* HP:rvGRD17gD3#Jm -Fg;N)V,ّ)F40[vAUN{8pд4BGL@ukmlh|Na_ ٺ ؑLŴ.~ӌMm6="/#GUK<.ڈiHqZ~lg塗Aba?#ZwZD$4bSgPfvD~<:yi9A6i*]!-@5JfyBej| Y j}ٟ}0ha]]J4g!쁘0SuHz΃H 1K"Ln ?!FV':Fb(1S5=o35=\K:-g#"LY]7Zy)Qw4\OS' GD$˵M9gVTc&)A.qaRIBpsABepsɡD%+Y|v JDdaT$ZVUݰFզwP ~\h;Nvrgl %cgvuʖ@E/USv)79ЫpXGbG|Ǘ*rwj{֣ y)"59c2| SmuК"21lж8:Uߺ&ћNzX5CCծ#|֧`&SEIbk\AmYfK{QXIR1ҙl, ~&vU12lTP@DӴED2҉ބΜE}/]_}luF59N6S>ʰ_kixkMrͫ%\J-RWg0Va `ڦKbUi^Ś`Gb+^*).٠.SyqB,urpCm \ t\f] 8H"2N4H^+Ѡ@J@Xl7zd<7!O qc=a2PFE[P5b{q2dOV~476d 0A>hy2pg YaAO^ӥ/"Y[tuU8lB>O# U&-Pg#41 ̌(gnVT}̟7=ļYX"5l;+b7H QlHE꿰cm (YQkfrzmV|>^0ͥ;(gWMGb :Vu׻!M6&Z D6oQcڠFڣT`0S  i_W ۹|wڪGvig Я U{g=`9"Q$$nfzvYN. Vѥ R[<.$|v_^[9W4U g} "3 Kc9bMth'KR_W|FGANKuA Aq[h+WK)zWYSF5ȑICuDi:P8?m6G3̌(܂Bn6% қJn$+DhnZ^ʾV0TZD9 VNva5E)U}tի1QBͱ4q pޛ wt2}'{$/5VFSm?OL& > f,|6q[) &}+aW̽Ez}ƛ9/C%ys&Xu'I25)g nFF>ޢB ,`+jR: Wxӳ3l׾X5#M.21q4܏ph;ٔxG,Hm%BY ʶqv,)S(y_Ө7a T{Fk gPxso63D>,W_6e^hf$ۖ"g\"yE̮W7508ăhϰ#1sSMJ#zMJk )h瑌!18 -FZD_ĂnԦHIX؀E`O஫72xsf IˑW8bz*M^ O>ńu2N_IzUv׽u|te&֍{足*MݲjGMq8&PT3 \lTeCUD^~y63YĜXp n64mp nALVYu̻,rUe x"藒u"t !ƴJWW'L[?G )g?f}/Gre"n1RlvrQ R7X|cA _9=/*+ u(k gg"DԻ,{N2)\c#>hu;8.1G"Jmט򠅾Iȫ=a^ .8UMimY"x;- 42ק\#Vkڷ YY=ȐOA{7h]S270?j(\bMLՈh"wV]M40 0&չ@{@mU S3ׯMu*paI>۾6ÜwP:7NOyAl dxt:A=sϴ\%کsWldA:o9_@ <ԪnNCܕ:{y7-% _exV»9=Kvքf6pUlS;QWf@ kָI0.t=zJjF%lMiTQ *קF"1XUed;6r~Oi$ԩn5/᳹kR,!u y`Ќ)㵹/={agpj%kҞll{]}q IeބMhH0+(}fC+-/H}t=cQ k=!