diff --git a/SOURCES/CVE-2016-2125-v4-4.patch b/SOURCES/CVE-2016-2125-v4-4.patch
new file mode 100644
index 0000000..20a98a8
--- /dev/null
+++ b/SOURCES/CVE-2016-2125-v4-4.patch
@@ -0,0 +1,104 @@
+From f775874f1c9e388d51fe04cb9df849c66bc6e8b6 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Wed, 23 Nov 2016 11:41:10 +0100
+Subject: [PATCH 1/3] CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG
+ in nsupdate-gss
+
+This is just an example script that's not directly used by samba,
+but we should avoid sending delegated credentials to dns servers.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+Signed-off-by: Stefan Metzmacher
+Reviewed-by: Alexander Bokovoy
+Reviewed-by: Simo Sorce
+---
+ source4/scripting/bin/nsupdate-gss | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
+index dec5916..509220d 100755
+--- a/source4/scripting/bin/nsupdate-gss
++++ b/source4/scripting/bin/nsupdate-gss
+@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
+ my $flags =
+ GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
+ GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
+- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
++ GSS_C_INTEG_FLAG;
+
+
+ $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
+--
+1.9.1
+
+
+From 1bee1eb5d75191e142c503cf9c5dc36df2453307 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Wed, 23 Nov 2016 11:42:59 +0100
+Subject: [PATCH 2/3] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
+
+We should only use GSS_C_DELEG_POLICY_FLAG in order to let
+the KDC decide if we should send delegated credentials to
+a remote server.
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Alexander Bokovoy +Reviewed-by: Simo Sorce +--- + source3/librpc/crypto/gse.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c +index 963c98a..c4c4bbc 100644 +--- a/source3/librpc/crypto/gse.c ++++ b/source3/librpc/crypto/gse.c +@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx, + memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc)); + + gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG | +- GSS_C_DELEG_FLAG | + GSS_C_DELEG_POLICY_FLAG | + GSS_C_REPLAY_FLAG | + GSS_C_SEQUENCE_FLAG; +-- +1.9.1 + + +From 2c9d1648745ddc9facaf5b9cc84ea7f1117d7710 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 23 Nov 2016 11:44:22 +0100 +Subject: [PATCH 3/3] CVE-2016-2125: s4:gensec_gssapi: don't use + GSS_C_DELEG_FLAG by default + +This disabled the usage of GSS_C_DELEG_FLAG by default, as +GSS_C_DELEG_POLICY_FLAG is still used by default we let the +KDC decide if we should send delegated credentials to a remote server. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Alexander Bokovoy +Reviewed-by: Simo Sorce +--- + source4/auth/gensec/gensec_gssapi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c +index e0b2bf2..e2994f6 100644 +--- a/source4/auth/gensec/gensec_gssapi.c ++++ b/source4/auth/gensec/gensec_gssapi.c +@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) { + gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG; + } +- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) { ++ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) { + gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG; + } + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) { +-- +1.9.1 + diff --git a/SOURCES/CVE-2016-2126-v4-4.patch b/SOURCES/CVE-2016-2126-v4-4.patch new file mode 100644 index 0000000..fd854ba --- /dev/null +++ b/SOURCES/CVE-2016-2126-v4-4.patch 
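Review bot: The `gensec_setting_bool(..., "delegation", false)` line in gensec_gssapi_start flips a security default with no comment, so the next reader sees only a bare boolean change; I would put the rationale on the line above it: `/* CVE-2016-2125: never request unconditional credential delegation (GSS_C_DELEG_FLAG); GSS_C_DELEG_POLICY_FLAG lets the KDC's OK-AS-DELEGATE policy decide. */`. The same one-line comment belongs in gse_context_init where GSS_C_DELEG_FLAG is dropped from gss_want_flags, since the surviving GSS_C_DELEG_POLICY_FLAG on the next line is what makes that removal safe. The commit text says GSS_C_DELEG_POLICY_FLAG is still requested by default in gensec_gssapi, but the hunk does not show where that flag is set, so that claim rests on code outside this diff. gensec_gssapi_start and gse_context_init both extend past the hunks shown.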
@@ -0,0 +1,99 @@ +From 77631ca7c747796bf3d4dc347afb3f0cb5e4be78 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 22 Nov 2016 17:08:46 +0100 +Subject: [PATCH] CVE-2016-2126: auth/kerberos: only allow known checksum types + in check_pac_checksum() + +aes based checksums can only be checked with the +corresponding aes based keytype. + +Otherwise we may trigger an undefined code path +deep in the kerberos libraries, which can leed to +segmentation faults. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446 + +Signed-off-by: Stefan Metzmacher +--- + auth/kerberos/kerberos_pac.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c +index 32d9d7f..7b6efdc 100644 +--- a/auth/kerberos/kerberos_pac.c ++++ b/auth/kerberos/kerberos_pac.c +@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data, + krb5_boolean checksum_valid = false; + krb5_data input; + ++ switch (sig->type) { ++ case CKSUMTYPE_HMAC_MD5: ++ /* ignores the key type */ ++ break; ++ case CKSUMTYPE_HMAC_SHA1_96_AES_256: ++ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) { ++ return EINVAL; ++ } ++ /* ok */ ++ break; ++ case CKSUMTYPE_HMAC_SHA1_96_AES_128: ++ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) { ++ return EINVAL; ++ } ++ /* ok */ ++ break; ++ default: ++ DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n", ++ (int)sig->type)); ++ return EINVAL; ++ } ++ + #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */ + cksum.cksumtype = (krb5_cksumtype)sig->type; + cksum.checksum.length = sig->signature.length; +-- +1.9.1 + +From b6da00dee93b832e271040d80d4f6b6165b51f08 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 19 Jul 2016 16:31:01 +0200 +Subject: [PATCH] krb5_wrap: provide CKSUMTYPE_HMAC_SHA1_96_AES_* +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +MIT only defined this as 
CKSUMTYPE_HMAC_SHA1_96_AES128, +while Heimdal has CKSUMTYPE_HMAC_SHA1_96_AES_128. + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Günther Deschner +(cherry picked from commit bb64c550ae19b08ad4e6d8d26f68c2474cb251e6) +--- + lib/krb5_wrap/krb5_samba.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h +index cef9144..20ef6a3 100644 +--- a/lib/krb5_wrap/krb5_samba.h ++++ b/lib/krb5_wrap/krb5_samba.h +@@ -74,6 +74,17 @@ + #define CKSUMTYPE_HMAC_MD5 CKSUMTYPE_HMAC_MD5_ARCFOUR + #endif + ++/* ++ * CKSUMTYPE_HMAC_SHA1_96_AES_* in Heimdal ++ * CKSUMTYPE_HMAC_SHA1_96_AES* in MIT ++ */ ++#if defined(CKSUMTYPE_HMAC_SHA1_96_AES128) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_128) ++#define CKSUMTYPE_HMAC_SHA1_96_AES_128 CKSUMTYPE_HMAC_SHA1_96_AES128 ++#endif ++#if defined(CKSUMTYPE_HMAC_SHA1_96_AES256) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_256) ++#define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256 ++#endif ++ + typedef struct { + #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ + krb5_address **addrs; +-- +1.9.1 + diff --git a/SOURCES/CVE-2017-2619-v4-4.patch b/SOURCES/CVE-2017-2619-v4-4.patch new file mode 100644 index 0000000..9d07941 --- /dev/null +++ b/SOURCES/CVE-2017-2619-v4-4.patch 
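Review bot: The two key-type mismatch branches in check_pac_checksum return EINVAL silently, while the default branch logs the rejected checksum type; a PAC whose AES checksum arrives with a non-AES key is exactly the malformed or hostile input an operator would want recorded, so I would log before each mismatch `return EINVAL;`, e.g. `DEBUG(2,("check_pac_checksum: Checksum Type %d requires a matching AES key, got key type %d\n", (int)sig->type, (int)KRB5_KEY_TYPE(keyblock)));`. The companion krb5_samba.h hunk only aliases CKSUMTYPE_HMAC_SHA1_96_AES_128/256 when the MIT spelling exists, so on a library that defines neither name the new `case` labels fail to compile; an `#error` fallback under those aliases would make the dependency explicit rather than a build-time surprise. The `CKSUMTYPE_HMAC_MD5` case accepts any key type per its `/* ignores the key type */` comment, which presumably matches what both libraries do but is worth a sentence in the commit message since the title otherwise reads as "only allow known checksum types". check_pac_checksum continues past the hunk.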
@@ -0,0 +1,986 @@ +From 72e7e7b7d378e7ba3afe18ea41802aac5366b094 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Sun, 19 Mar 2017 15:58:17 +0100 +Subject: [PATCH 01/13] CVE-2017-2619: s3/smbd: re-open directory after + dptr_CloseDir() + +dptr_CloseDir() will close and invalidate the fsp's file descriptor, we +have to reopen it. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496 + +Signed-off-by: Ralph Boehme +Reviewed-by: Uri Simchoni +--- + source3/smbd/smb2_query_directory.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/source3/smbd/smb2_query_directory.c b/source3/smbd/smb2_query_directory.c +index 4b6ca1b..1703310 100644 +--- a/source3/smbd/smb2_query_directory.c ++++ b/source3/smbd/smb2_query_directory.c +@@ -24,6 +24,7 @@ + #include "../libcli/smb/smb_common.h" + #include "trans2.h" + #include "../lib/util/tevent_ntstatus.h" ++#include "system/filesys.h" + + static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, +@@ -322,7 +323,23 @@ static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx, + } + + if (in_flags & SMB2_CONTINUE_FLAG_REOPEN) { ++ int flags; ++ + dptr_CloseDir(fsp); ++ ++ /* ++ * dptr_CloseDir() will close and invalidate the fsp's file ++ * descriptor, we have to reopen it. 
++ */ ++ ++ flags = O_RDONLY; ++#ifdef O_DIRECTORY ++ flags |= O_DIRECTORY; ++#endif ++ status = fd_open(conn, fsp, flags, 0); ++ if (tevent_req_nterror(req, status)) { ++ return tevent_req_post(req, ev); ++ } + } + + if (!smbreq->posix_pathnames) { +-- +2.9.3 + + +From f9a9e7ed2f11c8eb9f8f9f40ec054e9735614e91 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Sun, 19 Mar 2017 18:52:10 +0100 +Subject: [PATCH 02/13] CVE-2017-2619: s4/torture: add SMB2_FIND tests with + SMB2_CONTINUE_FLAG_REOPEN flag + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496 + +Signed-off-by: Ralph Boehme +Reviewed-by: Uri Simchoni +--- + source4/torture/smb2/dir.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/source4/torture/smb2/dir.c b/source4/torture/smb2/dir.c +index 98844b4..db8e456 100644 +--- a/source4/torture/smb2/dir.c ++++ b/source4/torture/smb2/dir.c +@@ -674,7 +674,7 @@ bool fill_result(void *private_data, + return true; + } + +-enum continue_type {CONT_SINGLE, CONT_INDEX, CONT_RESTART}; ++enum continue_type {CONT_SINGLE, CONT_INDEX, CONT_RESTART, CONT_REOPEN}; + + static NTSTATUS multiple_smb2_search(struct smb2_tree *tree, + TALLOC_CTX *tctx, +@@ -700,6 +700,9 @@ static NTSTATUS multiple_smb2_search(struct smb2_tree *tree, + + /* The search should start from the beginning everytime */ + f.in.continue_flags = SMB2_CONTINUE_FLAG_RESTART; ++ if (cont_type == CONT_REOPEN) { ++ f.in.continue_flags = SMB2_CONTINUE_FLAG_REOPEN; ++ } + + do { + status = smb2_find_level(tree, tree, &f, &count, &d); +@@ -803,18 +806,23 @@ static bool test_many_files(struct torture_context *tctx, + {"SMB2_FIND_BOTH_DIRECTORY_INFO", "SINGLE", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_SINGLE}, + {"SMB2_FIND_BOTH_DIRECTORY_INFO", "INDEX", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_INDEX}, + {"SMB2_FIND_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, 
CONT_RESTART}, ++ {"SMB2_FIND_BOTH_DIRECTORY_INFO", "REOPEN", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_REOPEN}, + {"SMB2_FIND_DIRECTORY_INFO", "SINGLE", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_SINGLE}, + {"SMB2_FIND_DIRECTORY_INFO", "INDEX", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_INDEX}, + {"SMB2_FIND_DIRECTORY_INFO", "RESTART", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_RESTART}, ++ {"SMB2_FIND_DIRECTORY_INFO", "REOPEN", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_REOPEN}, + {"SMB2_FIND_FULL_DIRECTORY_INFO", "SINGLE", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_SINGLE}, + {"SMB2_FIND_FULL_DIRECTORY_INFO", "INDEX", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_INDEX}, + {"SMB2_FIND_FULL_DIRECTORY_INFO", "RESTART", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_RESTART}, ++ {"SMB2_FIND_FULL_DIRECTORY_INFO", "REOPEN", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_REOPEN}, + {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "SINGLE", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_SINGLE}, + {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "INDEX", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_INDEX}, + {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_RESTART}, ++ {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "REOPEN", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_REOPEN}, + {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "SINGLE", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_SINGLE}, + {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "INDEX", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_INDEX}, +- {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "RESTART", 
SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_RESTART} ++ {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_RESTART}, ++ {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "REOPEN", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_REOPEN}, + }; + + smb2_deltree(tree, DNAME); +-- +2.9.3 + + +From d329035b5bda87ab95a33b8d4af1936079db6fd1 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 19 Dec 2016 11:55:56 -0800 +Subject: [PATCH 03/13] CVE-2017-2619: s3: smbd: Create wrapper function for + OpenDir in preparation for making robust. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 + +Signed-off-by: Jeremy Allison +Reviewed-by: Uri Simchoni +--- + source3/smbd/dir.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c +index 3805915..cbd32e3 100644 +--- a/source3/smbd/dir.c ++++ b/source3/smbd/dir.c +@@ -1588,7 +1588,8 @@ static int smb_Dir_destructor(struct smb_Dir *dirp) + Open a directory. + ********************************************************************/ + +-struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, ++static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, ++ connection_struct *conn, + const char *name, + const char *mask, + uint32_t attr) +@@ -1628,6 +1629,18 @@ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, + return NULL; + } + ++struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, ++ const char *name, ++ const char *mask, ++ uint32_t attr) ++{ ++ return OpenDir_internal(mem_ctx, ++ conn, ++ name, ++ mask, ++ attr); ++} ++ + /******************************************************************* + Open a directory from an fsp. 
+ ********************************************************************/ +-- +2.9.3 + + +From 484dda03a69f5c687b6ec6db1332bcc51e72e0c2 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 19 Dec 2016 16:25:26 -0800 +Subject: [PATCH 04/13] CVE-2017-2619: s3: smbd: Opendir_internal() early + return if SMB_VFS_OPENDIR failed. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 + +Signed-off-by: Jeremy Allison +Reviewed-by: Uri Simchoni +--- + source3/smbd/dir.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c +index cbd32e3..ea4b301 100644 +--- a/source3/smbd/dir.c ++++ b/source3/smbd/dir.c +@@ -1601,20 +1601,12 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, + return NULL; + } + +- dirp->conn = conn; +- dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn)); +- + dirp->dir_path = talloc_strdup(dirp, name); + if (!dirp->dir_path) { + errno = ENOMEM; + goto fail; + } + +- if (sconn && !sconn->using_smb2) { +- sconn->searches.dirhandles_open++; +- } +- talloc_set_destructor(dirp, smb_Dir_destructor); +- + dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr); + if (!dirp->dir) { + DEBUG(5,("OpenDir: Can't open %s. %s\n", dirp->dir_path, +@@ -1622,6 +1614,14 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, + goto fail; + } + ++ dirp->conn = conn; ++ dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn)); ++ ++ if (sconn && !sconn->using_smb2) { ++ sconn->searches.dirhandles_open++; ++ } ++ talloc_set_destructor(dirp, smb_Dir_destructor); ++ + return dirp; + + fail: +-- +2.9.3 + + +From 84d4bbde7c1682e4c8daf680f930a14e3444f659 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 19 Dec 2016 16:35:00 -0800 +Subject: [PATCH 05/13] CVE-2017-2619: s3: smbd: Create and use + open_dir_safely(). Use from OpenDir(). + +Hardens OpenDir against TOC/TOU races. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 + +Signed-off-by: Jeremy Allison +Reviewed-by: Uri Simchoni +--- + source3/smbd/dir.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 61 insertions(+), 9 deletions(-) + +diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c +index ea4b301..39a6e67 100644 +--- a/source3/smbd/dir.c ++++ b/source3/smbd/dir.c +@@ -1601,15 +1601,9 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, + return NULL; + } + +- dirp->dir_path = talloc_strdup(dirp, name); +- if (!dirp->dir_path) { +- errno = ENOMEM; +- goto fail; +- } +- +- dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr); ++ dirp->dir = SMB_VFS_OPENDIR(conn, name, mask, attr); + if (!dirp->dir) { +- DEBUG(5,("OpenDir: Can't open %s. %s\n", dirp->dir_path, ++ DEBUG(5,("OpenDir: Can't open %s. %s\n", name, + strerror(errno) )); + goto fail; + } +@@ -1629,12 +1623,70 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, + return NULL; + } + ++/**************************************************************************** ++ Open a directory handle by pathname, ensuring it's under the share path. ++****************************************************************************/ ++ ++static struct smb_Dir *open_dir_safely(TALLOC_CTX *ctx, ++ connection_struct *conn, ++ const char *name, ++ const char *wcard, ++ uint32_t attr) ++{ ++ struct smb_Dir *dir_hnd = NULL; ++ char *saved_dir = vfs_GetWd(ctx, conn); ++ NTSTATUS status; ++ ++ if (saved_dir == NULL) { ++ return NULL; ++ } ++ ++ if (vfs_ChDir(conn, name) == -1) { ++ goto out; ++ } ++ ++ /* ++ * Now the directory is pinned, use ++ * REALPATH to ensure we can access it. ++ */ ++ status = check_name(conn, "."); ++ if (!NT_STATUS_IS_OK(status)) { ++ goto out; ++ } ++ ++ dir_hnd = OpenDir_internal(ctx, ++ conn, ++ ".", ++ wcard, ++ attr); ++ ++ if (dir_hnd == NULL) { ++ goto out; ++ } ++ ++ /* ++ * OpenDir_internal only gets "." as the dir name. 
++ * Store the real dir name here. ++ */ ++ ++ dir_hnd->dir_path = talloc_strdup(dir_hnd, name); ++ if (!dir_hnd->dir_path) { ++ errno = ENOMEM; ++ } ++ ++ out: ++ ++ vfs_ChDir(conn, saved_dir); ++ TALLOC_FREE(saved_dir); ++ return dir_hnd; ++} ++ + struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, + const char *name, + const char *mask, + uint32_t attr) + { +- return OpenDir_internal(mem_ctx, ++ return open_dir_safely(mem_ctx, + conn, + name, + mask, +-- +2.9.3 + + +From 8aece1e0d15bf059daf70259142e8ad35a7658ed Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 19 Dec 2016 12:13:20 -0800 +Subject: [PATCH 06/13] CVE-2017-2619: s3: smbd: OpenDir_fsp() use early + returns. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 + +Signed-off-by: Jeremy Allison +Reviewed-by: Uri Simchoni +--- + source3/smbd/dir.c | 34 +++++++++++++++++++++------------- + 1 file changed, 21 insertions(+), 13 deletions(-) + +diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c +index 39a6e67..ea4f1ab 100644 +--- a/source3/smbd/dir.c ++++ b/source3/smbd/dir.c +@@ -1706,7 +1706,17 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, + struct smbd_server_connection *sconn = conn->sconn; + + if (!dirp) { +- return NULL; ++ goto fail; ++ } ++ ++ if (!fsp->is_directory) { ++ errno = EBADF; ++ goto fail; ++ } ++ ++ if (fsp->fh->fd == -1) { ++ errno = EBADF; ++ goto fail; + } + + dirp->conn = conn; +@@ -1723,18 +1733,16 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, + } + talloc_set_destructor(dirp, smb_Dir_destructor); + +- if (fsp->is_directory && fsp->fh->fd != -1) { +- dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr); +- if (dirp->dir != NULL) { +- dirp->fsp = fsp; +- } else { +- DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned " +- "NULL (%s)\n", +- dirp->dir_path, +- strerror(errno))); +- if (errno != ENOSYS) { +- return NULL; +- } ++ dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr); ++ if 
(dirp->dir != NULL) { ++ dirp->fsp = fsp; ++ } else { ++ DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned " ++ "NULL (%s)\n", ++ dirp->dir_path, ++ strerror(errno))); ++ if (errno != ENOSYS) { ++ return NULL; + } + } + +-- +2.9.3 + + +From 16fa5af1a491c410d4579434b7e9f6e388ea319b Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 19 Dec 2016 12:15:59 -0800 +Subject: [PATCH 07/13] CVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory + leak on error. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 + +Signed-off-by: Jeremy Allison +Reviewed-by: Uri Simchoni +--- + source3/smbd/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c +index ea4f1ab..b8034be 100644 +--- a/source3/smbd/dir.c ++++ b/source3/smbd/dir.c +@@ -1742,7 +1742,7 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, + dirp->dir_path, + strerror(errno))); + if (errno != ENOSYS) { +- return NULL; ++ goto fail; + } + } + +-- +2.9.3 + + +From 2c1830915b0b59646503ee4d043fd9176090627f Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 19 Dec 2016 12:32:07 -0800 +Subject: [PATCH 08/13] CVE-2017-2619: s3: smbd: Move the reference counting + and destructor setup to just before retuning success. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 + +Signed-off-by: Jeremy Allison +Reviewed-by: Uri Simchoni +--- + source3/smbd/dir.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c +index b8034be..6b62f14 100644 +--- a/source3/smbd/dir.c ++++ b/source3/smbd/dir.c +@@ -1728,11 +1728,6 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, + goto fail; + } + +- if (sconn && !sconn->using_smb2) { +- sconn->searches.dirhandles_open++; +- } +- talloc_set_destructor(dirp, smb_Dir_destructor); +- + dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr); + if (dirp->dir != NULL) { + dirp->fsp = fsp; +@@ -1757,6 +1752,11 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, + goto fail; + } + ++ if (sconn && !sconn->using_smb2) { ++ sconn->searches.dirhandles_open++; ++ } ++ talloc_set_destructor(dirp, smb_Dir_destructor); ++ + return dirp; + + fail: +-- +2.9.3 + + +From 72bf8c2c2b2c4aff1ac4da52aa087c060ea5eef1 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 19 Dec 2016 12:35:32 -0800 +Subject: [PATCH 09/13] CVE-2017-2619: s3: smbd: Correctly fallback to + open_dir_safely if FDOPENDIR not supported on system. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 + +Signed-off-by: Jeremy Allison +Reviewed-by: Uri Simchoni +--- + source3/smbd/dir.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c +index 6b62f14..3432788 100644 +--- a/source3/smbd/dir.c ++++ b/source3/smbd/dir.c +@@ -1742,14 +1742,13 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, + } + + if (dirp->dir == NULL) { +- /* FDOPENDIR didn't work. Use OPENDIR instead. */ +- dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr); +- } +- +- if (!dirp->dir) { +- DEBUG(5,("OpenDir_fsp: Can't open %s. 
%s\n", dirp->dir_path, +- strerror(errno) )); +- goto fail; ++ /* FDOPENDIR is not supported. Use OPENDIR instead. */ ++ TALLOC_FREE(dirp); ++ return open_dir_safely(mem_ctx, ++ conn, ++ fsp->fsp_name->base_name, ++ mask, ++ attr); + } + + if (sconn && !sconn->using_smb2) { +-- +2.9.3 + + +From 015e488ce39e097944acdad7a88a801386d9935b Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 15 Dec 2016 12:52:13 -0800 +Subject: [PATCH 10/13] CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We + insist on O_NOFOLLOW existing. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 + +Signed-off-by: Jeremy Allison +Reviewed-by: Uri Simchoni +--- + source3/smbd/open.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/source3/smbd/open.c b/source3/smbd/open.c +index 1c67684..a014b5e 100644 +--- a/source3/smbd/open.c ++++ b/source3/smbd/open.c +@@ -363,8 +363,7 @@ NTSTATUS fd_open(struct connection_struct *conn, + struct smb_filename *smb_fname = fsp->fsp_name; + NTSTATUS status = NT_STATUS_OK; + +-#ifdef O_NOFOLLOW +- /* ++ /* + * Never follow symlinks on a POSIX client. The + * client should be doing this. 
+ */ +@@ -372,12 +371,10 @@ NTSTATUS fd_open(struct connection_struct *conn, + if ((fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) || !lp_follow_symlinks(SNUM(conn))) { + flags |= O_NOFOLLOW; + } +-#endif + + fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode); + if (fsp->fh->fd == -1) { + int posix_errno = errno; +-#ifdef O_NOFOLLOW + #if defined(ENOTSUP) && defined(OSF1) + /* handle special Tru64 errno */ + if (errno == ENOTSUP) { +@@ -394,7 +391,6 @@ NTSTATUS fd_open(struct connection_struct *conn, + if (errno == EMLINK) { + posix_errno = ELOOP; + } +-#endif /* O_NOFOLLOW */ + status = map_nt_error_from_unix(posix_errno); + if (errno == EMFILE) { + static time_t last_warned = 0L; +-- +2.9.3 + + +From b7199aaa0a4d10dd6b3d2a040e345a209ec0c42f Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 15 Dec 2016 12:56:08 -0800 +Subject: [PATCH 11/13] CVE-2017-2619: s3: smbd: Move special handling of + symlink errno's into a utility function. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 + +Signed-off-by: Jeremy Allison +Reviewed-by: Uri Simchoni +--- + source3/smbd/open.c | 43 ++++++++++++++++++++++++++----------------- + 1 file changed, 26 insertions(+), 17 deletions(-) + +diff --git a/source3/smbd/open.c b/source3/smbd/open.c +index a014b5e..b4b77cd 100644 +--- a/source3/smbd/open.c ++++ b/source3/smbd/open.c +@@ -352,6 +352,31 @@ static NTSTATUS check_base_file_access(struct connection_struct *conn, + } + + /**************************************************************************** ++ Handle differing symlink errno's ++****************************************************************************/ ++ ++static int link_errno_convert(int err) ++{ ++#if defined(ENOTSUP) && defined(OSF1) ++ /* handle special Tru64 errno */ ++ if (err == ENOTSUP) { ++ err = ELOOP; ++ } ++#endif /* ENOTSUP */ ++#ifdef EFTYPE ++ /* fix broken NetBSD errno */ ++ if (err == EFTYPE) { ++ err = ELOOP; ++ } ++#endif /* EFTYPE */ ++ /* fix broken FreeBSD errno */ ++ if (err 
== EMLINK) { ++ err = ELOOP; ++ } ++ return err; ++} ++ ++/**************************************************************************** + fd support routines - attempt to do a dos_open. + ****************************************************************************/ + +@@ -374,23 +399,7 @@ NTSTATUS fd_open(struct connection_struct *conn, + + fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode); + if (fsp->fh->fd == -1) { +- int posix_errno = errno; +-#if defined(ENOTSUP) && defined(OSF1) +- /* handle special Tru64 errno */ +- if (errno == ENOTSUP) { +- posix_errno = ELOOP; +- } +-#endif /* ENOTSUP */ +-#ifdef EFTYPE +- /* fix broken NetBSD errno */ +- if (errno == EFTYPE) { +- posix_errno = ELOOP; +- } +-#endif /* EFTYPE */ +- /* fix broken FreeBSD errno */ +- if (errno == EMLINK) { +- posix_errno = ELOOP; +- } ++ int posix_errno = link_errno_convert(errno); + status = map_nt_error_from_unix(posix_errno); + if (errno == EMFILE) { + static time_t last_warned = 0L; +-- +2.9.3 + + +From eda8d6ed343b32efb7055778b13252842b8c4f61 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 15 Dec 2016 13:04:46 -0800 +Subject: [PATCH 12/13] CVE-2017-2619: s3: smbd: Add the core functions to + prevent symlink open races. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 + +Signed-off-by: Jeremy Allison +Reviewed-by: Uri Simchoni +--- + source3/smbd/open.c | 237 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 237 insertions(+) + +diff --git a/source3/smbd/open.c b/source3/smbd/open.c +index b4b77cd..aa5df2c 100644 +--- a/source3/smbd/open.c ++++ b/source3/smbd/open.c +@@ -376,6 +376,243 @@ static int link_errno_convert(int err) + return err; + } + ++static int non_widelink_open(struct connection_struct *conn, ++ const char *conn_rootdir, ++ files_struct *fsp, ++ struct smb_filename *smb_fname, ++ int flags, ++ mode_t mode, ++ unsigned int link_depth); ++ ++/**************************************************************************** ++ Follow a symlink in userspace. ++****************************************************************************/ ++ ++static int process_symlink_open(struct connection_struct *conn, ++ const char *conn_rootdir, ++ files_struct *fsp, ++ struct smb_filename *smb_fname, ++ int flags, ++ mode_t mode, ++ unsigned int link_depth) ++{ ++ int fd = -1; ++ char *link_target = NULL; ++ int link_len = -1; ++ char *oldwd = NULL; ++ size_t rootdir_len = 0; ++ char *resolved_name = NULL; ++ bool matched = false; ++ int saved_errno = 0; ++ ++ /* ++ * Ensure we don't get stuck in a symlink loop. ++ */ ++ link_depth++; ++ if (link_depth >= 20) { ++ errno = ELOOP; ++ goto out; ++ } ++ ++ /* Allocate space for the link target. */ ++ link_target = talloc_array(talloc_tos(), char, PATH_MAX); ++ if (link_target == NULL) { ++ errno = ENOMEM; ++ goto out; ++ } ++ ++ /* Read the link target. */ ++ link_len = SMB_VFS_READLINK(conn, ++ smb_fname->base_name, ++ link_target, ++ PATH_MAX - 1); ++ if (link_len == -1) { ++ goto out; ++ } ++ ++ /* Ensure it's at least null terminated. */ ++ link_target[link_len] = '\0'; ++ ++ /* Convert to an absolute path. 
*/ ++ resolved_name = SMB_VFS_REALPATH(conn, link_target); ++ if (resolved_name == NULL) { ++ goto out; ++ } ++ ++ /* ++ * We know conn_rootdir starts with '/' and ++ * does not end in '/'. FIXME ! Should we ++ * smb_assert this ? ++ */ ++ rootdir_len = strlen(conn_rootdir); ++ ++ matched = (strncmp(conn_rootdir, resolved_name, rootdir_len) == 0); ++ if (!matched) { ++ errno = EACCES; ++ goto out; ++ } ++ ++ /* ++ * Turn into a path relative to the share root. ++ */ ++ if (resolved_name[rootdir_len] == '\0') { ++ /* Link to the root of the share. */ ++ smb_fname->base_name = talloc_strdup(talloc_tos(), "."); ++ if (smb_fname->base_name == NULL) { ++ errno = ENOMEM; ++ goto out; ++ } ++ } else if (resolved_name[rootdir_len] == '/') { ++ smb_fname->base_name = &resolved_name[rootdir_len+1]; ++ } else { ++ errno = EACCES; ++ goto out; ++ } ++ ++ oldwd = vfs_GetWd(talloc_tos(), conn); ++ if (oldwd == NULL) { ++ goto out; ++ } ++ ++ /* Ensure we operate from the root of the share. */ ++ if (vfs_ChDir(conn, conn_rootdir) == -1) { ++ goto out; ++ } ++ ++ /* And do it all again.. */ ++ fd = non_widelink_open(conn, ++ conn_rootdir, ++ fsp, ++ smb_fname, ++ flags, ++ mode, ++ link_depth); ++ if (fd == -1) { ++ saved_errno = errno; ++ } ++ ++ out: ++ ++ SAFE_FREE(resolved_name); ++ TALLOC_FREE(link_target); ++ if (oldwd != NULL) { ++ int ret = vfs_ChDir(conn, oldwd); ++ if (ret == -1) { ++ smb_panic("unable to get back to old directory\n"); ++ } ++ TALLOC_FREE(oldwd); ++ } ++ if (saved_errno != 0) { ++ errno = saved_errno; ++ } ++ return fd; ++} ++ ++/**************************************************************************** ++ Non-widelink open. 
++****************************************************************************/ ++ ++static int non_widelink_open(struct connection_struct *conn, ++ const char *conn_rootdir, ++ files_struct *fsp, ++ struct smb_filename *smb_fname, ++ int flags, ++ mode_t mode, ++ unsigned int link_depth) ++{ ++ NTSTATUS status; ++ int fd = -1; ++ struct smb_filename *smb_fname_rel = NULL; ++ int saved_errno = 0; ++ char *oldwd = NULL; ++ char *parent_dir = NULL; ++ const char *final_component = NULL; ++ ++ if (!parent_dirname(talloc_tos(), ++ smb_fname->base_name, ++ &parent_dir, ++ &final_component)) { ++ goto out; ++ } ++ ++ oldwd = vfs_GetWd(talloc_tos(), conn); ++ if (oldwd == NULL) { ++ goto out; ++ } ++ ++ /* Pin parent directory in place. */ ++ if (vfs_ChDir(conn, parent_dir) == -1) { ++ goto out; ++ } ++ ++ /* Ensure the relative path is below the share. */ ++ status = check_reduced_name(conn, final_component); ++ if (!NT_STATUS_IS_OK(status)) { ++ saved_errno = map_errno_from_nt_status(status); ++ goto out; ++ } ++ ++ smb_fname_rel = synthetic_smb_fname(talloc_tos(), ++ final_component, ++ smb_fname->stream_name, ++ &smb_fname->st); ++ ++ flags |= O_NOFOLLOW; ++ ++ { ++ struct smb_filename *tmp_name = fsp->fsp_name; ++ fsp->fsp_name = smb_fname_rel; ++ fd = SMB_VFS_OPEN(conn, smb_fname_rel, fsp, flags, mode); ++ fsp->fsp_name = tmp_name; ++ } ++ ++ if (fd == -1) { ++ saved_errno = link_errno_convert(errno); ++ if (saved_errno == ELOOP) { ++ if (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) { ++ /* Never follow symlinks on posix open. */ ++ goto out; ++ } ++ if (!lp_follow_symlinks(SNUM(conn))) { ++ /* Explicitly no symlinks. */ ++ goto out; ++ } ++ /* ++ * We have a symlink. Follow in userspace ++ * to ensure it's under the share definition. 
++ */ ++ fd = process_symlink_open(conn, ++ conn_rootdir, ++ fsp, ++ smb_fname_rel, ++ flags, ++ mode, ++ link_depth); ++ if (fd == -1) { ++ saved_errno = ++ link_errno_convert(errno); ++ } ++ } ++ } ++ ++ out: ++ ++ TALLOC_FREE(parent_dir); ++ TALLOC_FREE(smb_fname_rel); ++ ++ if (oldwd != NULL) { ++ int ret = vfs_ChDir(conn, oldwd); ++ if (ret == -1) { ++ smb_panic("unable to get back to old directory\n"); ++ } ++ TALLOC_FREE(oldwd); ++ } ++ if (saved_errno != 0) { ++ errno = saved_errno; ++ } ++ return fd; ++} ++ + /**************************************************************************** + fd support routines - attempt to do a dos_open. + ****************************************************************************/ +-- +2.9.3 + + +From 81094d0c7519936b08d22efc22ba78e5bab24cd1 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 15 Dec 2016 13:06:31 -0800 +Subject: [PATCH 13/13] CVE-2017-2619: s3: smbd: Use the new + non_widelink_open() function. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 + +Signed-off-by: Jeremy Allison +Reviewed-by: Uri Simchoni +--- + source3/smbd/open.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/source3/smbd/open.c b/source3/smbd/open.c +index aa5df2c..0b66487 100644 +--- a/source3/smbd/open.c ++++ b/source3/smbd/open.c +@@ -634,7 +634,28 @@ NTSTATUS fd_open(struct connection_struct *conn, + flags |= O_NOFOLLOW; + } + +- fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode); ++ /* Ensure path is below share definition. */ ++ if (!lp_widelinks(SNUM(conn))) { ++ const char *conn_rootdir = SMB_VFS_CONNECTPATH(conn, ++ smb_fname->base_name); ++ if (conn_rootdir == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ /* ++ * Only follow symlinks within a share ++ * definition. 
++ */ ++ fsp->fh->fd = non_widelink_open(conn, ++ conn_rootdir, ++ fsp, ++ smb_fname, ++ flags, ++ mode, ++ 0); ++ } else { ++ fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode); ++ } ++ + if (fsp->fh->fd == -1) { + int posix_errno = link_errno_convert(errno); + status = map_nt_error_from_unix(posix_errno); +-- +2.9.3 + diff --git a/SOURCES/samba-4.4.x-fix_libads_krb5_memcache.patch b/SOURCES/samba-4.4.x-fix_libads_krb5_memcache.patch new file mode 100644 index 0000000..0802eb5 --- /dev/null +++ b/SOURCES/samba-4.4.x-fix_libads_krb5_memcache.patch 
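Review bot: In non_widelink_open the return of `synthetic_smb_fname()` is passed straight to SMB_VFS_OPEN without a NULL check, so an allocation failure dereferences NULL; add `if (smb_fname_rel == NULL) { saved_errno = ENOMEM; goto out; }` before `flags |= O_NOFOLLOW;`. In process_symlink_open, `smb_fname->base_name = &resolved_name[rootdir_len+1]` leaves the caller's smb_fname_rel pointing into memory that `SAFE_FREE(resolved_name)` releases at `out:`; nothing in the visible caller dereferences it afterwards, but any later DEBUG of that name would be a use-after-free, so `talloc_strdup(talloc_tos(), &resolved_name[rootdir_len+1])` with an ENOMEM check is the safer form. The `strncmp(conn_rootdir, resolved_name, rootdir_len)` prefix test is correctly followed by the `'\0'`/`'/'` boundary check, so `/share` versus `/share2` is handled, but the FIXME above it asks whether to assert that conn_rootdir has no trailing '/', and an `SMB_ASSERT` there is cheap since the boundary logic silently misbehaves otherwise. open_dir_safely in patch 05 ignores the return of the restoring `vfs_ChDir(conn, saved_dir)` while the two new open.c helpers smb_panic on the same failure; the inconsistency can leave the connection's cwd inside the target directory, which is the state the rest of the series is trying to avoid.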
@@ -0,0 +1,206 @@ +From 66668deb267d63f17c70aaea6f720a7c440bb71c Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 10 Oct 2016 15:53:26 +0200 +Subject: [PATCH 1/3] HEIMDAL:lib/krb5: destroy a memory ccache on reinit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Günther Deschner +Reviewed-by: Uri Simchoni +(cherry picked from commit 2abc3710a8a63327a769ba0482c553ed274b2113) +--- + source4/heimdal/lib/krb5/mcache.c | 52 ++++++++++++++++++++++++++------------- + 1 file changed, 35 insertions(+), 17 deletions(-) + +diff --git a/source4/heimdal/lib/krb5/mcache.c b/source4/heimdal/lib/krb5/mcache.c +index e4b90c1..dc79b87 100644 +--- a/source4/heimdal/lib/krb5/mcache.c ++++ b/source4/heimdal/lib/krb5/mcache.c +@@ -155,13 +155,47 @@ mcc_gen_new(krb5_context context, krb5_ccache *id) + return 0; + } + ++static void KRB5_CALLCONV ++mcc_destroy_internal(krb5_context context, ++ krb5_mcache *m) ++{ ++ struct link *l; ++ ++ if (m->primary_principal != NULL) { ++ krb5_free_principal (context, m->primary_principal); ++ m->primary_principal = NULL; ++ } ++ m->dead = 1; ++ ++ l = m->creds; ++ while (l != NULL) { ++ struct link *old; ++ ++ krb5_free_cred_contents (context, &l->cred); ++ old = l; ++ l = l->next; ++ free (old); ++ } ++ ++ m->creds = NULL; ++ return; ++} ++ + static krb5_error_code KRB5_CALLCONV + mcc_initialize(krb5_context context, + krb5_ccache id, + krb5_principal primary_principal) + { + krb5_mcache *m = MCACHE(id); ++ /* ++ * It's important to destroy any existing ++ * creds here, that matches the baheviour ++ * of all other backends and also the ++ * MEMORY: backend in MIT. 
++ */ ++ mcc_destroy_internal(context, m); + m->dead = 0; ++ m->kdc_offset = 0; + m->mtime = time(NULL); + return krb5_copy_principal (context, + primary_principal, +@@ -195,7 +229,6 @@ mcc_destroy(krb5_context context, + krb5_ccache id) + { + krb5_mcache **n, *m = MCACHE(id); +- struct link *l; + + if (m->refcnt == 0) + krb5_abortx(context, "mcc_destroy: refcnt already 0"); +@@ -211,22 +244,7 @@ mcc_destroy(krb5_context context, + } + } + HEIMDAL_MUTEX_unlock(&mcc_mutex); +- if (m->primary_principal != NULL) { +- krb5_free_principal (context, m->primary_principal); +- m->primary_principal = NULL; +- } +- m->dead = 1; +- +- l = m->creds; +- while (l != NULL) { +- struct link *old; +- +- krb5_free_cred_contents (context, &l->cred); +- old = l; +- l = l->next; +- free (old); +- } +- m->creds = NULL; ++ mcc_destroy_internal(context, m); + } + return 0; + } +-- +1.9.1 + + +From 5484f6cb0d812d11234347f592dff1a15ef5ef50 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 10 Oct 2016 17:07:12 +0200 +Subject: [PATCH 2/3] s3:libads: don't use MEMORY:ads_sasl_gssapi_do_bind nor + set "KRB5CCNAME" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Günther Deschner +Reviewed-by: Uri Simchoni +(cherry picked from commit 890b1bbdb8e965c4ff6e35214acc96ffbbff5dfd) +--- + source3/libads/sasl.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index 85a2eb0..4e4486f 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -1027,7 +1027,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads) + { + ADS_STATUS status; + struct ads_service_principal p; +- const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind"; + + status = ads_generate_service_principal(ads, &p); + if (!ADS_ERR_OK(status)) { +@@ -1046,10 +1045,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads) + "calling kinit\n", ads_errstr(status))); + } + +- if (ads->auth.ccache_name != NULL) { +- ccache_name = ads->auth.ccache_name; +- } +- setenv(KRB5_ENV_CCNAME, ccache_name, 1); + status = ADS_ERROR_KRB5(ads_kinit_password(ads)); + + if (ADS_ERR_OK(status)) { +-- +1.9.1 + + +From 012e763219f42071ced497fcc0ecd387789efd4f Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 10 Oct 2016 17:07:12 +0200 +Subject: [PATCH 3/3] s3:libads: don't use MEMORY:ads_sasl_spnego_bind nor set + "KRB5CCNAME" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Günther Deschner +Reviewed-by: Uri Simchoni + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Thu Oct 13 00:35:21 CEST 2016 on sn-devel-144 + +(cherry picked from commit a5f895a53016af71db53967062728fec5bc307ca) +--- + source3/libads/sasl.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index 4e4486f..39c60c3 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -749,11 +749,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && + got_kerberos_mechanism) + { +- const char *ccache_name = "MEMORY:ads_sasl_spnego_bind"; +- if (ads->auth.ccache_name != NULL) { +- ccache_name = ads->auth.ccache_name; +- } +- + if (ads->auth.password == NULL || + ads->auth.password[0] == '\0') + { +@@ -771,7 +766,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + "calling kinit\n", ads_errstr(status))); + } + +- setenv(KRB5_ENV_CCNAME, ccache_name, 1); + status = ADS_ERROR_KRB5(ads_kinit_password(ads)); + + if (ADS_ERR_OK(status)) { +-- +1.9.1 + diff --git a/SPECS/samba.spec b/SPECS/samba.spec index fa05aee..177a601 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -6,7 +6,7 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 12 +%define main_release 13 %define samba_version 4.4.4 %define talloc_version 2.1.6 
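Review bot: Removing the `setenv(KRB5_ENV_CCNAME, ccache_name, 1)` calls from ads_sasl_spnego_bind() and ads_sasl_gssapi_bind() also removes the only code in these two functions that honoured `ads->auth.ccache_name`; nothing in the hunk shows ads_kinit_password() reading that field, so a caller that set it would now silently kinit into the process-default credential cache. If ads_kinit_password() does consult `ads->auth.ccache_name` (outside this patch), a comment at the call site such as `/* ccache selection (ads->auth.ccache_name, else the default ccache) is done inside ads_kinit_password() */` would make that explicit; if it does not, the dropped lines need an equivalent there. A second consequence worth stating in the commit message is that a password-based bind no longer uses an isolated MEMORY: cache, so it will presumably overwrite tickets in whatever default cache the invoking process already has, which matters for interactive tools run from a user session with existing credentials. The mcache.c part of the series is consistent with this direction: mcc_initialize() now frees existing creds via mcc_destroy_internal(), so re-initialising a reused cache no longer accumulates stale entries, though note it does so without taking mcc_mutex, matching the existing mcc_destroy() path which also unlocks before freeing.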
@@ -120,6 +120,10 @@ Patch9: samba-4.4.7-fix_smget_auth_callback.patch
 Patch10: samba-4.4.6-fix_nss_wins.patch
 Patch11: samba-4.4.7-fix_group_substituion_with_ad.patch
 Patch12: samba-4.4.6-fix_smbclient_against_apple_and_azure.patch
+Patch13: samba-4.4.x-fix_libads_krb5_memcache.patch
+Patch14: CVE-2016-2125-v4-4.patch
+Patch15: CVE-2016-2126-v4-4.patch
+Patch16: CVE-2017-2619-v4-4.patch
 
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
@@ -717,6 +721,10 @@ and use CTDB instead.
 %patch10 -p1 -b .samba-4.4.6-fix_nss_wins.patch
 %patch11 -p1 -b .samba-4.4.7-fix_group_substituion_with_ad.patch
 %patch12 -p1 -b .samba-4.4.6-fix_smbclient_against_apple_and_azure.patch
+%patch13 -p1 -b .samba-4.4.x-fix_libads_krb5_memcache.patch
+%patch14 -p1 -b .CVE-2016-2125-v4-4.patch
+%patch15 -p1 -b .CVE-2016-2126-v4-4.patch
+%patch16 -p1 -b .CVE-2017-2619-v4-4.patch
 
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
@@ -2025,7 +2033,11 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 
 %changelog
-* Tue Nov 15 2016 Andreas Schneider - 4.4.4-11
+* Wed Apr 05 2017 Andreas Schneider - 4.4.4-13
+- resolves: #1437816 - Fix krb5 memory cache in libads sasl code
+- resolves: #1437741 - Fix CVE-2016-2125, CVE-2016-2126 and CVE-2017-2619
+
+* Tue Nov 15 2016 Andreas Schneider - 4.4.4-12
 - related: #1393051 - Fix return code if ip not defined in gethostbyname
 
 * Wed Nov 09 2016 Andreas Schneider - 4.4.4-11