Package: samba / 2:3.5.6~dfsg-3squeeze13

Metadata

Package: samba
Version: 2:3.5.6~dfsg-3squeeze13
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
documentation.patch

docs/manpages/lmhosts.5 | 6 2 + 4 - 0 !
docs/manpages/nmbd.8 | 18 5 + 13 - 0 !
docs/manpages/ntlm_auth.1 | 6 3 + 3 - 0 !
docs/manpages/smbd.8 | 7 2 + 5 - 0 !
docs/manpages/swat.8 | 86 2 + 84 - 0 !
docs/manpages/tdbbackup.8 | 6 3 + 3 - 0 !
docs/manpages/winbindd.8 | 17 7 + 10 - 0 !
7 files changed, 24 insertions(+), 122 deletions(-)

 remove documentation parts that do not apply to debian
fhs filespaths.patch

source3/passdb/machine_sid.c | 2 1 + 1 - 0 !
source3/passdb/pdb_tdb.c | 2 1 + 1 - 0 !
source3/passdb/secrets.c | 2 1 + 1 - 0 !
source3/passdb/secrets_schannel.c | 2 1 + 1 - 0 !
source3/winbindd/idmap_tdb2.c | 2 1 + 1 - 0 !
5 files changed, 5 insertions(+), 5 deletions(-)

 prepare the sources to better respect fhs
 This patch was historically very long but most parts have
 been integrated upstream.
 .
 The last remaining bit is the location of "private files".
 We historically have them in /var/lib/samba while upstream
 has them in /etc/samba
 .
 We need to provide a migration path and go back to the "normal"
 file layout
installswat.sh.patch

source3/script/installswat.sh | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 do not install the using samba book when installing swat
 Using Samba is packaged in samba-doc, however upstream also
 installs it in SWAT install dirs
pam examples.patch

source3/pam_smbpass/README | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix examples directory location in pam_smbpass readme
README_nosmbldap tools.patch

examples/LDAP/README | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 mention smbldap-tools package in examples/ldap/readme
smbclient pager.patch

source3/include/local.h | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 use the pager alternative as pager if PAGER is undefined
undefined symbols.patch

source3/Makefile.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix missing symbols
 Fix missing symbols in libsmbclient (and libnss_wins), and add
 -Wl,-z,defs to the libsmbclient link options to prevent future
 instances of undefined symbols.
 .
 This should be forwarded upstream once there's a configure test
 for it.
VERSION.patch

source3/VERSION | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 add "debian" as vendor suffix
adapt_machine_creation_script.patch

docs/manpages/smb.conf.5 | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 adapt example script to debian
usershare.patch

docs/manpages/net.8 | 4 2 + 2 - 0 !
source3/param/loadparm.c | 2 1 + 1 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 enable net usershares by default at build time
 Enable net usershares by default at build time, with a limit of
 100, and update the corresponding documentation.
smbtar bashism.patch

source3/script/smbtar | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 avoid using bashism in smbtar
no unnecessary cups.patch

source3/smbd/server.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 drop unneeded calls to cups server
 Don't try to contact the CUPS server when we can reliably
 determine that no printers are needed
autoconf.patch

source3/configure | 89538 15378 + 74160 - 0 !
1 file changed, 15378 insertions(+), 74160 deletions(-)

---
bug_605728_upstream_7791.patch

source3/libsmb/clireadwrite.c | 7 2 + 5 - 0 !
1 file changed, 2 insertions(+), 5 deletions(-)

 [patch] fix bug #7791 - gvfsd-smb (gnome vfs) fails to copy files from a smb share using smb signing.

The underlying problem is that the old code invoked by cli_write() increments
cli->mid directly when issuing outstanding writes. This should now be done only
in libsmb/clientgen.c to make metze's new signing engine work correctly. Just
deleting this code fixes the problem.

Jeremy.