+"LǴ4=oS3X )/W:ŀtDsXFKTX7vF L߉]y8_up[ׄt*9Ƶ>(W@`x2eR ӇQ`6B~sgvŮЯž a!C57/V6t'J˩\px,:!kwвsg-)?2@V9||MlɯX*֖XIT01' Nz 'DJh'oIVQb&M<qU_(&n 7f#gPtwfzL:2 zWQ}Zr 6n%woX̕KQ+m v~Fp0\:,vjz2K5y٦BZـaĝ6VbaWl"1ԚC9l4h,lhMmOɂIid ѣC`15`Zy4}bky;%#}%(wZAЈ|vkWPP戆h$5ȎJZ5%F)Ф,28Bfͽ"Cͯ4^lY_4ԘB%?iؖ\|Hq%0s78f ONo]Lm{}%w(~t-_Tk]]_tpv7; F((vGCsŽ}Š]=8`霶=jR)biqe2Lv #oY .S7 =-0KQSFG/L@CD!ġ(sϏlIλG!8-f?9ے=8CW&ˡ3.BNDOP:?Pw}IGVv+42AOC)O( +c"#lLUK> 4-^/ V AUts6T2 -ҔhvIoJ@.R*%/ k weHj<ν y5%H"% ijXp"p܇wIk1wy Sq4pY\~]nc$q%t^f跈rnЊdUPiVˢdUf ^]5w~ [ O[{غty4 ފ6kL}Oa ~ָ8*{ϼ0B3kJ?k* ·MGPRI@ Z3n =-?^j^i]'3Jʹ?K(SSfz5,םS`4I={:_:vE@s[xDP]M583T?އB*YMb1ɾ_MM3}%Re ,waӔ,eMʳhP7)EXc.1J&.:q<txSþ7rX(qbc9[Cj-q{mf08؃Wp$OFM^ݤ0,ϕE Kcj:yUGdR+HPNϻB>!:b))œ/@|7 KDtw|J;=QmPeVe[`SDJFɴkGuߗcPN}pх<-Uܶa)\e:_}P W~{LmLVoq8Xs7s-O/nDr;}u;6@T["DuIa*vς=1hpLu<} h7a%BE9J@ e +*V8b;*2gQGkwH&Xj@s'LFItC4b[Wl 9cE#$|tMpO{GĜs~V\ (*trA#ԷP4J=GibKo_6Yl5c jKV4; <(Ltpa3ix7]c88%tV`\6M17>zA',H6LFVziCNHf9؄xrJ6#T9SP^,Y /D#s'<gm)63,*RxbgáyhG+C5+N!DcX/k\^U/[x`q 4prݯ3бl{.,:ky?Ǥ 3 dN`4Fsyi,29M]`])!(h(䜙H_2M!r|Ma[aѲWЕ-rKXO8V$K(# Z \t?S2ŠsV Q-yƪ E;ƯJ9dή1TO5Tfr`J#zr崾d*b?bI%菱u![ ĵa>@A!,&/]) k@nKBFRSb.XA\둂`m&ڭUu؞>MuG*Ɠw@/@,n^}32hJ4~A{YSnMkRppflK8-r>-2TI<#Ͽ:YrIJq)]6>;-\̓qLM˒hHN3΋hY+yD_}H>"{ҳ8RA#e#'V9xNs!wC'ɍ/D5v0L"~}PW2GR#}xHJT[BAȸL^k٪sr5SVퟀFS9X3sG:3qBePٻ;Lr*q)E0?_RܻIU(9nkWu 6>BA>C}ZJI-9?{9xmy꧰t9im.-d et:4>IL(@((y̴Z͈;#dzeہ گAl>Hv\ 68͠"yU Oօ0)kTg v=5NS_냵h\b{#JKШr0`fA\ؖvEaiٍ Ǒ<;!6/8*]ʹsp`&6Xyv"rl/,t_GOBKȵ  eXL[51 iRL6( qdZU?E ĈtJ5?1ӴU*-Z^ƊZ dMB/T _O$19'ꬁ@Uo$AD1YfS h@{s\%/UnۂPUe{vݪ9ts\xLM-5'D]鴘SΠ1.