[Pkg-samba-maint] [samba] 01/04: Commit 2:3.6.6-6+deb7u9 by the security team, undoing the NEWS changes that did not make it in

Andrew Bartlett abartlet-guest at moszumanska.debian.org
Sat Apr 16 02:09:49 UTC 2016


This is an automated email from the git hooks/post-receive script.

abartlet-guest pushed a commit to branch wheezy
in repository samba.

commit 185c7fac7541acb7abcfc373a7cc2fd8c01ce1d5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Apr 16 13:33:27 2016 +1200

    Commit 2:3.6.6-6+deb7u9 by the security team, undoing the NEWS changes that did not make it in
---
 debian/NEWS                               |  77 -------------------
 debian/changelog                          |   9 ++-
 debian/patches/CVE-2015-5370-v3-6.patch   |  80 +++++++++----------
 debian/patches/CVE-2016-2110-v3-6.patch   | 120 +++++++++++++++++++++++------
 debian/patches/CVE-2016-2111-v3-6.patch   |  34 ++++----
 debian/patches/CVE-2016-2112-v3-6.patch   |   8 +-
 debian/patches/CVE-2016-2115-v3-6.patch   |  22 +++---
 debian/patches/CVE-2016-2118-v3-6.patch   |  20 ++---
 debian/patches/CVE-preparation-v3-6.patch | 124 ++++++++++++++++++++----------
 9 files changed, 269 insertions(+), 225 deletions(-)

diff --git a/debian/NEWS b/debian/NEWS
index bcaeca5..679425a 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,80 +1,3 @@
-samba (2:3.6.6-6+deb7u8) wheezy-security; urgency=high
-
-    This Samba security release addresses both Denial of Service and Man in
-    the Middle vulnerabilities.
-
-    A significant number of patches were back-ported, and in some areas
-    of winbindd the behaviour is now more like Samba 4.2 than 3.6
-
-    This new security patch implements new smb.conf options and a
-    number of stricter behaviours to prevent Man in the Middle attacks
-    on our network services, as a client and as a server.
-
-    Between these changes, compatibility with a large number of older
-    software versions has been lost in the default configuration.
-
-    See the release notes in WHATNEW.txt for more information.
-
-
-    Here are some additional hints how to work around the new stricter default behaviors:
-
-    * As a File Server, compatibility with the Linux Kernel cifs
-      client depends on which configuration options are selected, please
-      use "sec=krb5(i)" or "sec=ntlmssp(i)", not "sec=ntlmv2".
-
-    * As a file or printer client and as a domain member, out of the
-      box compatibility with Samba less than 4.0 and other SMB/CIFS
-      servers, depends on support for SMB signing or SMB2 on the
-      server, which is often disabled or absent. You may need to
-      adjust the "client ipc signing" to "no" in these cases.
-
-    * Due to bug Samba bug #11830, when Samba is configured as a
-      domain member in Active Directory domain and this domain has
-      trust to other Active Directory domains, you will need to set
-
-        winbind sealed pipes = false
-	require strong key = false
-
-      Doing so will however remove an aspect of our protection against
-      MitM attacks between winbindd and the domain controllers.
-  
-    However, all of these can be worked around by setting smb.conf
-    options in Samba, see the 4.2.0 and 4.2.11 release notes (because
-    many of the fixes are backported from there) at
-    https://www.samba.org/samba/history/samba-4.2.0.html and
-    https://www.samba.org/samba/history/samba-4.2.11.html and the
-    Samba wiki for details, workarounds and suggested
-    security-improving changes to these and other software packages.
-
-
-    New smb.conf options and defaults:
-
-    * raw NTLMv2 auth = no
-    * client ipc signing = no
-    * winbind sealed pipes = yes
-    * allow dcerpc auth level connect = no
-
-
-    Suggested further improvements after patching:
-
-    It is recommended that administrators set these additional options,
-    if compatible with their network environment:
-
-        server signing = mandatory
-        ntlm auth = no
-
-    Without "server signing = mandatory", Man in the Middle attacks
-    are still possible against our file server and
-    classic/NT4-like/Samba3 Domain controller. (It is now enforced on
-    Samba's AD DC.) Note that this has heavy impact on the file server
-    performance, so you need to decide between performance and
-    security. These Man in the Middle attacks for smb file servers are
-    well known for decades.
-
-    Without "ntlm auth = no", there may still be clients not using
-    NTLMv2, and these observed passwords may be brute-forced easily using
-    cloud-computing resources or rainbow tables.
-
 samba (2:3.6.5-2) unstable; urgency=low
 
     NSS modules have been split out from libpam-winbind to
diff --git a/debian/changelog b/debian/changelog
index f0666da..f650363 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,11 @@
-samba (2:3.6.6-6+deb7u8) UNRELEASED; urgency=high
+samba (2:3.6.6-6+deb7u9) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Update CVE patchset for regression fixes
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Tue, 12 Apr 2016 18:34:07 +0200
+
+samba (2:3.6.6-6+deb7u8) wheezy-security; urgency=high
   * Security update
     + Fixes:
      - CVE-2015-5370 (Multiple errors in DCE-RPC code)
diff --git a/debian/patches/CVE-2015-5370-v3-6.patch b/debian/patches/CVE-2015-5370-v3-6.patch
index a9aad58..fd7f7d8 100644
--- a/debian/patches/CVE-2015-5370-v3-6.patch
+++ b/debian/patches/CVE-2015-5370-v3-6.patch
@@ -1,4 +1,4 @@
-From 9ad47ca767b7d372d3dff6f8cda4ce24e76ed0ec Mon Sep 17 00:00:00 2001
+From 8716bb5e03cc4f10e2d4edc704d8defe7e8045f1 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Thu, 16 Jul 2015 22:46:05 +0200
 Subject: [PATCH 01/40] CVE-2015-5370: dcerpc.idl: add
@@ -35,7 +35,7 @@ index 75ef2ec..bbb42d1 100644
 2.8.1
 
 
-From dcc4ced352fdb390cb5c27f7201a6f1f4d36630d Mon Sep 17 00:00:00 2001
+From 3b1cdbd2dc1c4d3773b4a1ef86ad1643abc5c208 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sun, 28 Jun 2015 01:19:57 +0200
 Subject: [PATCH 02/40] CVE-2015-5370: librpc/rpc: simplify and harden
@@ -178,7 +178,7 @@ index fe8129d..98a2e95 100644
 2.8.1
 
 
-From ccefb8e67091dc97209687d07563c1caaa072ee4 Mon Sep 17 00:00:00 2001
+From 3aa9e6ec1cf2b2220968c3e0f711dfeca9ee3450 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Mon, 29 Jun 2015 10:24:45 +0200
 Subject: [PATCH 03/40] CVE-2015-5370: s3:librpc/rpc: don't call
@@ -225,7 +225,7 @@ index 24f2f52..76f2acc 100644
 2.8.1
 
 
-From 392631de5ec9bbe07af0e6950219cc7e1ddb078b Mon Sep 17 00:00:00 2001
+From de179f2907134e2bc23d1e5cf9ac85a0c759dad3 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Fri, 26 Jun 2015 08:10:46 +0200
 Subject: [PATCH 04/40] CVE-2015-5370: librpc/rpc: add a
@@ -348,7 +348,7 @@ index 98a2e95..b3ae5b2 100644
 2.8.1
 
 
-From e7e9266a82f730b9ed1a622455a68b9956c71323 Mon Sep 17 00:00:00 2001
+From 4fda096df6005abdb964032bd4017da6496c1b50 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 7 Jul 2015 13:05:01 +0200
 Subject: [PATCH 05/40] CVE-2015-5370: s3:rpc_client: move AS/U hack to the top
@@ -412,7 +412,7 @@ index 5ddabb7..295b88f 100644
 2.8.1
 
 
-From 684a92839c4854e4bd66ec7dd35b5f1c05b5f0fa Mon Sep 17 00:00:00 2001
+From e0d9dfcb27d6d76f819c32db4c1f3dd720f7c964 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 7 Jul 2015 13:05:01 +0200
 Subject: [PATCH 06/40] CVE-2015-5370: s3:rpc_client: remove useless
@@ -455,7 +455,7 @@ index 295b88f..2787fbc 100644
 2.8.1
 
 
-From f6b8c87a094400923eabb5f5c46acd3ab5c09c05 Mon Sep 17 00:00:00 2001
+From 39c53a768b5b4eac7a644d4bd1afeb1cd7fb8ef1 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Fri, 26 Jun 2015 08:10:46 +0200
 Subject: [PATCH 07/40] CVE-2015-5370: s4:rpc_server: no authentication is
@@ -541,7 +541,7 @@ index 1e6aa24..61f2176 100644
 2.8.1
 
 
-From 5b99464c8d65aeacae846d15b7a7db549d84e589 Mon Sep 17 00:00:00 2001
+From f37e77ea11f691fe0717797890c0ac2d4fc76792 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sat, 27 Jun 2015 10:31:48 +0200
 Subject: [PATCH 08/40] CVE-2015-5370: s4:librpc/rpc: check pkt->auth_length
@@ -614,7 +614,7 @@ index 61f2176..3051c1c 100644
 2.8.1
 