bug_574468_upstream_7265.patch

nsswitch/winbind_client.h | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
security CVE 2011 0719.patch

lib/tevent/tevent_select.c | 10 10 + 0 - 0 !
lib/tevent/tevent_standard.c | 5 5 + 0 - 0 !
nsswitch/libwbclient/wbc_async.c | 2 1 + 1 - 0 !
nsswitch/wb_common.c | 14 14 + 0 - 0 !
source3/client/client.c | 4 3 + 1 - 0 !
source3/client/dnsbrowse.c | 11 11 + 0 - 0 !
source3/lib/events.c | 8 8 + 0 - 0 !
source3/lib/g_lock.c | 4 3 + 1 - 0 !
source3/lib/packet.c | 5 5 + 0 - 0 !
source3/lib/readline.c | 5 5 + 0 - 0 !
source3/lib/select.c | 12 12 + 0 - 0 !
source3/lib/util_sock.c | 15 12 + 3 - 0 !
source3/libaddns/dnssock.c | 5 5 + 0 - 0 !
source3/libsmb/nmblib.c | 5 5 + 0 - 0 !
source3/nmbd/nmbd_packets.c | 37 31 + 6 - 0 !
source3/utils/smbfilter.c | 7 5 + 2 - 0 !
source3/winbindd/winbindd_dual.c | 7 7 + 0 - 0 !
17 files changed, 142 insertions(+), 14 deletions(-)

---
bug_611177 617429_upstream_7567_0001 rerun make samba3 idl.patch

librpc/gen_ndr/drsblobs.h | 4 2 + 2 - 0 !
librpc/gen_ndr/eventlog.h | 12 6 + 6 - 0 !
librpc/gen_ndr/misc.h | 4 2 + 2 - 0 !
librpc/gen_ndr/nbt.h | 26 13 + 13 - 0 !
librpc/gen_ndr/ndr_drsblobs.c | 16 8 + 8 - 0 !
librpc/gen_ndr/ndr_eventlog.c | 24 12 + 12 - 0 !
librpc/gen_ndr/ndr_misc.c | 12 6 + 6 - 0 !
librpc/gen_ndr/ndr_nbt.c | 44 22 + 22 - 0 !
librpc/gen_ndr/ndr_netlogon.c | 8 4 + 4 - 0 !
librpc/gen_ndr/ndr_spoolss.c | 1056 528 + 528 - 0 !
librpc/gen_ndr/ndr_svcctl.c | 40 20 + 20 - 0 !
librpc/gen_ndr/netlogon.h | 4 2 + 2 - 0 !
librpc/gen_ndr/spoolss.h | 304 152 + 152 - 0 !
librpc/gen_ndr/svcctl.h | 10 5 + 5 - 0 !
14 files changed, 782 insertions(+), 782 deletions(-)

 [patch 1/9] rerun 'make samba3-idl'

metze

The last 10 patches address bug #7567 (printing from Windows 7 fails with
0x000003e6 (in AD w2k8r2 controlled domain)).
(cherry picked from commit c81256b04ead01f0d44c8a235d2ac793b7a51364)
(cherry picked from commit cbfda3a086e27b6efa7db6ab1d41ef96fe04d171)

bug_611177 617429_upstream_7567_0002 spoolss fix potential crash bug in spoolss_PrinterEn.patch

librpc/idl/spoolss.idl | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 2/9] spoolss: fix potential crash bug in spoolss_printerenumvalues push path.

Guenther
(cherry picked from commit 45952b56797982d27731b20d97f5648c9414814a)
(cherry picked from commit ad68e45b505331683a2510de20f113a7c20e68e1)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5a660f3f15e1e04d556b34b9e49e7177193df026)
(cherry picked from commit cdcc2ba83c2e4a1f5ca5da870dc673e7e2507d23)

bug_611177 617429_upstream_7567_0003 spoolss pretty print a struct spoolss_Time.patch

librpc/gen_ndr/ndr_spoolss.c | 15 0 + 15 - 0 !
librpc/gen_ndr/spoolss.h | 2 1 + 1 - 0 !
librpc/idl/spoolss.idl | 2 1 + 1 - 0 !
librpc/ndr/ndr_spoolss_buf.c | 27 27 + 0 - 0 !
librpc/ndr/ndr_spoolss_buf.h | 1 1 + 0 - 0 !
5 files changed, 30 insertions(+), 17 deletions(-)

 [patch 3/9] spoolss: pretty-print a struct spoolss_time.

Guenther
(cherry picked from commit 440075247d11a7852d8567753f426fa67f41d875)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 0396087c36652b6c3d2bf4206212c2823352f9e0)
(cherry picked from commit 2fd1b7cb9d7908dcb02e7405a8e532fd9a9738b0)

bug_611177 617429_upstream_7567_0004 librpc ndr let ndr_push pull_DATA_BLOB look at LIBND.patch

librpc/ndr/ndr_basic.c | 9 5 + 4 - 0 !
1 file changed, 5 insertions(+), 4 deletions(-)