@ޱ2vY1ٌ4ϴJ*H>` tug#j tA6Xy܃K\Flv-5U \0PɺRuM,O6g!D860f0'dc>)NShy"44SPEĔ9 S=t`M|& cF=DݳG r sv9,mŁi/f(zS&s7=% 5|HF7zrXN˴\=!,\@E tzLy"yoܪyo1W_}~Kۿ 1@TTv-W<^";#8YVhSMtπ9(0!J@PvX\񲳣D<< `S+Ke*GOߨb_ uj3@gmޞ5.,3}:n1b̧!b>{`A.W40*2lϥ*!ySvrnE%Ь6EX"8.0RL+tOgi(H)ʻؕw@mz_8R#R",lu En=c;=wVG?6& &RdCP!( A,FA=ҡ^ RI S[潠< *fXD7I;t9,m}u@9p1KXn<.:ʘШG (M4WnWcaL;3%!c\ qکkOC7|M;'üiq:o`)^k mz~]QU+/l٠+Q w]A6؞526rh懜dPg  ?CprtLܑ hm6g[ C8,/ăǯ h>EOtiuъTZƥUV.7虁iT_PkTqJ p2z;X%:[E$T0 5̿Ueadu M^I4]6^yjw/7k. Nʕ7Ѻ&vuBvΨ5 v#'TO;+ʗB4'`yI%IBJ2.Wn-+'|bJ :G]pb9GrSYk\C4uիrQ#!+0ѯWזJNpkT;ꕗ˜X:Pܶ`ݟd?8pՓ>?!B!JΛ8B)mx%&86ID[Nm / 4& NrVQBB :} 즘[b@y4n:Nv=*x&A,x{}~A GfHx렑|U&d*GIx eME:S+pyR;:ֹ1BR};] Zt^'M#Mg]VلPANwWG"Є9!L-_vts)Z% X!5Av$VW蹯Z#f{`Е -Ou$8ɩ灳.8ć;EG_ ner㸅% m /]CcsIw{JſA:Y Om%*S?'G\:&)2Rr%kUuԟhLIǠ\vt*& vK4G[)Ai= >R2;ޓv-@ء--q hh"1zx?+Truڬck/c,ګ4TRC(C;NjˆM $2)snDe oyR8hk| vHT*02;& c28|}fYd x|aHJ9XCw_J `ΓD`l<jy"Z_…qgViq[ӈnT8vݗz'OU%⩚&Pl" 5Qn 8ʐ&eXîc7tT3(LDyPmuWU7x#F=#z|UY/.S߫?c\ʢgnkzbS̒Bڀ *k'uμaqJ]3ra̝ܽ>1,2Pxs;(9$Νl4$&N@v}tڝ쿕b #pm @4"M;hͻZqY~xF 0ܘJFNziQqH)_RC~/{w?N0nVS_:ff ᾣN8 _͍7"Cp{կS>w~C?$6le0'U?5$7o%hEI"wLVjER=B*r2 Hg26<Ž-f+ ϩ.h fްFTޭˆj9!8mdf n TZJHca,6DvZZB!j ȩkv!XT->b _f14\b "T5)hzR񕜑sdàYOH}+/9,.ٍ%$bʧl_ F{J3u_@>֝?R|=.b?I"©ϓw1 ֨Q.C!jQhxD]K:D'*8t]c{?ᢨܥum2xK۱τ2W]]$g_Krlnp됇dOAV4ڀ3@=,Ya;XHNf<4(܍5uO:ܩNvtG[}aVSd1ָ\HZiKIA*H|N`"xMU|zUɻ+*]KIdaL * U K ?ٍWhLQkɣ|;7:\/&)q \e\w4lHgD96.g> +E!hn  IKVuޭYp_hȾj'O7n_8 PPwI l8O(t1^xMksn$rVŀ%9B)R'#L~ {@wF̥\}J^9Kr ExӨ"$4#$-fKG]3w-iaf]9!;S<ض<;aXnT_,1)w]^#YGK;<;æ;SIP^8 ӏTm(ƴۘ q P쏡j@V&i!UX~;<ݪCA"X-,WqBhy?W췪ODΙcZ=D-ހRJObH`G `đ1^R~h,V , 'ҋm$c`6qjH'*B2ǛѦɓ'v4gMZ[xP9L\?U%P.