diff --git a/SOURCES/samba-CVE-2015-3223.patch b/SOURCES/samba-CVE-2015-3223.patch
new file mode 100644
index 0000000..eebe5e3
--- /dev/null
+++ b/SOURCES/samba-CVE-2015-3223.patch
@@ -0,0 +1,219 @@
+From 7a4129ad1075b54e902af703d2582ffb79b99c49 Mon Sep 17 00:00:00 2001
+From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Date: Tue, 24 Nov 2015 13:47:16 +1300
+Subject: [PATCH 5/9] CVE-2015-5330: Fix handling of unicode near string
+ endings
+
+Until now next_codepoint_ext() and next_codepoint_handle_ext() were
+using strnlen(str, 5) to determine how much string they should try to
+decode. This ended up looking past the end of the string when it was not
+null terminated and the final character looked like a multi-byte encoding.
+The fix is to let the caller say how long the string can be.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ lib/util/charset/charset.h     |  9 +++++----
+ lib/util/charset/codepoints.c  | 24 ++++++++++++++++--------
+ lib/util/charset/util_str.c    |  3 ++-
+ lib/util/charset/util_unistr.c |  3 ++-
+ 4 files changed, 25 insertions(+), 14 deletions(-)
+
+diff --git a/lib/util/charset/charset.h b/lib/util/charset/charset.h
+index e4297e4..060f1cf 100644
+--- a/lib/util/charset/charset.h
++++ b/lib/util/charset/charset.h
+@@ -171,15 +171,16 @@ smb_iconv_t get_conv_handle(struct smb_iconv_handle *ic,
+ 			    charset_t from, charset_t to);
+ const char *charset_name(struct smb_iconv_handle *ic, charset_t ch);
+ 
+-codepoint_t next_codepoint_ext(const char *str, charset_t src_charset,
+-			       size_t *size);
++codepoint_t next_codepoint_ext(const char *str, size_t len,
++			       charset_t src_charset, size_t *size);
+ codepoint_t next_codepoint(const char *str, size_t *size);
+ ssize_t push_codepoint(char *str, codepoint_t c);
+ 
+ /* codepoints */
+ codepoint_t next_codepoint_handle_ext(struct smb_iconv_handle *ic,
+-			    const char *str, charset_t src_charset,
+-			    size_t *size);
++				      const char *str, size_t len,
++				      charset_t src_charset,
++				      size_t *size);
+ codepoint_t next_codepoint_handle(struct smb_iconv_handle *ic,
+ 			    const char *str, size_t *size);
+ ssize_t push_codepoint_handle(struct smb_iconv_handle *ic,
+diff --git a/lib/util/charset/codepoints.c b/lib/util/charset/codepoints.c
+index 0984164..542eeae 100644
+--- a/lib/util/charset/codepoints.c
++++ b/lib/util/charset/codepoints.c
+@@ -319,7 +319,8 @@ smb_iconv_t get_conv_handle(struct smb_iconv_handle *ic,
+  */
+ _PUBLIC_ codepoint_t next_codepoint_handle_ext(
+ 			struct smb_iconv_handle *ic,
+-			const char *str, charset_t src_charset,
++			const char *str, size_t len,
++			charset_t src_charset,
+ 			size_t *bytes_consumed)
+ {
+ 	/* it cannot occupy more than 4 bytes in UTF16 format */
+@@ -339,7 +340,7 @@ _PUBLIC_ codepoint_t next_codepoint_handle_ext(
+ 	 * we assume that no multi-byte character can take more than 5 bytes.
+ 	 * This is OK as we only support codepoints up to 1M (U+100000)
+ 	 */
+-	ilen_orig = strnlen(str, 5);
++	ilen_orig = MIN(len, 5);
+ 	ilen = ilen_orig;
+ 
+ 	descriptor = get_conv_handle(ic, src_charset, CH_UTF16);
+@@ -395,9 +396,16 @@ _PUBLIC_ codepoint_t next_codepoint_handle_ext(
+   return INVALID_CODEPOINT if the next character cannot be converted
+ */
+ _PUBLIC_ codepoint_t next_codepoint_handle(struct smb_iconv_handle *ic,
+-				    const char *str, size_t *size)
++					   const char *str, size_t *size)
+ {
+-	return next_codepoint_handle_ext(ic, str, CH_UNIX, size);
++	/*
++	 * We assume that no multi-byte character can take more than 5 bytes
++	 * thus avoiding walking all the way down a long string. This is OK as
++	 * Unicode codepoints only go up to (U+10ffff), which can always be
++	 * encoded in 4 bytes or less.
++	 */
++	return next_codepoint_handle_ext(ic, str, strnlen(str, 5), CH_UNIX,
++					 size);
+ }
+ 
+ /*
+@@ -459,11 +467,11 @@ _PUBLIC_ ssize_t push_codepoint_handle(struct smb_iconv_handle *ic,
+ 	return 5 - olen;
+ }
+ 
+-_PUBLIC_ codepoint_t next_codepoint_ext(const char *str, charset_t src_charset,
+-					size_t *size)
++_PUBLIC_ codepoint_t next_codepoint_ext(const char *str, size_t len,
++					charset_t src_charset, size_t *size)
+ {
+-	return next_codepoint_handle_ext(get_iconv_handle(), str,
+-					      src_charset, size);
++	return next_codepoint_handle_ext(get_iconv_handle(), str, len,
++					 src_charset, size);
+ }
+ 
+ _PUBLIC_ codepoint_t next_codepoint(const char *str, size_t *size)
+diff --git a/lib/util/charset/util_str.c b/lib/util/charset/util_str.c
+index d2e6cbb..2653bfc 100644
+--- a/lib/util/charset/util_str.c
++++ b/lib/util/charset/util_str.c
+@@ -210,7 +210,8 @@ _PUBLIC_ size_t strlen_m_ext_handle(struct smb_iconv_handle *ic,
+ 
+ 	while (*s) {
+ 		size_t c_size;
+-		codepoint_t c = next_codepoint_handle_ext(ic, s, src_charset, &c_size);
++		codepoint_t c = next_codepoint_handle_ext(ic, s, strnlen(s, 5),
++							  src_charset, &c_size);
+ 		s += c_size;
+ 
+ 		switch (dst_charset) {
+diff --git a/lib/util/charset/util_unistr.c b/lib/util/charset/util_unistr.c
+index e4ae650..f299269 100644
+--- a/lib/util/charset/util_unistr.c
++++ b/lib/util/charset/util_unistr.c
+@@ -112,7 +112,8 @@ _PUBLIC_ char *strupper_talloc_n_handle(struct smb_iconv_handle *iconv_handle,
+ 
+ 	while (n-- && *src) {
+ 		size_t c_size;
+-		codepoint_t c = next_codepoint_handle(iconv_handle, src, &c_size);
++		codepoint_t c = next_codepoint_handle_ext(iconv_handle, src, n,
++							  CH_UNIX, &c_size);
+ 		src += c_size;
+ 
+ 		c = toupper_m(c);
+-- 
+2.5.0
+
+
+From 382a9146a88b7aac7db4c64519b3da5611c817ef Mon Sep 17 00:00:00 2001
+From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Date: Tue, 24 Nov 2015 13:49:09 +1300
+Subject: [PATCH 6/9] CVE-2015-5330: strupper_talloc_n_handle(): properly count
+ characters
+
+When a codepoint eats more than one byte we really want to know,
+especially if the string is not NUL terminated.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ lib/util/charset/util_unistr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/util/charset/util_unistr.c b/lib/util/charset/util_unistr.c
+index f299269..2cc8718 100644
+--- a/lib/util/charset/util_unistr.c
++++ b/lib/util/charset/util_unistr.c
+@@ -110,11 +110,12 @@ _PUBLIC_ char *strupper_talloc_n_handle(struct smb_iconv_handle *iconv_handle,
+ 		return NULL;
+ 	}
+ 
+-	while (n-- && *src) {
++	while (n && *src) {
+ 		size_t c_size;
+ 		codepoint_t c = next_codepoint_handle_ext(iconv_handle, src, n,
+ 							  CH_UNIX, &c_size);
+ 		src += c_size;
++		n -= c_size;
+ 
+ 		c = toupper_m(c);
+ 
+-- 
+2.5.0
+
+
+From f317c31922a9ee8ae5ee9c0895a72ee6828d2c81 Mon Sep 17 00:00:00 2001
+From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Date: Tue, 24 Nov 2015 13:54:09 +1300
+Subject: [PATCH 7/9] CVE-2015-5330: next_codepoint_handle_ext: don't
+ short-circuit UTF16 low bytes
+
+UTF16 contains zero bytes when it is encoding ASCII (for example), so we
+can't assume the absense of the 0x80 bit means a one byte encoding. No
+current callers use UTF16.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ lib/util/charset/codepoints.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/util/charset/codepoints.c b/lib/util/charset/codepoints.c
+index 542eeae..19d084f 100644
+--- a/lib/util/charset/codepoints.c
++++ b/lib/util/charset/codepoints.c
+@@ -331,7 +331,10 @@ _PUBLIC_ codepoint_t next_codepoint_handle_ext(
+ 	size_t olen;
+ 	char *outbuf;
+ 
+-	if ((str[0] & 0x80) == 0) {
++
++	if (((str[0] & 0x80) == 0) && (src_charset == CH_DOS ||
++				       src_charset == CH_UNIX ||
++				       src_charset == CH_UTF8)) {
+ 		*bytes_consumed = 1;
+ 		return (codepoint_t)str[0];
+ 	}
+-- 
+2.5.0
+
+
+
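Review bot: The file name and the changelog entry say CVE-2015-3223, but all three commits carried in this patch file are tagged CVE-2015-5330 in their Subject lines and touch only lib/util/charset (`charset.h`, `codepoints.c`, `util_str.c`, `util_unistr.c`); nothing visible here changes LDAP server code. They are numbered 5/9, 6/9 and 7/9, so the rest of that series is not in this file. If the intent is to ship the CVE-2015-5330 string-handling fixes, the file name and the `%changelog` line should name that CVE so advisory tracking matches what is applied; if CVE-2015-3223 is fixed elsewhere (for example in a separate library package), the changelog should say so. Separately, in patch 7/9 the fast path still reads `str[0]` before the new `len` is consulted, so a header comment on `next_codepoint_handle_ext()` stating that callers must pass `len >= 1` would make the contract explicit.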
diff --git a/SOURCES/samba-CVE-2015-5252.patch b/SOURCES/samba-CVE-2015-5252.patch
new file mode 100644
index 0000000..d33a3c6
--- /dev/null
+++ b/SOURCES/samba-CVE-2015-5252.patch
@@ -0,0 +1,64 @@
+From 5801fe1f6ca8ea03af5b485872097e5c9a1689b4 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 9 Jul 2015 10:58:11 -0700
+Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file
+ access outside the share).
+
+Ensure matching component ends in '/' or '\0'.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/smbd/vfs.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
+index 1281322..7138759 100644
+--- a/source3/smbd/vfs.c
++++ b/source3/smbd/vfs.c
+@@ -996,6 +996,7 @@ NTSTATUS check_reduced_name_with_privilege(connection_struct *conn,
+ 	struct smb_filename *smb_fname_cwd = NULL;
+ 	struct privilege_paths *priv_paths = NULL;
+ 	int ret;
++	bool matched;
+ 
+ 	DEBUG(3,("check_reduced_name_with_privilege [%s] [%s]\n",
+ 			fname,
+@@ -1090,7 +1091,10 @@ NTSTATUS check_reduced_name_with_privilege(connection_struct *conn,
+ 	}
+ 
+ 	rootdir_len = strlen(conn_rootdir);
+-	if (strncmp(conn_rootdir, resolved_name, rootdir_len) != 0) {
++	matched = (strncmp(conn_rootdir, resolved_name, rootdir_len) == 0);
++
++	if (!matched || (resolved_name[rootdir_len] != '/' &&
++			 resolved_name[rootdir_len] != '\0')) {
+ 		DEBUG(2, ("check_reduced_name_with_privilege: Bad access "
+ 			"attempt: %s is a symlink outside the "
+ 			"share path\n",
+@@ -1230,6 +1234,7 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
+ 	if (!allow_widelinks || !allow_symlinks) {
+ 		const char *conn_rootdir;
+ 		size_t rootdir_len;
++		bool matched;
+ 
+ 		conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
+ 		if (conn_rootdir == NULL) {
+@@ -1240,8 +1245,10 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
+ 		}
+ 
+ 		rootdir_len = strlen(conn_rootdir);
+-		if (strncmp(conn_rootdir, resolved_name,
+-				rootdir_len) != 0) {
++		matched = (strncmp(conn_rootdir, resolved_name,
++				rootdir_len) == 0);
++		if (!matched || (resolved_name[rootdir_len] != '/' &&
++				 resolved_name[rootdir_len] != '\0')) {
+ 			DEBUG(2, ("check_reduced_name: Bad access "
+ 				"attempt: %s is a symlink outside the "
+ 				"share path\n", fname));
+-- 
+2.5.0
+
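Review bot: The new boundary test rejects every path when the share root is `/`: `rootdir_len` is then 1 and `resolved_name[1]` is the first character of the next component, which is neither `/` nor `\0`. The same holds for any `conn_rootdir` that ends in a slash. This fails closed, but it turns the traversal fix into a denial of access for such shares, and both `check_reduced_name_with_privilege()` and `check_reduced_name()` carry the same test. A guard such as `if (strcmp(conn_rootdir, "/") != 0 && (!matched || ...))` would cover the root case, assuming `resolved_name` is always absolute at this point, which the hunks do not show. Both function bodies continue outside the hunks.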
diff --git a/SOURCES/samba-CVE-2015-5296.patch b/SOURCES/samba-CVE-2015-5296.patch
new file mode 100644
index 0000000..8196104
--- /dev/null
+++ b/SOURCES/samba-CVE-2015-5296.patch
@@ -0,0 +1,175 @@
+From 02c216582331ee4bafc6f558c3c7de65d08c655f Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 30 Sep 2015 21:17:02 +0200
+Subject: [PATCH 1/3] CVE-2015-5296: s3:libsmb: force signing when requiring
+ encryption in do_connect()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+---
+ source3/libsmb/clidfs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
+index b823370..5dfddee 100644
+--- a/source3/libsmb/clidfs.c
++++ b/source3/libsmb/clidfs.c
+@@ -114,6 +114,11 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
+ 	const char *domain;
+ 	NTSTATUS status;
+ 	int flags = 0;
++	int signing_state = get_cmdline_auth_info_signing_state(auth_info);
++
++	if (force_encrypt) {
++		signing_state = SMB_SIGNING_REQUIRED;
++	}
+ 
+ 	/* make a copy so we don't modify the global string 'service' */
+ 	servicename = talloc_strdup(ctx,share);
+@@ -152,7 +157,7 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
+ 
+ 	status = cli_connect_nb(
+ 		server, NULL, port, name_type, NULL,
+-		get_cmdline_auth_info_signing_state(auth_info),
++		signing_state,
+ 		flags, &c);
+ 
+ 	if (!NT_STATUS_IS_OK(status)) {
+-- 
+2.5.0
+
+
+From 9e607c8fd3dfb6091477a34b1bbdfa18526c9f98 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 30 Sep 2015 21:17:02 +0200
+Subject: [PATCH 2/3] CVE-2015-5296: s3:libsmb: force signing when requiring
+ encryption in SMBC_server_internal()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+---
+ source3/libsmb/libsmb_server.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
+index 5410099..0a58d8c 100644
+--- a/source3/libsmb/libsmb_server.c
++++ b/source3/libsmb/libsmb_server.c
+@@ -273,6 +273,7 @@ SMBC_server_internal(TALLOC_CTX *ctx,
+ 	char *newserver, *newshare;
+ 	int flags = 0;
+ 	struct smbXcli_tcon *tcon = NULL;
++	int signing_state = SMB_SIGNING_DEFAULT;
+ 
+ 	ZERO_STRUCT(c);
+ 	*in_cache = false;
+@@ -439,6 +440,10 @@ SMBC_server_internal(TALLOC_CTX *ctx,
+ 		flags |= CLI_FULL_CONNECTION_USE_NT_HASH;
+ 	}
+ 
++	if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
++		signing_state = SMB_SIGNING_REQUIRED;
++	}
++
+ 	if (port == 0) {
+ 	        if (share == NULL || *share == '\0' || is_ipc) {
+ 			/*
+@@ -446,7 +451,7 @@ SMBC_server_internal(TALLOC_CTX *ctx,
+ 			 */
+ 			status = cli_connect_nb(server_n, NULL, NBT_SMB_PORT, 0x20,
+ 					smbc_getNetbiosName(context),
+-					SMB_SIGNING_DEFAULT, flags, &c);
++					signing_state, flags, &c);
+ 		}
+ 	}
+ 
+@@ -456,7 +461,7 @@ SMBC_server_internal(TALLOC_CTX *ctx,
+ 		 */
+ 		status = cli_connect_nb(server_n, NULL, port, 0x20,
+ 					smbc_getNetbiosName(context),
+-					SMB_SIGNING_DEFAULT, flags, &c);
++					signing_state, flags, &c);
+ 	}
+ 
+ 	if (!NT_STATUS_IS_OK(status)) {
+@@ -745,6 +750,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
+         ipc_srv = SMBC_find_server(ctx, context, server, "*IPC$",
+                                    pp_workgroup, pp_username, pp_password);
+         if (!ipc_srv) {
++		int signing_state = SMB_SIGNING_DEFAULT;
+ 
+                 /* We didn't find a cached connection.  Get the password */
+ 		if (!*pp_password || (*pp_password)[0] == '\0') {
+@@ -766,6 +772,9 @@ SMBC_attr_server(TALLOC_CTX *ctx,
+                 if (smbc_getOptionUseCCache(context)) {
+                         flags |= CLI_FULL_CONNECTION_USE_CCACHE;
+                 }
++		if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
++			signing_state = SMB_SIGNING_REQUIRED;
++		}
+ 
+                 nt_status = cli_full_connection(&ipc_cli,
+ 						lp_netbios_name(), server,
+@@ -774,7 +783,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
+ 						*pp_workgroup,
+ 						*pp_password,
+ 						flags,
+-						SMB_SIGNING_DEFAULT);
++						signing_state);
+                 if (! NT_STATUS_IS_OK(nt_status)) {
+                         DEBUG(1,("cli_full_connection failed! (%s)\n",
+                                  nt_errstr(nt_status)));
+-- 
+2.5.0
+
+
+From 289cbf6636e02c1e5125de990e0b22bbb30a0504 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 30 Sep 2015 21:23:25 +0200
+Subject: [PATCH 3/3] CVE-2015-5296: libcli/smb: make sure we require signing
+ when we demand encryption on a session
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+---
+ libcli/smb/smbXcli_base.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
+index 69599bd..b00afbc 100644
+--- a/libcli/smb/smbXcli_base.c
++++ b/libcli/smb/smbXcli_base.c
+@@ -5085,6 +5085,9 @@ uint8_t smb2cli_session_security_mode(struct smbXcli_session *session)
+ 	if (conn->mandatory_signing) {
+ 		security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
+ 	}
++	if (session->smb2->should_sign) {
++		security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
++	}
+ 
+ 	return security_mode;
+ }
+@@ -5383,6 +5386,14 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
+ 
+ NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session)
+ {
++	if (!session->smb2->should_sign) {
++		/*
++		 * We need required signing on the session
++		 * in order to prevent man in the middle attacks.
++		 */
++		return NT_STATUS_INVALID_PARAMETER_MIX;
++	}
++
+ 	if (session->smb2->should_encrypt) {
+ 		return NT_STATUS_OK;
+ 	}
+-- 
+2.5.0
+
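Review bot: In `SMBC_server_internal()` and `SMBC_attr_server()` signing is forced for every `smb_encryption_level` other than `SMBC_ENCRYPTLEVEL_NONE`, while the commit subject speaks only of requiring encryption; a level that merely requests encryption would presumably now also fail against a server that cannot sign. If that is intended, a comment at both sites would record it, e.g. `/* Any encryption level other than NONE needs mandatory signing, otherwise the negotiation can be downgraded. */`. Related to this, `smb2cli_session_encryption_on()` now returns `NT_STATUS_INVALID_PARAMETER_MIX` for sessions without `should_sign`, and the function has no header comment stating that precondition for callers. `signing_state` is declared `int` in all three places; if `cli_connect_nb()` and `cli_full_connection()` take an enum type for it, using that type would be clearer (their prototypes are not visible here).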
diff --git a/SOURCES/samba-CVE-2015-5299.patch b/SOURCES/samba-CVE-2015-5299.patch
new file mode 100644
index 0000000..2d9a956
--- /dev/null
+++ b/SOURCES/samba-CVE-2015-5299.patch
@@ -0,0 +1,96 @@
+From 9588c4950c9b3dd6c16b899156e6d985c7b43187 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 23 Oct 2015 14:54:31 -0700
+Subject: [PATCH] CVE-2015-5299: s3-shadow-copy2: fix missing access check on
+ snapdir
+
+Fix originally from <partha@exablox.com>
+
+https://bugzilla.samba.org/show_bug.cgi?id=11529
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: David Disseldorp <ddiss@samba.org>
+---
+ source3/modules/vfs_shadow_copy2.c | 45 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c
+index 439df5d..c5c2015 100644
+--- a/source3/modules/vfs_shadow_copy2.c
++++ b/source3/modules/vfs_shadow_copy2.c
+@@ -30,6 +30,7 @@
+  */
+ 
+ #include "includes.h"
++#include "smbd/smbd.h"
+ #include "system/filesys.h"
+ #include "include/ntioctl.h"
+ #include <ccan/hash/hash.h>
+@@ -1179,6 +1180,42 @@ static char *have_snapdir(struct vfs_handle_struct *handle,
+ 	return NULL;
+ }
+ 
++static bool check_access_snapdir(struct vfs_handle_struct *handle,
++				const char *path)
++{
++	struct smb_filename smb_fname;
++	int ret;
++	NTSTATUS status;
++
++	ZERO_STRUCT(smb_fname);
++	smb_fname.base_name = talloc_asprintf(talloc_tos(),
++						"%s",
++						path);
++	if (smb_fname.base_name == NULL) {
++		return false;
++	}
++
++	ret = SMB_VFS_NEXT_STAT(handle, &smb_fname);
++	if (ret != 0 || !S_ISDIR(smb_fname.st.st_ex_mode)) {
++		TALLOC_FREE(smb_fname.base_name);
++		return false;
++	}
++
++	status = smbd_check_access_rights(handle->conn,
++					&smb_fname,
++					false,
++					SEC_DIR_LIST);
++	if (!NT_STATUS_IS_OK(status)) {
++		DEBUG(0,("user does not have list permission "
++			"on snapdir %s\n",
++			smb_fname.base_name));
++		TALLOC_FREE(smb_fname.base_name);
++		return false;
++	}
++	TALLOC_FREE(smb_fname.base_name);
++	return true;
++}
++
+ /**
+  * Find the snapshot directory (if any) for the given
+  * filename (which is relative to the share).
+@@ -1328,6 +1365,7 @@ static int shadow_copy2_get_shadow_copy_data(
+ 	const char *snapdir;
+ 	struct dirent *d;
+ 	TALLOC_CTX *tmp_ctx = talloc_stackframe();
++	bool ret;
+ 
+ 	snapdir = shadow_copy2_find_snapdir(tmp_ctx, handle, fsp->fsp_name);
+ 	if (snapdir == NULL) {
+@@ -1337,6 +1375,13 @@ static int shadow_copy2_get_shadow_copy_data(
+ 		talloc_free(tmp_ctx);
+ 		return -1;
+ 	}
++	ret = check_access_snapdir(handle, snapdir);
++	if (!ret) {
++		DEBUG(0,("access denied on listing snapdir %s\n", snapdir));
++		errno = EACCES;
++		talloc_free(tmp_ctx);
++		return -1;
++	}
+ 
+ 	p = SMB_VFS_NEXT_OPENDIR(handle, snapdir, NULL, 0);
+ 
+-- 
+2.5.0
+
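Review bot: A denied listing is logged twice at `DEBUG(0, ...)`, once in `check_access_snapdir()` and once in `shadow_copy2_get_shadow_copy_data()`. Level 0 is always written, and the condition appears reachable by any client that lacks list permission on the snapshot directory, so a client can fill the log with top-severity messages. Keeping one message at a lower level, e.g. `DEBUG(2,("access denied on listing snapdir %s\n", snapdir));`, would keep the audit trail without the noise. The check and the following `SMB_VFS_NEXT_OPENDIR()` both work on the path, so the result holds only if the directory cannot be replaced between the two calls; a comment stating that assumption would help. `shadow_copy2_get_shadow_copy_data()` continues outside the hunk.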
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index a64de2b..bd88734 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,7 +6,7 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
 
-%define main_release 10
+%define main_release 11
 
 %define samba_version 4.2.3
 %define talloc_version 2.1.2
@@ -117,6 +117,10 @@ Patch4:         samba-4.2.3-fix_net_ads_keytab_segfault.patch
 Patch5:         samba-4.2.3-fix_force_group.patch
 Patch6:         samba-4.2.3-fix_map_to_guest_bad_uid.patch
 Patch7:         samba-4.2.3-fix_nss_wins.patch
+Patch8:		samba-CVE-2015-3223.patch
+Patch9:		samba-CVE-2015-5299.patch
+Patch10:	samba-CVE-2015-5252.patch
+Patch11:	samba-CVE-2015-5296.patch
 
 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
@@ -697,6 +701,10 @@ and use CTDB instead.
 %patch5 -p1 -b .samba-4.2.3-fix_force_group.patch
 %patch6 -p1 -b .samba-4.2.3-fix_map_to_guest_bad_uid.patch
 %patch7 -p1 -b .samba-4.2.3-fix_nss_wins.patch
+%patch8 -p1 -b .samba-CVE-2015-3223.patch
+%patch9 -p1 -b .samba-CVE-2015-5299.patch
+%patch10 -p1 -b .samba-CVE-2015-5252.patch
+%patch11 -p1 -b .samba-CVE-2015-5296.patch
 
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
@@ -1993,6 +2001,14 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 
 %changelog
+* Fri Dec 11 2015 Guenther Deschner <gdeschner@redhat.com> - 4.2.3-11
+- resolves: #1290710
+- CVE-2015-3223 Remote DoS in Samba (AD) LDAP server
+- CVE-2015-5299 Missing access control check in shadow copy code
+- CVE-2015-5252 Insufficient symlink verification in smbd
+- CVE-2015-5296 Samba client requesting encryption vulnerable to
+                downgrade attack
+
 * Tue Oct 27 2015 Andreas Schneider <asn@redhat.com> - 4.2.3-10
 - related: #1273393 - Fix use after free with nss_wins module loaded