 [patch 4/9] librpc/ndr: let ndr_push/pull_data_blob() look at libndr_flag_remaining before libndr_align_flags

metze
(cherry picked from commit 6c3a49ced333988b21d86e47b2b1dd1a5957e15c)
(cherry picked from commit 5f8b7f95e9ce5946f048b242dbbaa14897aea919)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit eab30c15b2528d92e09b774be453e657020e5aa7)
(cherry picked from commit 3047e20d3b0ac89afdad3fda741f948b03e2ffdc)

bug_611177 617429_upstream_7567_0005 librpc ndr ndr align relative pointers based on the .patch

librpc/ndr/ndr.c | 26 26 + 0 - 0 !
1 file changed, 26 insertions(+)

 [patch 5/9] librpc/ndr: ndr align relative pointers based on the given flags

We used to do this only for the reverse relative pointers
and now we always do it.

metze
(cherry picked from commit 84b884eb4bec38b721d6c38704f12d1d2c601bcb)
(cherry picked from commit 6648ce8990a97da739d4be69657e9ace6198068c)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 490d1553714ffc5afe0e49c3473e19697bdfbd53)
(cherry picked from commit 8c61ff6c55fef5f5b2c256503bbde07c6365a805)

bug_611177 617429_upstream_7567_0006 librpc align nstring and nstring_array to 2 byte.patch

librpc/idl/idl_types.h | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch 6/9] librpc: align nstring and nstring_array to 2 byte

metze
(cherry picked from commit 712ef2590d0ee59a4a659926cdf8aac6e968dfa8)
(cherry picked from commit 0fb64a26b3b35b75f2f548d882bed41aa0386c6b)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit c26be77576e13582c7d51fe84f4c69f1c1abf28d)
(cherry picked from commit c13d11b336141800db85667e53877ae689583417)

bug_611177 617429_upstream_7567_0007 librpc ndr remove align2 hack for relative pointers.patch

librpc/ndr/ndr.c | 6 1 + 5 - 0 !
1 file changed, 1 insertion(+), 5 deletions(-)

 [patch 7/9] librpc/ndr: remove align2 hack for relative pointers

metze
(cherry picked from commit 23f6f449792d889538e0d0028bb8fbd5c807b0da)
(cherry picked from commit 9313b5d1da24406dd7d26afb2488fee0cbea44a9)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1757dee05942add03edb51163bead807d839fcf6)
(cherry picked from commit 50f639635ceda021efd129d8ea1ecaba4c985f4c)

bug_611177 617429_upstream_7567_0008 spoolss.idl align spoolss_PrinterEnumValues data bas.patch

librpc/idl/spoolss.idl | 2 1 + 1 - 0 !
librpc/ndr/ndr_spoolss_buf.c | 32 32 + 0 - 0 !
librpc/ndr/ndr_spoolss_buf.h | 1 1 + 0 - 0 !
3 files changed, 34 insertions(+), 1 deletion(-)

 [patch 8/9] spoolss.idl: align spoolss_printerenumvalues 'data' based on the type

metze
(cherry picked from commit 341330600aebcec92fba64ea343888c15a0c3d44)
(cherry picked from commit 757471a5fcd4f95da28402bae6c9ceccff7d6548)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 3cb71012a2cf26037323cded8cfd9ec5d12223c6)
(cherry picked from commit 380c40986d029d21e9965f582a0ba3085262466c)

bug_611177 617429_upstream_7567_0009 spoolss.idl align spoolss_DriverFileInfo relative po.patch

librpc/idl/spoolss.idl | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 9/9] spoolss.idl: align spoolss_driverfileinfo relative pointer to 4 byte

metze
(cherry picked from commit b6ece01c7922adeb3c9e718bc8cc610cae7c543c)
(cherry picked from commit ba1a72cb153892e491af91a6bb61e1820135fa12)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 25f93fe17a396f9c0372dd5d1f4210ecfce7ded9)
(cherry picked from commit b8fbc4eff64d4ec5dec0bbfd055f8b3a6851b9f0)

bug_611177 617429_upstream_7567_0010 librpc ndr handle NOALIGN flag for relative pointers.patch

librpc/ndr/ndr.c | 8 6 + 2 - 0 !
librpc/ndr/ndr_basic.c | 11 8 + 3 - 0 !
2 files changed, 14 insertions(+), 5 deletions(-)

 [patch 12/12] librpc/ndr: handle noalign flag for relative pointers and alignment data_blobs

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Mar  1 17:11:03 CET 2011 on sn-devel-104
(cherry picked from commit ef224aa004d5f1726d8dca020e0ef96d8c58565e)
(cherry picked from commit 1ea17bacdb09d28a12a8b6ddeba3ac285cd9f905)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7c6bc031b3af3643027865e444fb16f7bb7c7152)

bug_613624_upstream_7777_0001 First part of fix for bug 7777 When requesting looku.patch

source3/winbindd/idmap.c | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 [patch 1/2] first part of fix for bug #7777 - when requesting lookups for builtin sids, winbindd allocates new uids/gids in error.