 
-From 097719efa48d5c9f3d27e087b438136d3b7deeff Mon Sep 17 00:00:00 2001
+From d3e41f6a15df3669b52009e48ce808b50bb837e4 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sun, 28 Jun 2015 01:19:57 +0200
 Subject: [PATCH 09/40] CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length
@@ -654,7 +654,7 @@ index 2f599d5..89b7597 100644
 2.8.1
 
 
-From 2b5f6b2d2055247a2746eb6b3265e54fb5ea026d Mon Sep 17 00:00:00 2001
+From fc994e4614d7ff43736ff2a516d42bb43b7c8ec9 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Thu, 9 Jul 2015 07:59:24 +0200
 Subject: [PATCH 10/40] CVE-2015-5370: s3:librpc/rpc: remove auth trailer and
@@ -887,7 +887,7 @@ index 964b843..0ab7dc6 100644
 2.8.1
 
 
-From ef263a9387306f805b746ae4273a544425d6d37d Mon Sep 17 00:00:00 2001
+From 79bd5e74ad984a4f805e34bff5c4199da522c923 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Thu, 9 Jul 2015 07:59:24 +0200
 Subject: [PATCH 11/40] CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth()
@@ -928,7 +928,7 @@ index d871339..c07835f 100644
 2.8.1
 
 
-From e609895f0fe1131bb912d1d4d54252fd909d67aa Mon Sep 17 00:00:00 2001
+From acabcb860d2e77b5b8ef878696b4405599f8c761 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 7 Jul 2015 13:05:01 +0200
 Subject: [PATCH 12/40] CVE-2015-5370: s3:rpc_client: make use of
@@ -993,7 +993,7 @@ index 776e2bf..27e37f8 100644
 2.8.1
 
 
-From cbbcae5d7968b43905fb0fbba7d66e5cc2f5dda9 Mon Sep 17 00:00:00 2001
+From adf098f191acd3cb6ba2b8893b6c259af66d8696 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 7 Jul 2015 13:05:01 +0200
 Subject: [PATCH 13/40] CVE-2015-5370: s3:rpc_client: make use of
@@ -1169,7 +1169,7 @@ index 27e37f8..6a22d38 100644
 2.8.1
 
 
-From 5469d46bb74c3cdafa98fcedf6898aa3e23d5bfb Mon Sep 17 00:00:00 2001
+From 46c9eb371fda87c5b0c5ba30e95c4f4992c9dd00 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Fri, 10 Jul 2015 14:48:38 +0200
 Subject: [PATCH 14/40] CVE-2015-5370: s3:rpc_client: protect
@@ -1207,7 +1207,7 @@ index 6a22d38..755b458 100644
 2.8.1
 
 
-From 475bcafcfeeae3037e8a70b69b5638f260a33fcb Mon Sep 17 00:00:00 2001
+From e7866caecb0433d490172f3b262280a7d6902c4d Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 7 Jul 2015 22:51:18 +0200
 Subject: [PATCH 15/40] CVE-2015-5370: s3:rpc_client: verify auth_{type,level}
@@ -1255,7 +1255,7 @@ index 755b458..1c4ff01 100644
 2.8.1
 
 
-From 245ea2177f05b5b92464f1ef85336d9ec62376da Mon Sep 17 00:00:00 2001
+From b73d83a791237fe0262b4dcca8adf16b457eb188 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 7 Jul 2015 13:05:01 +0200
 Subject: [PATCH 16/40] CVE-2015-5370: s3:rpc_server: make use of
@@ -1379,7 +1379,7 @@ index 0ab7dc6..40b1b8e 100644
 2.8.1
 
 
-From cd9a734cd58c0e5c16576e7714d7651b347360e1 Mon Sep 17 00:00:00 2001
+From 06e5f78341fbe220bd9fb8e27a7f2f8f4e593fa6 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Wed, 23 Dec 2015 12:38:55 +0100
 Subject: [PATCH 17/40] CVE-2015-5370: s3:rpc_server: let a failing
@@ -1409,7 +1409,7 @@ index 40b1b8e..da9b91c 100644
 2.8.1
 
 
-From f36526b298905aa6c44d74e0af432f0afcc586d9 Mon Sep 17 00:00:00 2001
+From 38ff4f5913f5a323b635253748684f98fc63549c Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 7 Jul 2015 13:05:01 +0200
 Subject: [PATCH 18/40] CVE-2015-5370: s3:rpc_server: don't ignore failures of
@@ -1451,7 +1451,7 @@ index da9b91c..71b4665 100644
 2.8.1
 
 
-From 7793fd5bb25cab8cff2e868cb9a063b6f0d81c2c Mon Sep 17 00:00:00 2001
+From c24152e5778bcdc1f252bbbeacb89af0c6f4f578 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 7 Jul 2015 13:05:01 +0200
 Subject: [PATCH 19/40] CVE-2015-5370: s3:rpc_server: don't allow auth3 if the
@@ -1494,7 +1494,7 @@ index 71b4665..4e5b50d4 100644
 2.8.1
 
 
-From af1cbdcd1342e51ba77ed5732d42269381b2d7f7 Mon Sep 17 00:00:00 2001
+From 1156d7445ed3c86af2610f0bfd2ea38831010726 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 14 Jul 2015 16:18:45 +0200
 Subject: [PATCH 20/40] CVE-2015-5370: s3:rpc_server: let a failing auth3 mark
@@ -1529,7 +1529,7 @@ index 4e5b50d4..d28ba8e 100644
 2.8.1
 
 
-From 4f86070a06b19bf901c5e3522ddcda483f580eea Mon Sep 17 00:00:00 2001
+From da145d9e8a4c1b5d507734b599563fdb0fff90a9 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 7 Jul 2015 13:05:01 +0200
 Subject: [PATCH 21/40] CVE-2015-5370: s3:rpc_server: make sure auth_level
@@ -1582,7 +1582,7 @@ index d28ba8e..1b81a4c 100644
 2.8.1
 
 
-From 38de42a26c52d9dbd9d01849bae7b78ac187ced6 Mon Sep 17 00:00:00 2001
+From 7a313b254fda2b7577a60bfb9d07ccd9c745abdf Mon Sep 17 00:00:00 2001
 From: Jeremy Allison <jra at samba.org>
 Date: Tue, 7 Jul 2015 09:15:39 +0200
 Subject: [PATCH 22/40] CVE-2015-5370: s3:rpc_server: ensure that the message
@@ -1780,7 +1780,7 @@ index 1b81a4c..41111aa 100644
 2.8.1
 
 
-From 671fee9ad5c6ee373d28ea1244966f82ba3ec7d8 Mon Sep 17 00:00:00 2001
+From 23147db714d05d113ca06d327ab65087f3420998 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 7 Jul 2015 16:06:59 +0200
 Subject: [PATCH 23/40] CVE-2015-5370: s3:rpc_server: use 'alter' instead of
@@ -1888,7 +1888,7 @@ index 41111aa..382d94a 100644
 2.8.1
 
 
-From 1fe6ef29eb84aac7c3359dc56d26c86387750f99 Mon Sep 17 00:00:00 2001
+From bf96df45abbd32c90a561b8f444e510d4a34da0e Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 7 Jul 2015 16:06:59 +0200
 Subject: [PATCH 24/40] CVE-2015-5370: s3:rpc_server: verify presentation
@@ -1945,7 +1945,7 @@ index 382d94a..335af2a 100644
 2.8.1
 
 
-From 044728996d6ff3a0d7dd7ab03db70c37570db9c0 Mon Sep 17 00:00:00 2001
+From 5d564f46ae2621f99c4450d21a198b432ca0cd30 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 7 Jul 2015 16:06:59 +0200
 Subject: [PATCH 25/40] CVE-2015-5370: s3:rpc_server: make use of
@@ -2087,7 +2087,7 @@ index 335af2a..2f404b4 100644
 2.8.1
 
 
-From 27ab776f3562ea32c995d6c76ab8ea9d565ce116 Mon Sep 17 00:00:00 2001
+From 5a53b46092399686d5c1ade79e15eb093b9d1842 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Wed, 23 Dec 2015 12:40:58 +0100
 Subject: [PATCH 26/40] CVE-2015-5370: s3:rpc_server: disconnect the connection
@@ -2139,7 +2139,7 @@ index 376d26a..3ba83e0 100644
 2.8.1
 
 
-From 865b9bec3d7ddc57042eb4bf65d4f797427337c3 Mon Sep 17 00:00:00 2001
+From a895ca55f14cbdb28b7327d3a1fdbf2b5397ad96 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Wed, 23 Dec 2015 12:38:55 +0100
 Subject: [PATCH 27/40] CVE-2015-5370: s3:rpc_server: let a failing BIND mark
@@ -2173,7 +2173,7 @@ index 2f404b4..6275190 100644
 2.8.1
 