|^,O7izdq|&uSs8!϶' rU.$+]8,*`ᛍ:cGR/2ȃ!о hpB_$*9ht-Wh{1221 K6QXR¶3Tz A&٨r=7u(?/kk\"\ B@Er2Y 7)E< 'YMbW [#j""{buiCK4 yf}# U neYWo 3R~&+^%VX\:S^`!T`3gd3E&tb ? +HL{Pʒ,utQ́Z"K&b"a˟ T";)R"4d,izp#Lora ҈'~]Սg/xzB \&\#b//N)4$ȽvAccNb*jzO&Bi=ߐӖ"ps]\ TP F_{V*VxFT=WOqp~=(-%= zo.sz؍RjG6-qSDU0xӣ Z7'mNT{">GB-Acbe҆~)YJRNB8X^s_.8[WA#*ނۣx5\pxPQAS7V_.wxw0 ;]XJpPq9ث %No ,'^$0șl{friTsJs qt_F12$njR n2^xw m#B':a&%.{M}aMB'#ͩ:b f"㴅w^R>Nr5d| `^xդ"s-v 6| 8) S>QYG T5AϢHK'GBny|_T@:{xɓDmoֿD`E@wĒ 4[N"^Fp4#Jjg<65ejSKIz30:3,~:`ůMժ]0hFJRMU :ںpO#)x8"1L-m4qIriPkKӡnS}Vkms ;3[9d< ¤jQ~?+YP|C|,P}*JgP cpKD^H4y,gl;jw/<_& )y4TxzxYM4X \czI,jhclZTaTLhJm3I$5x}޲fO ZzD`$p/bǿdsg[ 2u3<5^OTDD#S#Pt BSIS.xJތRA^x褜ksHX6I'+)Y7c~a $v_6\6SU ~/1ӝ~QxS2D= 3$2x\m&Im 8hb}xMŽ&O*䟬Z +z@1Dkm"lDeʧњ! Tڼ(ߌ=>!6;4.eN7&^^e[A$,kM5`R5M(ŐqR>xtko }}EK,bQɪͬbf}vׁ7a T08\1x2g:FL*1RCӢ'lh[{gSB܀Rn@RbƠg1);{1_%!'V Ar#r@r"ǎZ5jLa~_]!o՟{:r^AƒB%j?kQbT+dKSN;*2Q*@ i_ zE^Gy+a_Ni"a䵢.ΝX\ޖuLMPgG%m'\ΪOq`6WChtzkY.gKf,K]2j/ϵ驰lgJ ]Xf!S8Emx,#yi,'6Kt}#0Bgri%n=y*sHA[eBB o =HQ5ߞgS ~fI)5 A(/*.4SӆwEI(`ɀ0 UGNL<ڀ- dTZI$.3- ʂGDw -ybe3ш:3{o h~xFIr0~dw8\rɛ(LI3tdf ;ápa*}p?%F}{zo=O-tqD,U; Hg\,lo ~]KݰvM-T1ER++L"u⻯Ĵ*Q4A{k>0=$;j]u!_O ZtJ^Dx!ƨge:ZH~o'0"VQerfVL6{WF~3 gD躢aV@Eq9 /<q/0Pk|5L\W0 x)PdU)<%Z5m&٭\X犕?