Ensure idmap_init_passdb_domain() correctly initialized the default
domain first.

Jeremy.
(cherry picked from commit 32a5aa62cb54e90947bd027e72871ffc07c3dbcf)
(cherry picked from commit 5cbd0958eaf25952055c08e3fdc065b815634a3e)

bug_613624_upstream_7777_0002 Second part of fix for bug 7777 When requesting look.patch

source3/winbindd/idmap_util.c | 31 25 + 6 - 0 !
1 file changed, 25 insertions(+), 6 deletions(-)

 [patch 2/2] second part of fix for bug #7777 - when requesting lookups for builtin sids, winbindd allocates new uids/gids in error.

Ensure we return after calling passdb for SID lookups for which we are
authoritative.

Jeremy.
(cherry picked from commit b5c8b1bbb53caa0ceabb4a5180ff7deb1e58b538)
(cherry picked from commit 8af876432a83292db672c5f7a1fb7e0ec9c1cf65)

upstream_7880_0001 s3 rpcclient Fix bug 7880 cmd_spoolss_deletedriver r.patch

source3/rpcclient/cmd_spoolss.c | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 [patch 13/13] s3-rpcclient: fix bug #7880: cmd_spoolss_deletedriver() returned without checking all architectures.

Continues now with next architecture if no driver is available.

Because of the broken behavior of the rpccli_*() functions,
we need special error code handling.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f5af66e67d7c6d62315671c0cf57f47973316226)
(cherry picked from commit dc63f45b523deb5c3d0c4be4239507e5fc4f6a40)

security CVE 2011 2694.patch

source3/web/swat.c | 14 2 + 12 - 0 !
1 file changed, 2 insertions(+), 12 deletions(-)

---
security CVE 2011 2522.patch

source3/web/cgi.c | 29 28 + 1 - 0 !
source3/web/statuspage.c | 7 7 + 0 - 0 !
source3/web/swat.c | 124 118 + 6 - 0 !
source3/web/swat_proto.h | 6 6 + 0 - 0 !
4 files changed, 159 insertions(+), 7 deletions(-)

---
0001 s3 Fix bug 8238 KB2536276 prevents access to sha.patch

source3/smbd/negprot.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] s3: fix bug 8238 -- kb2536276 prevents access to shares

Without this we were not sending the workgroup name in the negprot reply if
plain text passwords are used.

security CVE 2012 1182.patch

pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 131 100 + 31 - 0 !
1 file changed, 100 insertions(+), 31 deletions(-)

 fix cve-2012-1182: pidl based autogenerated code allows overwriting beyond of allocated array

security CVE 2012 2111.patch

source3/rpc_server/srv_lsa_nt.c | 20 14 + 6 - 0 !
1 file changed, 14 insertions(+), 6 deletions(-)

 [patch] fix bug #8873 - self granting privileges in security=ads.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=8873


debian changes 2:3.5.6~dfsg 3squeeze8

librpc/gen_ndr/ndr_dcerpc.c | 42 29 + 13 - 0 !
librpc/gen_ndr/ndr_dfs.c | 840 548 + 292 - 0 !
librpc/gen_ndr/ndr_drsuapi.c | 1031 678 + 353 - 0 !
librpc/gen_ndr/ndr_dssetup.c | 36 24 + 12 - 0 !
librpc/gen_ndr/ndr_echo.c | 54 36 + 18 - 0 !
librpc/gen_ndr/ndr_epmapper.c | 54 35 + 19 - 0 !
librpc/gen_ndr/ndr_krb5pac.c | 22 15 + 7 - 0 !
librpc/gen_ndr/ndr_lsa.c | 276 180 + 96 - 0 !
librpc/gen_ndr/ndr_named_pipe_auth.c | 122 82 + 40 - 0 !
librpc/gen_ndr/ndr_ntlmssp.c | 60 45 + 15 - 0 !
librpc/gen_ndr/ndr_ntsvcs.c | 112 75 + 37 - 0 !
librpc/gen_ndr/ndr_samr.c | 182 120 + 62 - 0 !
librpc/gen_ndr/ndr_schannel.c | 52 37 + 15 - 0 !
librpc/gen_ndr/ndr_security.c | 18 12 + 6 - 0 !
librpc/gen_ndr/ndr_srvsvc.c | 2178 1411 + 767 - 0 !
librpc/gen_ndr/ndr_winreg.c | 158 106 + 52 - 0 !
librpc/gen_ndr/ndr_wkssvc.c | 1378 899 + 479 - 0 !
librpc/gen_ndr/ndr_xattr.c | 32 21 + 11 - 0 !
18 files changed, 4353 insertions(+), 2294 deletions(-)