 
-From 0c752e2760aa5d2a01aaafe06bf864682f8459f5 Mon Sep 17 00:00:00 2001
+From 1633842f3667442c3a5bdf683fc0dbb905755b11 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Wed, 23 Dec 2015 12:38:55 +0100
 Subject: [PATCH 28/40] CVE-2015-5370: s3:rpc_server: use
@@ -2217,7 +2217,7 @@ index 6275190..3fb8855 100644
 2.8.1
 
 
-From 687e5def17881bd5ac8b3c1cf1653530ae227ea2 Mon Sep 17 00:00:00 2001
+From 62e058a6874f9ae3f1856cd9c3c52516ce350f95 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sat, 11 Jul 2015 10:58:07 +0200
 Subject: [PATCH 29/40] CVE-2015-5370: s3:librpc/rpc: remove unused
@@ -2307,7 +2307,7 @@ index c07835f..e4d0e3a 100644
 2.8.1
 
 
-From 765ffc9a7b65cf5850bc3460abf83c10426bddad Mon Sep 17 00:00:00 2001
+From 34cbf85617810fb81ad27250ef6bab0efd13a5e7 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 7 Jul 2015 13:05:01 +0200
 Subject: [PATCH 30/40] CVE-2015-5370: s3:rpc_server: check the transfer syntax
@@ -2364,7 +2364,7 @@ index 3fb8855..0e6b073 100644
 2.8.1
 
 
-From 53a0f84445dd19bcca74f5cf5f7b23eab65dd410 Mon Sep 17 00:00:00 2001
+From 511a212ad0bde4c84c6fb30625537cfc5052ac43 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 7 Jul 2015 13:05:01 +0200
 Subject: [PATCH 31/40] CVE-2015-5370: s3:rpc_server: don't allow an existing
@@ -2422,7 +2422,7 @@ index 0e6b073..4263a91 100644
 2.8.1
 
 
-From 69183622b6ddc2b077a7598c1d3ed32587843abb Mon Sep 17 00:00:00 2001
+From 6d8d1b5524548c7d2a5f4ba5d2f6263b3ed57590 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Wed, 8 Jul 2015 00:01:37 +0200
 Subject: [PATCH 32/40] CVE-2015-5370: s3:rpc_client: pass struct
@@ -2517,7 +2517,7 @@ index 1c4ff01..3af3d8f 100644
 2.8.1
 
 
-From e29a86c22c735962d2ed6eee43e3a702e87acaae Mon Sep 17 00:00:00 2001
+From 62166b207bd465b5c10e07dd23de4b9b2d44bfa4 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Wed, 8 Jul 2015 00:01:37 +0200
 Subject: [PATCH 33/40] CVE-2015-5370: s3:librpc/rpc: add auth_context_id to
@@ -2551,7 +2551,7 @@ index 9452e85..c25b0f5 100644
 2.8.1
 
 
-From c04d24646456dd3c01c2559b5955e9de79e418ae Mon Sep 17 00:00:00 2001
+From dbfd333649e66f03c13e266e5e2007cd70acdc44 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Wed, 8 Jul 2015 00:01:37 +0200
 Subject: [PATCH 34/40] CVE-2015-5370: s3:rpc_client: make use of
@@ -2665,7 +2665,7 @@ index 3af3d8f..755d676 100644
 2.8.1
 
 
-From e4de45d67300bed8d6931f10ba11f7c4fe282504 Mon Sep 17 00:00:00 2001
+From 2d58dfb478eccb3f93e1d56f1d2bbff1577d3c02 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Wed, 8 Jul 2015 00:01:37 +0200
 Subject: [PATCH 35/40] CVE-2015-5370: s3:rpc_server: make use of
@@ -2763,7 +2763,7 @@ index 4263a91..d6c4118 100644
 2.8.1
 
 
-From 7c40975f53365d147b748aec51c55b8279b62c77 Mon Sep 17 00:00:00 2001
+From 43a77c90f877df714e71274143ab01eef27271cb Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Wed, 8 Jul 2015 00:01:37 +0200
 Subject: [PATCH 36/40] CVE-2015-5370: s3:librpc/rpc: make use of
@@ -2798,7 +2798,7 @@ index e4d0e3a..977a372 100644
 2.8.1
 
 
-From b8c0e111624aea92fefa07a28944397680af642d Mon Sep 17 00:00:00 2001
+From fd2a01c93e86f1f7d23700c25cde5c84743bc289 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Wed, 8 Jul 2015 00:01:37 +0200
 Subject: [PATCH 37/40] CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in
@@ -2835,7 +2835,7 @@ index 977a372..b00cf1bf 100644
 2.8.1
 
 
-From c53147ea64a1ba0a3e0c202ec7aa8353e479d57f Mon Sep 17 00:00:00 2001
+From b2f0b95a0cdeeaad2ca9b993940fbbb5687a3509 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 7 Jul 2015 22:51:18 +0200
 Subject: [PATCH 38/40] CVE-2015-5370: s3:rpc_client: verify auth_context_id in
@@ -2876,7 +2876,7 @@ index 755d676..ee33e80 100644
 2.8.1
 
 
-From 4989b97b6f2ab6017f8e3d33c7360d34a024cf0f Mon Sep 17 00:00:00 2001
+From 6e814c0173c4e74469d6f884f6eef3fc117e7117 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Wed, 8 Jul 2015 00:01:37 +0200
 Subject: [PATCH 39/40] CVE-2015-5370: s3:rpc_server: verify auth_context_id in
@@ -2932,7 +2932,7 @@ index d6c4118..26c4ee0 100644
 2.8.1
 
 
-From 030c87181e482abbf9abb2607966ad2d7db1d517 Mon Sep 17 00:00:00 2001
+From dca4488d6ce0477cac4bf4ab878444d64a83ebfb Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 22 Dec 2015 21:23:14 +0100
 Subject: [PATCH 40/40] CVE-2015-5370: s3:rpc_client: disconnect connection on
diff --git a/debian/patches/CVE-2016-2110-v3-6.patch b/debian/patches/CVE-2016-2110-v3-6.patch
index 86fdb53..1f454be 100644
--- a/debian/patches/CVE-2016-2110-v3-6.patch
+++ b/debian/patches/CVE-2016-2110-v3-6.patch
@@ -1,7 +1,7 @@
-From 20b39e2c22cf94a45cc160d5b032eacb276f3b68 Mon Sep 17 00:00:00 2001
+From 202d69267c8550b850438877fb51c3d2c992949d Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 1 Dec 2015 08:46:45 +0100
-Subject: [PATCH 1/9] CVE-2016-2110: s3:ntlmssp: set and use
+Subject: [PATCH 01/10] CVE-2016-2110: s3:ntlmssp: set and use
  ntlmssp_state->allow_lm_key
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -41,10 +41,10 @@ index 1de6189..20a5987 100644
 2.8.1
 
 
-From da8f8abd31300e217512e6a760e38381d338fe4a Mon Sep 17 00:00:00 2001
+From a701bc5f8a76584a2e0680b2c3dd9afb77f12430 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Fri, 11 Dec 2015 14:50:23 +0100
-Subject: [PATCH 2/9] CVE-2016-2110: s3:ntlmssp: add
+Subject: [PATCH 02/10] CVE-2016-2110: s3:ntlmssp: add
  ntlmssp3_handle_neg_flags()
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -141,10 +141,10 @@ index 20a5987..ad09f9f 100644
 2.8.1
 
 
-From ba2e2f98c10d805963ede277fce9f0cffad9d88b Mon Sep 17 00:00:00 2001
+From 92b2f5315d135b7b83a3ae106b43d18181be2f02 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn at cryptomilk.org>
 Date: Thu, 31 Mar 2016 12:39:50 +0200
-Subject: [PATCH 3/9] CVE-2016-2110: s3:ntlmssp: let
+Subject: [PATCH 03/10] CVE-2016-2110: s3:ntlmssp: let
  ntlmssp3_handle_neg_flags() return NTSTATUS
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -254,10 +254,10 @@ index ad09f9f..81a85ce 100644
 2.8.1
 
 
-From d9ed2c9b3120e5fcc97afbe8ce4bbd03abdc4c97 Mon Sep 17 00:00:00 2001
+From a239a337e3c0081af1a41aaac8957bb1aa0771f8 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 1 Dec 2015 15:01:09 +0100
-Subject: [PATCH 4/9] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
+Subject: [PATCH 04/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
  NTLMv2 to LM_AUTH
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -298,10 +298,10 @@ index 81a85ce..23a5e5d 100644
 2.8.1
 
 
-From c27686cedcd7180b733eb8e2b71778c9e4e74211 Mon Sep 17 00:00:00 2001
+From e11dc9aa90420947f9fc82365b55ecb08353451c Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Thu, 31 Mar 2016 12:59:05 +0200
-Subject: [PATCH 5/9] CVE-2016-2110: s3:ntlmssp: maintain a required_flags
+Subject: [PATCH 05/10] CVE-2016-2110: s3:ntlmssp: maintain a required_flags
  variable
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -372,10 +372,10 @@ index 23a5e5d..48d7d45 100644
 2.8.1
 