_ <=NfY6iJYA+`{a WD©#0[:Ìk-ZͥeX3dQt~'b *<U:  pFoٲ/hBR H8,1Q[FT0]Oi]o~]hb2e2WK$j͉F;;J Oh,a=8Y0ꂴlTվ̄<;MmE 7ګilŅ2*9Dq@TQG^zܐOr})Trݦ ::Z h|i_pdr&Pz6FxlYfRF|g%) b?d@Б/IMQFR#( >p\d XԄy!v:W&753V@V)7`N_Gڌ rw̟Ll"Ri*-WNL$KS/瘝uZ4RN&Wxv崢9RC9q]SCXQS`38y2 Ȗ~[ b XrT|eܟ,=s,#ݜ!4xI2'ú2r(FA2}YtmnNzQ D0^_xJQD .-.O󒃪Ku2)q/C\,ҊfMz<۴2|& =gC V+ qJL!!T[ 'T6nGFay_Do߶+e/ v3؆& 2v5! a\.RHJ2 qS۾%No"ӵ Fۈ~%Eo hi{`)I=ghJM?;?G"9z6_L8x+8l@oɱ}L£ ,jcyN+\BBk6zZ^\J %6`"S >Xg)^!k%eolwqZ Pq#|ʸ!a1.ԳB\;{E\2/`\b[,>qnd)I76jW㦁Zm\ fGmQjFWE-,ګ~2o|8D; Ћ^eRƳ-dB,Dz}ʶoS+!Oh,XuZsM1m~216B, AoG4X!JX}Zof0ki!M~#PE[٥M}rJQt4jS ;X5JHO}k+e4_ $:0]\o—XU7f ([GjBdX>e IU*W*wـTׯ/ʑpZ9Gۥ3I|IPB!/i?Y ( .DWz85 !d-~Jz8 jTƃ0z0-[E^\gLy UV&-l1xCżMHr(DpʕH>%_U3jU^rq{U WMu{ۤq \H*;&kÅZjLZ} -K:'asx=%x2t"-S%017&#K↴;Rw;86ϒ"&c9N.X"dWΓqUF >[2M_cC 7/MxY]:E-e.1[>9F13Ib nV%Z\SdJW@IKg3ʭ[>P_uy=Z_QRNw( ,%->$9lvN\>;jǝ˥6}R˜kjqx@^9MaS C\I4+ K{= Ň{PG ##m|<唹vz- gX|ػoBw .E18,߽D+OK0)' aثgyKrG]` C|LR&Bľ˳Amι ӏטt⻇x46ca{ǧ$FT xPVBkdEb[) !px*I?\c=G4v<{n2~&c&L) k"CXoKe-mMTGYD53|A{N8@'/! :C;WU Cc ̘Q>%3Hy9nGH7@ߙ _zy޵E E.9&vG/=6V Eqxu9Z"&QC$ua()e_4gVI-)8q*VZ ۡd{*6>bfA޿x h7C}K1wW6t^M kEԕ-b 1GBzDQieȈZ2 ij_zHA=-=6 c7x/cR%+.cnoc^ ?@!|jM0CՇS9/[h?",eec1Ea&|ߺgxQ!IV fzED{R[s7z@;$Tm ٤s`f8` %}=A@2ǖ/" kVEE͜'ya^HԈ >M5 gh}rK鰃dX4kIꃲ7,<\0|rn-W -]do-2<~c8$aT o7lդp#PiJI )9뼓-0șE2蓜VG 4MGd04eǪXi{8Oo4^1{"R@ґ`%Z? &GvG 3J*Hg6O>3d9+,HX׳6SIA|skt†J$Y枯@qloa_s{wlxxVEZFᨋY:T(ȚQYHI-V<%/~}%~e.J86]'&:i$Ra-$ݕITVT79O1u.C3J:H\Ty #H6f좖)\ .7M=7a?W3= O"{6UV}548Xb벟Yqʁ197̱ 0~R3 T 2B]yl5[#Ax;r,_gcP}ƫTH1g`2>=תXZ,Y_:l[kG? WC ,qUɲ7;%20!N\d ABxSʡsщܿXѶr+|7;܄U&h>}J!jf =QjkT@_ujqs6{mݛz3BpK㚟1pY c5(FݻFN`pp;/4m4m^l ԎPS>?!:h(?lzM0OgMJ5gE`0ފ `T)`Lhm~P#7GIAk>1s~y-Csiu0asJRQ#hCXE%  WlT] 2fN=)_h[طro*Jwׯ%:ᘽ>s-aqcplD 2U:J|E)R":]i 8mj}&YZjǦEӮċ6(y]aR0ƥ?