 upstream changes introduced in version 2:3.5.6~dfsg-3squeeze8
 This patch has been created by dpkg-source during the package build.
 Here's the last changelog entry, hopefully it gives details on why
 those changes were made:
 .
 samba (2:3.5.6~dfsg-3squeeze8) stable-security; urgency=high
 .
   * Security update, fixing CVE-2012-2111: security=ads allows users to
     grant themselves additional privileges on the server.
 .
 The person named in the Author field signed this changelog entry.
security CVE 2013 0213.patch

source3/web/swat.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] swat: use x-frame-options header to avoid clickjacking

Jann Horn reported a potential clickjacking vulnerability in SWAT where
the SWAT page could be embedded into an attacker's page using a frame or
iframe and then used to trick the user to change Samba settings.

Avoid this by telling the browser to refuse the frame embedding via the
X-Frame-Options: DENY header.

Signed-off-by: Kai Blin <kai@samba.org>

security CVE 2013 0214.patch

source3/web/cgi.c | 39 26 + 13 - 0 !
source3/web/swat.c | 2 2 + 0 - 0 !
source3/web/swat_proto.h | 1 1 + 0 - 0 !
3 files changed, 29 insertions(+), 13 deletions(-)

 [patch] swat: use additional nonce on xsrf protection

If the user had a weak password on the root account of a machine running
SWAT, there still was a chance of being targeted by an XSRF on a
malicious web site targeting the SWAT setup.

Use a random nonce stored in secrets.tdb to close this possible attack
window. Thanks to Jann Horn for reporting this issue.

Signed-off-by: Kai Blin <kai@samba.org>

security CVE 2013 4124.patch

source3/smbd/nttrans.c | 12 12 + 0 - 0 !
1 file changed, 12 insertions(+)

---
security CVE 2013 4408.patch

lib/async_req/async_sock.c | 5 5 + 0 - 0 !
libcli/util/ntstatus.h | 15 11 + 4 - 0 !
source3/lib/netapi/group.c | 100 100 + 0 - 0 !
source3/lib/netapi/localgroup.c | 9 8 + 1 - 0 !
source3/lib/netapi/user.c | 72 72 + 0 - 0 !
source3/lib/util_tsock.c | 5 5 + 0 - 0 !
source3/libnet/libnet_join.c | 16 16 + 0 - 0 !
source3/libsmb/nterr.c | 13 9 + 4 - 0 !
source3/rpc_client/cli_lsarpc.c | 31 31 + 0 - 0 !
source3/rpc_client/cli_pipe.c | 62 54 + 8 - 0 !
source3/rpc_server/srv_pipe.c | 3 2 + 1 - 0 !
source3/rpc_server/srv_pipe_hnd.c | 22 20 + 2 - 0 !
source3/rpcclient/cmd_lsarpc.c | 15 12 + 3 - 0 !
source3/rpcclient/cmd_samr.c | 70 70 + 0 - 0 !
source3/smbd/lanman.c | 8 8 + 0 - 0 !
source3/utils/net_rpc.c | 48 47 + 1 - 0 !
source3/utils/net_rpc_join.c | 9 9 + 0 - 0 !
source3/winbindd/winbindd_rpc.c | 8 5 + 3 - 0 !
source4/libcli/util/clilsa.c | 22 20 + 2 - 0 !
source4/libcli/util/nterr.c | 8 8 + 0 - 0 !
source4/libnet/groupinfo.c | 10 7 + 3 - 0 !
source4/libnet/groupman.c | 10 5 + 5 - 0 !
source4/libnet/libnet_join.c | 12 10 + 2 - 0 !
source4/libnet/libnet_lookup.c | 5 5 + 0 - 0 !
source4/libnet/libnet_passwd.c | 10 9 + 1 - 0 !
source4/libnet/userinfo.c | 9 7 + 2 - 0 !
source4/libnet/userman.c | 24 10 + 14 - 0 !
source4/librpc/rpc/dcerpc.c | 4 4 + 0 - 0 !
source4/librpc/rpc/dcerpc_smb.c | 6 6 + 0 - 0 !
source4/librpc/rpc/dcerpc_smb2.c | 6 6 + 0 - 0 !
source4/librpc/rpc/dcerpc_sock.c | 6 6 + 0 - 0 !
source4/rpc_server/service_rpc.c | 14 14 + 0 - 0 !
source4/winbind/wb_async_helpers.c | 26 24 + 2 - 0 !
33 files changed, 625 insertions(+), 58 deletions(-)