 
-From 7af06ebbb6b36ff4204a2f58f6667ad08314a01e Mon Sep 17 00:00:00 2001
+From 06ca5b7655e577ff6e2d5817cf221c05f9bb5c86 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Thu, 31 Mar 2016 13:03:24 +0200
-Subject: [PATCH 6/9] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
+Subject: [PATCH 06/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
  NTLMv2 to LM_AUTH
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -413,10 +413,80 @@ index 48d7d45..bf40404 100644
 2.8.1
 
 
-From 2c2d5c81cd1b810653a49ca00c774d9a1096d3ee Mon Sep 17 00:00:00 2001
+From f99d4469a8b09dd93eb7124f2814e15869915671 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn at samba.org>
+Date: Mon, 11 Apr 2016 16:18:44 +0200
+Subject: [PATCH 07/10] CVE-2016-2110: auth/ntlmssp: don't let
+ ntlmssp3_handle_neg_flags() change ntlmssp_state->use_ntlmv2
+
+ntlmssp_handle_neg_flags() can only disable flags, but not
+set them. All supported flags are set at start time.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Andreas Schneider <asn at samba.org>
+Reviewed-by: Guenther Deschner <gd at samba.org>
+---
+ source3/libsmb/ntlmssp.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index bf40404..7b17a43 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -391,6 +391,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
+ 		ntlmssp_state->allow_lm_key = false;
+ 	}
+ 
++	if (ntlmssp_state->allow_lm_key) {
++		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
++	}
++
+ 	/* generate the ntlmssp negotiate packet */
+ 	status = msrpc_gen(ntlmssp_state, next_request, "CddAA",
+ 		  "NTLMSSP",
+@@ -438,20 +442,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+ 		ntlmssp_state->unicode = false;
+ 	}
+ 
+-	if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
+-		/* other end forcing us to use LM */
+-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
+-		ntlmssp_state->use_ntlmv2 = false;
+-	} else {
++	/*
++	 * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
++	 * has priority over NTLMSSP_NEGOTIATE_LM_KEY
++	 */
++	if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
++	}
++
++	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
+ 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ 	}
+ 
+-	if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+-		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
++	if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ 	}
+ 
+-	if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
+-		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
++	if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
++		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+ 	}
+ 
+ 	if (!(flags & NTLMSSP_NEGOTIATE_128)) {
+-- 
+2.8.1
+
+
+From 71dda1c57c36a9816af7873f169306a766e0284a Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Thu, 31 Mar 2016 14:21:12 +0200
-Subject: [PATCH 7/9] CVE-2016-2110: s3:ntlmssp: let ntlmssp3_client_initial
+Subject: [PATCH 08/10] CVE-2016-2110: s3:ntlmssp: let ntlmssp3_client_initial
  require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -431,7 +501,7 @@ Reviewed-by: Günther Deschner <gd at samba.org>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index bf40404..00b8b85 100644
+index 7b17a43..d5c83fd 100644
 --- a/source3/libsmb/ntlmssp.c
 +++ b/source3/libsmb/ntlmssp.c
 @@ -387,7 +387,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
@@ -447,11 +517,11 @@ index bf40404..00b8b85 100644
 2.8.1
 
 
-From 3bd43cee7be94c59944c6d70a7205398f8b7207f Mon Sep 17 00:00:00 2001
+From 911e171bd6fc66e2960cbcdf8c48f2f97d19313b Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn at cryptomilk.org>
 Date: Thu, 31 Mar 2016 14:30:05 +0200
-Subject: [PATCH 8/9] CVE-2016-2110: s3:ntlmssp: Change want_fetures to require
- flags
+Subject: [PATCH 09/10] CVE-2016-2110: s3:ntlmssp: Change want_fetures to
+ require flags
 
 Pair-Programmed-With: Ralph Boehme <slow at samba.org>
 Signed-off-by: Andreas Schneider <asn at samba.org>
@@ -461,7 +531,7 @@ Signed-off-by: Ralph Boehme <slow at samba.org>
  1 file changed, 11 insertions(+), 6 deletions(-)
 
 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 00b8b85..60dfb67 100644
+index d5c83fd..309175b 100644
 --- a/source3/libsmb/ntlmssp.c
 +++ b/source3/libsmb/ntlmssp.c
 @@ -176,17 +176,19 @@ void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *featur
@@ -515,10 +585,10 @@ index 00b8b85..60dfb67 100644
 2.8.1
 
 
-From 6bea2025f95c5e2d8fe308bc679ff9d90ea1db07 Mon Sep 17 00:00:00 2001
+From a95a44eff90cdbd42d683567e0d511e9d52026ad Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn at samba.org>
 Date: Thu, 31 Mar 2016 15:02:11 +0200
-Subject: [PATCH 9/9] CVE-2016-2110: s3:ntlmssp: Fix downgrade also for the
+Subject: [PATCH 10/10] CVE-2016-2110: s3:ntlmssp: Fix downgrade also for the
  ntlmssp creds cache case
 
 Pair-Programmed-With: Ralph Boehme <slow at samba.org>
@@ -529,10 +599,10 @@ Signed-off-by: Ralph Boehme <slow at samba.org>
  1 file changed, 20 insertions(+), 22 deletions(-)
 
 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 60dfb67..5b7db89 100644
+index 309175b..045dc87 100644
 --- a/source3/libsmb/ntlmssp.c
 +++ b/source3/libsmb/ntlmssp.c
-@@ -530,6 +530,26 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
+@@ -538,6 +538,26 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
  	DATA_BLOB encrypted_session_key = data_blob_null;
  	NTSTATUS nt_status = NT_STATUS_OK;
  
@@ -559,7 +629,7 @@ index 60dfb67..5b7db89 100644
  	if (ntlmssp_state->use_ccache) {
  		struct wbcCredentialCacheParams params;
  		struct wbcCredentialCacheInfo *info = NULL;
-@@ -580,17 +600,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
+@@ -588,17 +608,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
  
  noccache:
  
@@ -577,7 +647,7 @@ index 60dfb67..5b7db89 100644
  	if (DEBUGLEVEL >= 10) {
  		struct CHALLENGE_MESSAGE *challenge = talloc(
  			talloc_tos(), struct CHALLENGE_MESSAGE);
-@@ -607,17 +616,6 @@ noccache:
+@@ -615,17 +624,6 @@ noccache:
  		}
  	}
  
diff --git a/debian/patches/CVE-2016-2111-v3-6.patch b/debian/patches/CVE-2016-2111-v3-6.patch
index abcd629..9817367 100644
--- a/debian/patches/CVE-2016-2111-v3-6.patch
+++ b/debian/patches/CVE-2016-2111-v3-6.patch
@@ -1,4 +1,4 @@
-From 8367bf408bea8c0c0d9bcbe47198c272cc954e2f Mon Sep 17 00:00:00 2001
+From ee105156fa151ebfd34b8febc2928e144b3b7b0e Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
 Date: Sat, 26 Sep 2015 01:29:10 +0200
 Subject: [PATCH 01/15] CVE-2016-2111: s3:rpc_server/netlogon: always go
@@ -62,7 +62,7 @@ index 4734bfe..54b8c5c 100644
 2.8.1
 
 
-From 3bb481e0d1d177919e6f9dd651c71916de03c37b Mon Sep 17 00:00:00 2001
+From f93668be5dffea9b67c5ec2d49ebf7495b74c7fc Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Fri, 7 Aug 2015 13:33:17 +0200
 Subject: [PATCH 02/15] CVE-2016-2111: s3:rpc_server/netlogon: require
@@ -102,7 +102,7 @@ index 54b8c5c..30e1bc0 100644
 2.8.1
 
 
-From 2d9b62b0dafd619c4ef812f78a76b3f771afc8bc Mon Sep 17 00:00:00 2001
+From 70f12940ef563f83310d5c82cf0a3fc5876d98ac Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sat, 12 Dec 2015 22:23:18 +0100
 Subject: [PATCH 03/15] CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon
@@ -141,7 +141,7 @@ index 26bed19..d39cf55 100644
 2.8.1
 
 
-From 2476a86f1a41f2dcd45994c9c40e395f5e19e505 Mon Sep 17 00:00:00 2001
+From d8e061a1bcbb88ab6ba0f0dffbcac16a5e1db4f9 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 23 Feb 2016 19:08:31 +0100
 Subject: [PATCH 04/15] CVE-2016-2111: libcli/auth: add
@@ -181,7 +181,7 @@ index 11b720df..558a6eb 100644
  /***********************************************************
   encode a password buffer with a unicode password.  The buffer
 diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
-index e0326d4..906e652 100644
+index 8fe606e..7c3142c 100644
 --- a/libcli/auth/smbencrypt.c
 +++ b/libcli/auth/smbencrypt.c
 @@ -26,7 +26,7 @@
@@ -193,7 +193,7 @@ index e0326d4..906e652 100644
  
  void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24])
  {
-@@ -515,6 +515,146 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx,
+@@ -522,6 +522,146 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx,
  				     lm_response, nt_response, lm_session_key, user_session_key);
  }
  