/}H]Cxu$ ǃw0ƶJu|"J_, 96ИitQhB&C2,v|f9n9rQN(9ۖ&碐f2Wr~.Fp .:U ?TǕMxbhsC9.wǮ F$94"B<:Ȭ~GH(4)\֮ܙELg1]zW)IVEJ3kpi@e Ǎ8:<vkQ`q&06Au|N a$<fnqu\)Q `X"ǾTwR̄Zz"LVP /D4Ǜ-Hy<0#ӗ'z?iw#^ ߔ_Qc:<Ļ['jҷ{|+T馓= ye>S-p ;WdiNS-^?67\J)\YK3\tQRƂo$5GCnܕW'UmA JYx`[pF5.xq׵Zí]%c }OrE\ZCj,ߟE}_gM yD*Yani dY#gSC|׸ j8n`c"Ct;v5 7gNZ3.Jd_ 85J&j D6iDZ^j--K G̮>FMO>QbRMc.i:7F2ySC١_\  6\g{t$F7vX'c]?2%T^,9GOH lE> |&RCYE>ОX~Pw^8kPflf,Pccpv0igNoS4NAmULY= , 9{E ?f Nq+MDf?G ]n`~"h?Q\JD6ب.rS*wv,FJ)9N*7Sll-(h h`(` !i;e³pM$10 ()P̖6Xe*#'z6B`z1R'Hz|84IB, z؝Iox8n&&Rëy4="6]+0.ꄤ5L \ޑ8~WQ'X)/`)y~-9TzOѝᨕ_]X80kj'D2I vJ{C;ƾs数iQT<rjϮrTu 82 Ȅr~ľ5uC"S|$} / g4aCl N M#piU7FS T#euKͯC_9 ڍx Z#7R/֘Jɥ0įLt ڠS7lԓ0X63#:)> sXei$`U%C#|UOZpCs/.Kmwz5S1N̤0Քg Ƙ.+œT;uq/sІ-Z(whZx%NH9,U?L 2%pO@Eϫn< d w>06m8 A &}KayRhobxtR((;DLvǵxYś7E|?`HM |nA[3Klĩq $ ztF=||%(׿)J |Yؤ3} y V6,&&vV~7a:ʛy}pKC3H?rm'J`-hgr(gA V6|1Gc$UC(<uq*CSW1.Ӥ4܂2 %^^ymҰ絍gWiXS#$^ bb%|)>_'i$~i'$+T$2{~EB֢umZbR7~*y9q(oCILĔ ̈L-%9UĮ !YJãSꙵW-; frhG亘[Cؽ9#. āp`Zʝϸ70lEBI Q2#! ¨Δ+*|vӰ77=ryǙ,e`.Ek @/%@]#HNvB3qi0JM7Y)nb&˖,9$j!-৯vO }Q:)~  \bXo DOlx6kiz"V~Z"CpR"<7 F`R~bDHΏ|:w1B&rYdWEi9:#{Zu,[S13[x_U`wu xPrɏpDј†6)QU y.LYD4jq HD(qǛD[ūf*̋n#`&>,ڊ4̩$iB{ +vLtu1V>O!\W:1UxYjXbǐFe݈ͮE٠(S_@Ѱ?4#zuq FIJ8r&*+:w(#5L:brcxiI 4DAX~h1?.O=}n_e5Fxן[5"!G$[x(DBřA[~rti!