     dce-rpc fragment length field is incorrectly checked.
==
== CVE ID#:     CVE-2013-4408
==
== Versions:    All versions of Samba later than 3.4.0
==
== Summary:     Incorrect length checks on DCE-RPC fragment lengths
==              cause Samba client utilities including winbindd to
==              be vulnerable to buffer overrun exploits.
==
===========================================================

===========
Description
===========

Samba versions 3.4.0 and above (versions 3.4.0 - 3.4.17, 3.5.0 -
3.5.22, 3.6.0 - 3.6.21, 4.0.0 - 4.0.12 and including 4.1.2) are
vulnerable to buffer overrun exploits in the client processing of
DCE-RPC packets. This is due to incorrect checking of the DCE-RPC
fragment length in the client code.

This is a critical vulnerability as the DCE-RPC client code is part of
the winbindd authentication and identity mapping daemon, which is
commonly configured as part of many server installations (when joined
to an Active Directory Domain). A malicious Active Directory Domain
Controller or man-in-the-middle attacker impersonating an Active
Directory Domain Controller could achieve root-level access by
compromising the winbindd process.

Samba server versions 3.4.0 - 3.4.17 and versions 3.5.0 - 3.5.22 are
also vulnerable to a denial of service attack (server crash) due to a
similar error in the server code of those versions.

Samba server versions 3.6.0 and above (including all 3.6.x versions,
all 4.0.x versions and 4.1.x) are not vulnerable to this problem.

In addition range checks were missing on arguments returned from calls
to the DCE-RPC functions LookupSids (lsa and samr), LookupNames (lsa and samr)
and LookupRids (samr) which could also cause similar problems.

As this was found during an internal audit of the Samba code there are
no currently known exploits for this problem (as of December 9th 2013).


security CVE 2015 0240.patch

source3/rpc_server/srv_netlog_nt.c | 26 22 + 4 - 0 !
1 file changed, 22 insertions(+), 4 deletions(-)

     unexpected code execution in smbd.
==
== CVE ID#:     CVE-2015-0240
==
== Versions:    Samba 3.5.0 to 4.2.0rc4
==
== Summary:     Unauthenticated code execution attack on
==              smbd file services.
==
===========================================================

===========
Description
===========

All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an
unexpected code execution vulnerability in the smbd file server
daemon.

A malicious client could send packets that may set up the stack in
such a way that the freeing of memory in a subsequent anonymous
netlogon packet could allow execution of arbitrary code. This code
would execute with root privileges.

=======
Credits
=======

This problem was found by Richard van Eeden of Microsoft Vulnerability
Research, who also provided the fix.



CVE 2015 5252 v3 6 bso11395.patch

source3/smbd/vfs.c | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 [patch] cve-2015-5252: s3: smbd: fix symlink verification (file
 access outside the share).

Ensure matching component ends in '/' or '\0'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395

Signed-off-by: Jeremy Allison <jra@samba.org>
CVE 2015 5296 v3 6 bso11536.patch

source3/libsmb/clidfs.c | 7 6 + 1 - 0 !
source3/libsmb/libsmb_server.c | 13 11 + 2 - 0 !
2 files changed, 17 insertions(+), 3 deletions(-)

 [patch 1/2] cve-2015-5296: s3:libsmb: force signing when requiring
 encryption in do_connect()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536

Signed-off-by: Stefan Metzmacher <metze@samba.org>
CVE 2015 5299 v3 6 bso11529.patch

source3/modules/vfs_shadow_copy2.c | 47 47 + 0 - 0 !
source4/libcli/security/security.h | 3 3 + 0 - 0 !
2 files changed, 50 insertions(+)

 [patch] cve-2015-5299: s3-shadow-copy2: fix missing access check on
 snapdir

Fix originally from <partha@exablox.com>

https://bugzilla.samba.org/show_bug.cgi?id=11529

Signed-off-by: Jeremy Allison <jra@samba.org>