@@ -476,7 +476,7 @@ index 2668a6b..d562d17 100644
 2.8.1
 
 
-From 138ca374deab8758c63547cc78385e240ae20971 Mon Sep 17 00:00:00 2001
+From d49e3329a639a570db8e99a13796713fb5a23616 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Wed, 9 Dec 2015 13:12:43 +0100
 Subject: [PATCH 05/15] CVE-2016-2111: s3:rpc_server/netlogon: check
@@ -526,7 +526,7 @@ index 30e1bc0..a630b47 100644
 2.8.1
 
 
-From 120d4c156325fc8990ad10d24dd8261555e700ee Mon Sep 17 00:00:00 2001
+From bded435d42be34099d28db69258b1b5ef95ced48 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sat, 26 Mar 2016 22:24:23 +0100
 Subject: [PATCH 06/15] CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos
@@ -595,7 +595,7 @@ index a603111..b99d40f 100644
 2.8.1
 
 
-From 905d32faf30377269f5e4b4795b980482d421c62 Mon Sep 17 00:00:00 2001
+From 12c908158213b1b82aca5c4485961da89299b6cf Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sat, 26 Mar 2016 22:24:23 +0100
 Subject: [PATCH 07/15] CVE-2016-2111: s4:torture/base: don't use ntlmv2 for
@@ -668,7 +668,7 @@ index d7bac45..7f74bb9 100644
 2.8.1
 
 
-From 98ef79d88eb504ab337ce745bf1c2ac4bcffb86b Mon Sep 17 00:00:00 2001
+From 0b659fd0d7b684244c9791e01cc1370c0696e3f7 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sat, 26 Mar 2016 18:08:16 +0100
 Subject: [PATCH 08/15] CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2
@@ -708,7 +708,7 @@ index 8653ba7..4c0abdf 100644
 2.8.1
 
 
-From 2c6d69015bfa7bd1d0d8b55eb98677a43bdc5336 Mon Sep 17 00:00:00 2001
+From 5ed1b3a84a1e3d9707a788a89698aa28769a79be Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sun, 27 Mar 2016 01:09:05 +0100
 Subject: [PATCH 09/15] CVE-2016-2111: docs-xml: document the new "client
@@ -759,7 +759,7 @@ index b151df2..1b6d887 100644
 2.8.1
 
 
-From 18065d539f941c6a4042a1af3741313340f5065b Mon Sep 17 00:00:00 2001
+From 8ac4cd75a89732938b1e3161a884f9d5df68ffaf Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 15 Mar 2016 21:02:34 +0100
 Subject: [PATCH 10/15] CVE-2016-2111: docs-xml: add "raw NTLMv2 auth"
@@ -849,7 +849,7 @@ index 753252a..42ddcf5 100644
 2.8.1
 
 
-From 13bf1551e1fa25aa3d0d10192869d70da6ee556a Mon Sep 17 00:00:00 2001
+From de2ba16834dece138d8c0761cc3c834da42dfd33 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 15 Mar 2016 21:02:34 +0100
 Subject: [PATCH 11/15] CVE-2016-2111(<=4.3): loadparm: add "raw NTLMv2 auth"
@@ -891,7 +891,7 @@ index 42ddcf5..f806788 100644
 2.8.1
 
 
-From ed20bcd8047bdc120650a29f3e87b60f0384f152 Mon Sep 17 00:00:00 2001
+From 094fb71d1dda38894be501674c7ec3e4ec03078e Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 1 Mar 2016 10:25:54 +0100
 Subject: [PATCH 12/15] CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth"
@@ -944,7 +944,7 @@ index 288f461..98bbbef 100644
 2.8.1
 
 
-From c68847ec3bba2e9e0aae179ff176c4c804f4af3a Mon Sep 17 00:00:00 2001
+From a2ef1fb0cf0b83a2799b95795d31b8fb03da11bb Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sat, 26 Mar 2016 22:08:38 +0100
 Subject: [PATCH 13/15] CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth =
@@ -974,7 +974,7 @@ index 01a1c47..ee3696e 100644
 2.8.1
 
 
-From 33248b5ebfe6335f217dfd0bfc3a018482077011 Mon Sep 17 00:00:00 2001
+From 74da0e00f3b817dd20d6429f7ba7748f66b9b6a4 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 15 Mar 2016 21:59:42 +0100
 Subject: [PATCH 14/15] CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2
@@ -1024,7 +1024,7 @@ index f806788..7065cf6 100644
 2.8.1
 
 
-From 898e2ff88b7e370c88c9e30d1238eeed760619a5 Mon Sep 17 00:00:00 2001
+From 44530ad870745f8d649aff9cc18480aaeeccf01a Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn at samba.org>
 Date: Mon, 4 Apr 2016 16:44:39 +0200
 Subject: [PATCH 15/15] CVE-2016-2111: s3:selftest: Disable client ntlmv2 auth
diff --git a/debian/patches/CVE-2016-2112-v3-6.patch b/debian/patches/CVE-2016-2112-v3-6.patch
index acaab89..57c6f68 100644
--- a/debian/patches/CVE-2016-2112-v3-6.patch
+++ b/debian/patches/CVE-2016-2112-v3-6.patch
@@ -1,4 +1,4 @@
-From 92484160212322d6246b71145e683faa79bbbeab Mon Sep 17 00:00:00 2001
+From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn at cryptomilk.org>
 Date: Wed, 30 Mar 2016 16:55:44 +0200
 Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing
@@ -23,7 +23,7 @@ index 32b4e3d..43008ea 100644
  			const DATA_BLOB in, DATA_BLOB *out) ;
  NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 5b7db89..d31ae67 100644
+index 045dc87..7e58990 100644
 --- a/source3/libsmb/ntlmssp.c
 +++ b/source3/libsmb/ntlmssp.c
 @@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *dom
@@ -67,7 +67,7 @@ index 5b7db89..d31ae67 100644
 2.8.1
 
 
-From 641060a92762c3f1c22837ce9515ad9503a344d5 Mon Sep 17 00:00:00 2001
+From 15338742e0c7304aeecce0e8368f0dad85e8075b Mon Sep 17 00:00:00 2001
 From: Ralph Boehme <slow at samba.org>
 Date: Thu, 24 Mar 2016 16:22:36 +0100
 Subject: [PATCH 2/3] CVE-2016-2112: s3:libads: make sure we detect downgrade
@@ -128,7 +128,7 @@ index e7daa8a..6690f83 100644
 2.8.1
 
 
-From aa4dde5ce112083282147d61561b45c740f05cab Mon Sep 17 00:00:00 2001
+From b020ae88f9024bcc868ed2d85879d14901db32e5 Mon Sep 17 00:00:00 2001
 From: Andrew Bartlett <abartlet at samba.org>
 Date: Fri, 5 Sep 2014 17:38:38 +1200
 Subject: [PATCH 3/3] CVE-2016-2112: winbindd: Change value of "ldap sasl
diff --git a/debian/patches/CVE-2016-2115-v3-6.patch b/debian/patches/CVE-2016-2115-v3-6.patch
index 82514c4..6167d35 100644
--- a/debian/patches/CVE-2016-2115-v3-6.patch
+++ b/debian/patches/CVE-2016-2115-v3-6.patch
@@ -1,4 +1,4 @@
-From daead519703ca6953cd033d35b503549967e4d80 Mon Sep 17 00:00:00 2001
+From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sat, 27 Feb 2016 03:43:58 +0100
 Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option
@@ -118,7 +118,7 @@ index c5249b7..a612e5a3 100644
 2.8.1
 
 
-From 11f77c7646ca80c33ff25d8aec2e3c42eace1048 Mon Sep 17 00:00:00 2001
+From 633fcce5f7f488738ef8f45393aa8990e01118f4 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn at samba.org>
 Date: Tue, 5 Apr 2016 10:46:53 +0200
 Subject: [PATCH 2/4] CVE-2016-2115: s3: Use lp_client_ipc_signing() if we are
@@ -176,7 +176,7 @@ index 181a7b5..a0fcf27 100644
 2.8.1
 
 
-From 9b5d8e20e8bbaa422c68b28d1c411bae6c596b94 Mon Sep 17 00:00:00 2001
+From e319838866bdd3f5f1602b441516d07a1171ab24 Mon Sep 17 00:00:00 2001
 From: Ralph Boehme <slow at samba.org>
 Date: Thu, 31 Mar 2016 11:30:03 +0200
 Subject: [PATCH 3/4] CVE-2016-2115: s3/param: pick up s4 option "winbind
@@ -278,7 +278,7 @@ index c58f860..fdc9407 100644
 2.8.1
 