˓^5Gǂg_9`9ڭw}|^8#7:ׁʟi( Tr].YzVz\ʗ/5Y/'{9YQY֍pu1b#.yrn-=ZSW-[da.2';#7z@ʤめo/ɅpR*Xm`}gWž!z0}Ś&q]pJ[9)BHSX%r"t@EMP4%5t}>g/ͺevv/'/+TI'+]c˵XV@ۥC{+2MV*P J2@uIl=u2Aۃ`4#o]6\S!bNj,FF~3`M,r7xl H)T?bk۟{b~9kmG|k! <Ə!1f6.eYVUaI|j!3@Cg!7n C3%6rQbĥiCxN^ÀFZd_SpiDC 5WY5.  VPzմp͠W?m;.֟U;Iy,se,5CMXnvs`w#L3A^0ősSPEx\dûR榶R&<6ͷ{UmaZk*3= Pp9*̄a(uŝ2وXHgfyߞau.i9 g۷W:ԌvBXHMr-2Iݴ('^=~lvܸbcGӉ-\!EK>3,vI]zvOt3r?kc ?$1):~9O3=0.qY!$3tFD.޹5fF5?j~וE.DwFYF Gs<ݙ#F Og xCEm"n#ڌY~#aI&סv61TQU(zHfWYI8c-@8`!J/Y'c($YtHk|BOY%OeRlt'!-$;Oc!*ԝش&mzK_4۸sUZiw LH̦ l(lkfgV1.T\$eFf:tXSł7FoyGunX1 R?cmagZ+d$~MAT kYbG;hU ~n7.>B"5=cf>]aTV5&?J ! $"#dh :Ѹy4 {P t(Il)\0HoNȓF$r%$zK 0 ~%+Zz}] eB'Z*u/'U~1&3n&|ѹ6Qu3.2+‹>$SrdّrՇ|JQ2 :˙-l$>?6l/mͨD$2f,s%*Ct O?t+#t\Qϔ ?InlerϚqAChD=}mڭaB~a >FٷeIz[Q'؇\S`OF^\8'F20Du XpC&͡nZ=_,2KuEd0J fHqSe,j #JG(G \S7 HL,b@/zB#Xl?P~9=[:7l YdIN s G&]g`b Υu%3_[chiH){]G F_*]Dn Բi$7zl9gNL"۰E%\Va܌6 (V5NP!Xco!S)JzM|RDi^<D]F ~pǼd Bcwܯ} Jmɒ̄ծ̭i5 ßIIU)A}mA^C'Π\,~"N~v忪4Q8S@nԜofkĖpaKdzrEc[1__%0#F"IZq 1̝dW(61\SҢ5"R9h.*xRG{q TׄJ ?+4Ja pp5<6_ΰ2TNuΑp<[WCA)-PiiFo = WH`7hYzOSb&k|oZ};x5,-]`RΦ0Vv nv5- qrSt4x1ɸ!\V[p6Kt<^ S;uCy D@>*i!N%:JҺG=/^7 HIֿO/#ưܢ׍6blj͊dUHM2!Q8?>dFXk¾dcinU -r(868g-τ*t`.3~8`%M&09 c'ȏq/m((AGalPd'7+64'L.Mwf{y%Gk*SLDGL-5gӟBdDn<^GK{_:9'P1_& P5r#GCPeeTxm`uM9uyHpAyw?CSDiL`/ODeCܵ/0GJ8yNKWc.bxz#*2DFī64C'drzKi15.Qw[HPݦX4'WIsȍ zSHzGLyXZz^ύJ״5VD9f/ơ-yAI`qn)qzr+,}}S+'3Q`;>:F)g򰛰QQKx6[?$Wq:j!XG+]#; itX?_1%ߺ:F HەiHhkbOiEzZ0qUeԃJiE-r=$5Rdw{%?@ 4Uڷ5 p7is;fE'r"*:0=YKqojnH?Y[QljB1;_C7J έμxFGc6V