 
-From 0eea58205109a9f9b1b855705dba3c27b612cbd5 Mon Sep 17 00:00:00 2001
+From b47d8644e6a826f01dae3911fc510a7b2ff60273 Mon Sep 17 00:00:00 2001
 From: Andrew Bartlett <abartlet at samba.org>
 Date: Fri, 5 Sep 2014 17:00:31 +1200
 Subject: [PATCH 4/4] CVE-2016-2115: winbindd: Do not make anonymous
@@ -298,16 +298,16 @@ Reviewed-by: Stefan Metzmacher <metze at samba.org>
  1 file changed, 31 insertions(+), 1 deletion(-)
 
 diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index 8271279..4c55227 100644
+index 8271279..50a341e 100644
 --- a/source3/winbindd/winbindd_cm.c
 +++ b/source3/winbindd/winbindd_cm.c
 @@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
  	TALLOC_FREE(conn->samr_pipe);
  
   anonymous:
-+	if (lp_winbind_sealed_pipes()) {
++	if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
 +		status = NT_STATUS_DOWNGRADE_DETECTED;
-+		DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
++		DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
 +			  "without connection level security, "
 +			  "must set 'winbind sealed pipes = false' "
 +			  "to proceed: %s\n",
@@ -321,9 +321,9 @@ index 8271279..4c55227 100644
  
   anonymous:
  
-+	if (lp_winbind_sealed_pipes()) {
++	if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
 +		result = NT_STATUS_DOWNGRADE_DETECTED;
-+		DEBUG(1, ("Unwilling to make LSA connection to domain %s"
++		DEBUG(1, ("Unwilling to make LSA connection to domain %s "
 +			  "without connection level security, "
 +			  "must set 'winbind sealed pipes = false' "
 +			  "to proceed: %s\n",
@@ -340,9 +340,9 @@ index 8271279..4c55227 100644
  	if ((lp_client_schannel() == False) ||
 -			((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
 +		((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-+		if (lp_winbind_sealed_pipes()) {
++		if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
 +			result = NT_STATUS_DOWNGRADE_DETECTED;
-+			DEBUG(1, ("Unwilling to make connection to domain %s"
++			DEBUG(1, ("Unwilling to make connection to domain %s "
 +				  "without connection level security, "
 +				  "must set 'winbind sealed pipes = false' "
 +				  "to proceed: %s\n",
diff --git a/debian/patches/CVE-2016-2118-v3-6.patch b/debian/patches/CVE-2016-2118-v3-6.patch
index 6e5b5a2..a14a2d4 100644
--- a/debian/patches/CVE-2016-2118-v3-6.patch
+++ b/debian/patches/CVE-2016-2118-v3-6.patch
@@ -1,4 +1,4 @@
-From 71c10424cfdfb3487b06b3572f0569581a952d56 Mon Sep 17 00:00:00 2001
+From d68424b5ef92f5810760f90e9eeb664572a61e4e Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 15 Dec 2015 14:49:36 +0100
 Subject: [PATCH 01/10] CVE-2016-2118: s3: rpcclient: change the default auth
@@ -37,7 +37,7 @@ index 949e14c..81c5f42 100644
 2.8.1
 
 
-From 8dd2d22a5593c040814ef02ac5b74f741abd1984 Mon Sep 17 00:00:00 2001
+From 89f17bd1aea2bc4672e2fef6392881c792f52c86 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Fri, 11 Mar 2016 16:02:25 +0100
 Subject: [PATCH 02/10] CVE-2016-2118: s4:librpc: use integrity by default for
@@ -84,7 +84,7 @@ index 2cd9499..a6d0df5 100644
 2.8.1
 
 
-From b1ef57bab7cc3b6c2f1d1d4f01024068c8544b61 Mon Sep 17 00:00:00 2001
+From 198d8d61d171656a7bd45b688c01c3c9bfd1eb6d Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Thu, 10 Mar 2016 17:03:59 +0100
 Subject: [PATCH 03/10] CVE-2016-2118: docs-xml: add "allow dcerpc auth level
@@ -139,7 +139,7 @@ index 0000000..5552112
 2.8.1
 
 
-From b2ebdf3d9423e23b090311de93e56c04f69dd486 Mon Sep 17 00:00:00 2001
+From 052d417237aaebfc088348fc19314a5d704e3a55 Mon Sep 17 00:00:00 2001
 From: Ralph Boehme <slow at samba.org>
 Date: Fri, 18 Mar 2016 08:45:11 +0100
 Subject: [PATCH 04/10] CVE-2016-2118: param: add "allow dcerpc auth level
@@ -219,7 +219,7 @@ index fdc9407..87d33c5 100644
 2.8.1
 
 
-From bf1251499b1ea59b25e35a1bfe4967414bf9bd9d Mon Sep 17 00:00:00 2001
+From 2ec6ac0e4f5d5e12b12f1246c4aa466ccaea1b8e Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Fri, 18 Mar 2016 04:40:30 +0100
 Subject: [PATCH 05/10] CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc
@@ -354,7 +354,7 @@ index d659705..c462dcf 100644
 2.8.1
 
 
-From 65f5a36ee12233c4d501b937f894a7193ba32ef8 Mon Sep 17 00:00:00 2001
+From 37d164dc511a7b25cb0209ade4c2ec1e69c5e0c1 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Fri, 7 Aug 2015 09:50:30 +0200
 Subject: [PATCH 06/10] CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}:
@@ -456,7 +456,7 @@ index a733f14..8dfbf1e 100755
 2.8.1
 
 
-From 05cadb9cac8b7f477fe992126ca22c9bba69b6e7 Mon Sep 17 00:00:00 2001
+From c32407437c6bcf42e09df6b9c06a597a9f32fdd2 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn at samba.org>
 Date: Tue, 5 Apr 2016 09:54:38 +0200
 Subject: [PATCH 07/10] CVE-2016-2118: s3:selftest: The lsa tests which use
@@ -482,7 +482,7 @@ index 8717a4d..7d9275e 100644
 2.8.1
 
 
-From f77b2463989f68dc2a9bfe0123d23f066aa1ff42 Mon Sep 17 00:00:00 2001
+From 73b9cbc9f828a0f6f715ea26d19c673a4c8e4236 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sat, 26 Mar 2016 08:47:42 +0100
 Subject: [PATCH 08/10] CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow
@@ -533,7 +533,7 @@ index 3086b9e..964b843 100644
 2.8.1
 
 
-From 16ae4105218430d191df6c8ad7f51021c63b6606 Mon Sep 17 00:00:00 2001
+From 79699ebf983f629de7cecc861953d412d60cb6a1 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Thu, 10 Mar 2016 17:03:59 +0100
 Subject: [PATCH 09/10] CVE-2016-2118: docs-xml/param: default "allow dcerpc
@@ -588,7 +588,7 @@ index 87d33c5..a514727 100644
 2.8.1
 
 
-From 3abb6ea0e8cb7bbfdc52e7cb626628e27778726b Mon Sep 17 00:00:00 2001
+From 547ce7df460d6a15a9f1817b051042cceea76abf Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sun, 28 Feb 2016 22:48:11 +0100
 Subject: [PATCH 10/10] CVE-2016-2118: s3:rpc_server/samr: allow
diff --git a/debian/patches/CVE-preparation-v3-6.patch b/debian/patches/CVE-preparation-v3-6.patch
index 75e27fd..11e2029 100644
--- a/debian/patches/CVE-preparation-v3-6.patch
+++ b/debian/patches/CVE-preparation-v3-6.patch
@@ -1,7 +1,7 @@
 From 39a3fa39967faaf216be8e108ca57d07de1aa95a Mon Sep 17 00:00:00 2001
 From: Vadim Zhukov <persgray at gmail.com>
 Date: Sat, 25 May 2013 15:19:24 +0100
-Subject: [PATCH 01/40] pidl: Recent Perl warns about "defined(@var)"
+Subject: [PATCH 01/41] pidl: Recent Perl warns about "defined(@var)"
  constructs.
 
 Signed-off-by: Jelmer Vernooij <jelmer at samba.org>
@@ -48,7 +48,7 @@ index 2a46e92..c65092e 100755
 From 853bfa0392e690fc4500a3cde23438eb0404df52 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn at samba.org>
 Date: Fri, 1 Apr 2016 14:53:59 +0200
-Subject: [PATCH 02/40] s4:heimdal: Fix getopt with perl5
+Subject: [PATCH 02/41] s4:heimdal: Fix getopt with perl5
 
 ---
  source4/heimdal/cf/make-proto.pl | 6 +++---
@@ -85,7 +85,7 @@ index bc323b9..feee18a 100644
 From 84087c0ff8a5e9fcfdd9d504cd24fdd77ed19f56 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn at samba.org>
 Date: Fri, 1 Apr 2016 15:22:17 +0200
-Subject: [PATCH 03/40] s3-selftest: Fix building smbtorture4
+Subject: [PATCH 03/41] s3-selftest: Fix building smbtorture4
 
 ---
  source3/Makefile-smbtorture4 | 2 +-
@@ -127,7 +127,7 @@ index df08f87..245e61e 100755
 From b038303b4b5beb27a436a7c7d8dbac3fa9db95fa Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn at samba.org>
 Date: Fri, 1 Apr 2016 16:44:23 +0200
-Subject: [PATCH 04/40] selftest: Skip tests which do not work
+Subject: [PATCH 04/41] selftest: Skip tests which do not work
 
 ---
  source3/selftest/skip | 5 +++++
@@ -153,7 +153,7 @@ index b4de818..9d88dc8 100644
 From 4b951db066a3a7a9931b50d5af7c1bb3f58072b0 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 24 Nov 2015 15:40:29 +0100
-Subject: [PATCH 05/40] librpc/ndr: add ndr_ntlmssp_find_av() helper function
+Subject: [PATCH 05/41] librpc/ndr: add ndr_ntlmssp_find_av() helper function
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -208,7 +208,7 @@ index e07ff15..5c979ff 100644
 From 1b7d7ade976e9a86182b8b8cb0e32cc8d1a9f03d Mon Sep 17 00:00:00 2001
 From: Kai Blin <kai at samba.org>
 Date: Fri, 18 Jan 2013 18:35:15 +0100
-Subject: [PATCH 06/40] librpc: Add NDR_PRINT_DEBUGC to ndr print to a debug
+Subject: [PATCH 06/41] librpc: Add NDR_PRINT_DEBUGC to ndr print to a debug
  class
 
 Signed-off-by: Kai Blin <kai at samba.org>
@@ -574,7 +574,7 @@ index 8b442b6..ba17a27 100644
 From a78ed56ca69b44f1b35738438b019cae8b406a77 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Fri, 3 Jan 2014 09:25:23 +0100
-Subject: [PATCH 07/40] librpc/ndr: add LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
+Subject: [PATCH 07/41] librpc/ndr: add LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
 
 This lets ndr_pull_subcontext_end() make sure that all
 subcontext bytes are consumed otherwise it returns NDR_ERR_UNREAD_BYTES.
@@ -661,7 +661,7 @@ index ba17a27..fc11738 100644
 From 26a9f8f469ed83e8d15b3c626791a76ec72415b0 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Thu, 2 Jan 2014 11:18:38 +0100
-Subject: [PATCH 08/40] dcerpc.idl: add dcerpc_sec_verification_trailer
+Subject: [PATCH 08/41] dcerpc.idl: add dcerpc_sec_verification_trailer
 
 See [MS-RPCE] 2.2.2.13 Verification Trailer for details.
 
@@ -868,7 +868,7 @@ index 9e8e03d..4f9cbb4 100644
 From 61bffbdb21d845745261beb9107c57b8a3a163b5 Mon Sep 17 00:00:00 2001
 From: Andrew Tridgell <tridge at samba.org>
 Date: Wed, 7 Sep 2011 15:29:32 +1000
-Subject: [PATCH 09/40] libndr: moved the NDR_* flags to have less overlap
+Subject: [PATCH 09/41] libndr: moved the NDR_* flags to have less overlap
 
 We have 3 different types of flags values in our NDR layer. We've
 recently found bugs where these types of flags have been mixed up,
@@ -964,7 +964,7 @@ index 2453d5a..924a4e4 100644
 From 858d2740f460140e3f2d909b1ee6eca4912ba2f4 Mon Sep 17 00:00:00 2001
 From: Andrew Tridgell <tridge at samba.org>
 Date: Wed, 7 Sep 2011 15:34:20 +1000
-Subject: [PATCH 10/40] libndr: add checking to all pull/push functions of base
+Subject: [PATCH 10/41] libndr: add checking to all pull/push functions of base
  types
 
 this checks that the passed in ndr_flags are valid
@@ -1254,7 +1254,6 @@ index c7a2c11..2ce2dc3 100644
 2.8.1
 
 
- /****************************************************************************
 diff --git a/lib/util/bitmap.h b/lib/util/bitmap.h
 new file mode 100644
 index 0000000..cf7aa1b
@@ -1470,7 +1469,7 @@ index 9615907..cf786db 100644
 From 58191de16e3ce49723361049857a62a07b75c2d3 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sun, 5 Jan 2014 07:57:51 +0100
-Subject: [PATCH 12/40] s3:rpc_client: fill alloc_hint with the remaining data
+Subject: [PATCH 12/41] s3:rpc_client: fill alloc_hint with the remaining data
  not the total data.
 
 Signed-off-by: Stefan Metzmacher <metze at samba.org>
@@ -1500,7 +1499,7 @@ index 9636479..7d78772 100644
 From dadd2b521440a3d03038034c3dbb1f78045241c0 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sun, 5 Jan 2014 08:12:45 +0100
-Subject: [PATCH 13/40] s3:rpc_client: send a dcerpc_sec_verification_trailer
+Subject: [PATCH 13/41] s3:rpc_client: send a dcerpc_sec_verification_trailer
  if needed
 
 Signed-off-by: Stefan Metzmacher <metze at samba.org>
@@ -1829,7 +1828,7 @@ index 6561b28..8024f01 100644
 From 572ce89e8653d07bf81681267ee38bd29abbc4b3 Mon Sep 17 00:00:00 2001
 From: Gregor Beck <gbeck at sernet.de>
 Date: Thu, 2 Jan 2014 15:30:52 +0100
-Subject: [PATCH 14/40] librpc/ndr: add
+Subject: [PATCH 14/41] librpc/ndr: add
  ndr_pop_dcerpc_sec_verification_trailer()
 
 This extracts the dcerpc_sec_verification_trailer from the end
@@ -2024,7 +2023,7 @@ index 0000000..f544fb1
 From eec44076563f650a5e65e0d39b0a87b9e37d0373 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 8 Mar 2011 10:14:51 +0100
-Subject: [PATCH 15/40] librpc/ndr: add NDR_ERR_INCOMPLETE_BUFFER and
+Subject: [PATCH 15/41] librpc/ndr: add NDR_ERR_INCOMPLETE_BUFFER and
  LIBNDR_FLAG_INCOMPLETE_BUFFER
 
 If we pull a pipe chunk we need a way to check if we
@@ -2105,7 +2104,7 @@ index fc11738..2c82998 100644
 From d1ec252f3a7df1e7626ed27e986624f1e1eca6f9 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sat, 21 Sep 2013 22:30:25 +0200
-Subject: [PATCH 16/40] librpc/ndr: remember INCOMPLETE_BUFFER missing bytes in
+Subject: [PATCH 16/41] librpc/ndr: remember INCOMPLETE_BUFFER missing bytes in
  relative_highest_offset
 
 Signed-off-by: Stefan Metzmacher <metze at samba.org>
@@ -2148,7 +2147,7 @@ index d1156e9..d32db16 100644
 From e67e8d16d970d6b76de1df4399b170cab28225e1 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sat, 21 Sep 2013 21:58:05 +0200
-Subject: [PATCH 17/40] librpc/ndr: add support for a shallow copy to
+Subject: [PATCH 17/41] librpc/ndr: add support for a shallow copy to
  ndr_pull_subcontext_start/end
 
 This will be usefull to try parsing DCERPC pipe chunks for
@@ -2206,7 +2205,7 @@ index 2c82998..f7f366e 100644
 From 52606a96c64492d17abdd87fa07743c8d5885687 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sat, 21 Sep 2013 02:28:33 +0200
-Subject: [PATCH 18/40] librpc/ndr: add ndr_pull_append/pop()
+Subject: [PATCH 18/41] librpc/ndr: add ndr_pull_append/pop()
 
 They can be used to parse a fragmented NDR byte stream.
 
@@ -2362,7 +2361,7 @@ index f7f366e..453b1c1 100644
 From 527e379b59cd2b3c755857cb1017cd7c0611b38d Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Tue, 4 Feb 2014 12:54:42 +0100
-Subject: [PATCH 19/40] librpc/ndr: add ndr_syntax_id_[from|to]_string()
+Subject: [PATCH 19/41] librpc/ndr: add ndr_syntax_id_[from|to]_string()
 
 Signed-off-by: Stefan Metzmacher <metze at samba.org>
 Reviewed-by: Guenther Deschner <gd at samba.org>
@@ -2706,7 +2705,7 @@ index c4a1adb..fa643c8 100644
 From f9dcc92e71353524fd090265350dcb2aeb4e40d4 Mon Sep 17 00:00:00 2001
 From: Gregor Beck <gbeck at sernet.de>
 Date: Mon, 13 Jan 2014 13:33:09 +0100
-Subject: [PATCH 20/40] librpc/rpc: add
+Subject: [PATCH 20/41] librpc/rpc: add
  dcerpc_sec_vt_header2_[from_ncacn_packet|equal]()
 
 Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
@@ -2823,7 +2822,7 @@ index 924645d..4f9190d 100644
 From d9c11a2fd6d2e63ba3f024f7f82ea2cc11a6eb53 Mon Sep 17 00:00:00 2001
 From: Gregor Beck <gbeck at sernet.de>
 Date: Wed, 8 Jan 2014 09:50:33 +0100
-Subject: [PATCH 21/40] librpc/rpc: add dcerpc_sec_verification_trailer_check()
+Subject: [PATCH 21/41] librpc/rpc: add dcerpc_sec_verification_trailer_check()
 
 Signed-off-by: Gregor Beck <gbeck at sernet.de>
 Reviewed-by: Stefan Metzmacher <metze at samba.org>
@@ -3032,7 +3031,7 @@ index 1f8e556..751d4a3 100644
 From 1337bc1628e555ceb3784a41d750f35ca1dad9f4 Mon Sep 17 00:00:00 2001
 From: Andrew Tridgell <tridge at samba.org>
 Date: Wed, 7 Sep 2011 15:35:55 +1000
-Subject: [PATCH 22/40] torture-ndr: added support for testing push functions
+Subject: [PATCH 22/41] torture-ndr: added support for testing push functions
 
 this allows us to check the symmetry of pull/push functions in NDR
 tests
@@ -3198,7 +3197,7 @@ index b248527..ee4db0a 100644
 From 07c59161786705a447cbda8555f64102d381e9c7 Mon Sep 17 00:00:00 2001
 From: Andrew Tridgell <tridge at samba.org>
 Date: Wed, 7 Sep 2011 15:36:22 +1000
-Subject: [PATCH 23/40] torture-ndr: fixed NDR tests for DFS blobs
+Subject: [PATCH 23/41] torture-ndr: fixed NDR tests for DFS blobs
 
 Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
 ---
@@ -3231,7 +3230,7 @@ index 23a32e1..8f62497 100644
 From 5d681fbe64867bd7581a0fb81c4222afd64e7d1b Mon Sep 17 00:00:00 2001
 From: Andrew Tridgell <tridge at samba.org>
 Date: Wed, 7 Sep 2011 15:36:38 +1000
-Subject: [PATCH 24/40] torture-ndr: fixed NDR tests for NBT blobs
+Subject: [PATCH 24/41] torture-ndr: fixed NDR tests for NBT blobs
 
 Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
 ---
@@ -3261,7 +3260,7 @@ index 8955f4d..5c35e7a 100644
 From e5606230a49cec5c87332feb85eb105fa23a6894 Mon Sep 17 00:00:00 2001
 From: Andrew Tridgell <tridge at samba.org>
 Date: Wed, 7 Sep 2011 15:36:57 +1000
-Subject: [PATCH 25/40] torture-ndr: fixed NDR tests for NTLMSSP blobs
+Subject: [PATCH 25/41] torture-ndr: fixed NDR tests for NTLMSSP blobs
 
 Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
 ---
@@ -3294,7 +3293,7 @@ index b139fdf..038b360 100644
 From 2bea7253c1916cc9cf6375d92bcbacff9621d917 Mon Sep 17 00:00:00 2001
 From: Andrew Tridgell <tridge at samba.org>
 Date: Wed, 7 Sep 2011 15:37:22 +1000
-Subject: [PATCH 26/40] torture-drs: fixed NDR tests for DRS blobs
+Subject: [PATCH 26/41] torture-drs: fixed NDR tests for DRS blobs
 
 this also adds new tests for trustAuthInOutBlob blobs
 
@@ -3372,7 +3371,7 @@ index ca3fa1d..d127819 100644
 From d9f8f02cf06cc1a1235de1b23b0ee9368a557a36 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
 Date: Tue, 15 Jan 2013 17:04:08 +0100
-Subject: [PATCH 27/40] s4-torture: allow to do ndr tests with flags, not only
+Subject: [PATCH 27/41] s4-torture: allow to do ndr tests with flags, not only
  ndr_flags.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -3471,7 +3470,7 @@ index ee4db0a..068d5f6 100644
 From 6375a7a93f9bee57b1bdebf4348598b819aa7c3f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
 Date: Fri, 1 Feb 2013 17:45:02 +0100
-Subject: [PATCH 28/40] s4-torture: make sure to deal with the highest relative
+Subject: [PATCH 28/41] s4-torture: make sure to deal with the highest relative
  pointer offset correctly.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -3564,7 +3563,7 @@ index 2a87d14..8cdc4e7 100644
 From e06603fa6ddac5e846711c8503616ee5e1978fb9 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sat, 11 Jan 2014 11:52:37 +0100
-Subject: [PATCH 29/40] dcerpc.idl: add a bitmap for dcerpc_pfc_flags
+Subject: [PATCH 29/41] dcerpc.idl: add a bitmap for dcerpc_pfc_flags
 
 Signed-off-by: Stefan Metzmacher <metze at samba.org>
 Reviewed-by: Guenther Deschner <gd at samba.org>
@@ -3624,7 +3623,7 @@ index 6c4e4c1..4f99021 100644
 From 67e2b1dca0cf65aa6bb24ed35e2fb008a5212a20 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Sun, 15 Sep 2013 16:43:22 +0200
-Subject: [PATCH 30/40] dcerpc.idl: add DCERPC_NCACN_PAYLOAD_OFFSET
+Subject: [PATCH 30/41] dcerpc.idl: add DCERPC_NCACN_PAYLOAD_OFFSET
 
 Signed-off-by: Stefan Metzmacher <metze at samba.org>
 Reviewed-by: Michael Adam <obnox at samba.org>
@@ -3653,7 +3652,7 @@ index 4f99021..75ef2ec 100644
 From 610bdbc90cf2db843d1f45ce6d9f37b3ebf38ae1 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze at samba.org>
 Date: Mon, 13 Jan 2014 10:16:40 +0100
-Subject: [PATCH 31/40] s3:rpcclient: add support for DCERPC_AUTH_LEVEL_CONNECT
+Subject: [PATCH 31/41] s3:rpcclient: add support for DCERPC_AUTH_LEVEL_CONNECT
 
 Signed-off-by: Stefan Metzmacher <metze at samba.org>
 Reviewed-by: Guenther Deschner <gd at samba.org>
@@ -3722,7 +3721,7 @@ index c2f3e4c..949e14c 100644
 From edba19cd2d347d1bcfc527f2bda4f6a6f660bfff Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn at samba.org>
 Date: Mon, 2 Jan 2012 18:54:47 +0100
-Subject: [PATCH 32/40] s3-rpc_client: Add capabilities check for AES encrypted
+Subject: [PATCH 32/41] s3-rpc_client: Add capabilities check for AES encrypted
  connections.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -4030,7 +4029,7 @@ index 5bf4549..6663656 100644
 From 686a10e801a58133f7f8cef9751c9fe7c5896d05 Mon Sep 17 00:00:00 2001
 From: Andrew Bartlett <abartlet at samba.org>
 Date: Tue, 3 Jan 2012 15:57:40 +1100
-Subject: [PATCH 33/40] s3-selftest: Add test for rpcclient
+Subject: [PATCH 33/41] s3-selftest: Add test for rpcclient
 
 Andrew Bartlett
 
@@ -4096,7 +4095,7 @@ index 028012c..a733f14 100755
 From 20f3bdf575b3e6d5dcc970a633f6d0756ec2bb86 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
 Date: Tue, 11 Dec 2012 09:25:53 +0100
-Subject: [PATCH 34/40] s4-torture: move samr_ValidatePassword test out of main
+Subject: [PATCH 34/41] s4-torture: move samr_ValidatePassword test out of main
  samr test.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -4184,7 +4183,7 @@ index adfc5d4..8806763 100644
 From 0dd65ea3941450b191d44cac180aaa58735639b7 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn at samba.org>
 Date: Tue, 30 Aug 2011 16:37:40 +0200
-Subject: [PATCH 35/40] s3-rpc_server: Make sure we switch always the
+Subject: [PATCH 35/41] s3-rpc_server: Make sure we switch always the
  connecting user.
 
 We always have a valid session info and if it is a anonymous connection
@@ -4249,7 +4248,7 @@ index cb50573..eace128 100644
 From c6f5caa838a3fc1890286759cc6c6e7b4b5aeec3 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn at samba.org>
 Date: Fri, 8 Apr 2016 14:18:28 +0200
-Subject: [PATCH 36/40] s3:rpc_server: Store the syntax in the pipes_fn
+Subject: [PATCH 36/41] s3:rpc_server: Store the syntax in the pipes_fn
  structure
 
 ---
@@ -4368,7 +4367,7 @@ index eace128..6e4e760 100644
 From 09e5c8f477f70d81467794a51ab1f30269e80fb3 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn at samba.org>
 Date: Fri, 8 Apr 2016 14:27:43 +0200
-Subject: [PATCH 37/40] s3:rpc_server: Simplify api_pipe_request() logic.
+Subject: [PATCH 37/41] s3:rpc_server: Simplify api_pipe_request() logic.
 
 Signed-off-by: Andreas Schneider <asn at samba.org>
 ---
@@ -4451,7 +4450,7 @@ index 6e4e760..57386b2 100644
 From 9d6412e6860d6934fd2c6e1e4590e48e419133de Mon Sep 17 00:00:00 2001
 From: Gregor Beck <gbeck at sernet.de>
 Date: Fri, 10 Jan 2014 13:56:06 +0100
-Subject: [PATCH 38/40] s3:rpc_server: check verification trailer
+Subject: [PATCH 38/41] s3:rpc_server: check verification trailer
 
 Signed-off-by: Gregor Beck <gbeck at sernet.de>
 Reviewed-by: Stefan Metzmacher <metze at samba.org>
@@ -4535,7 +4534,7 @@ index 57386b2..3d49d79 100644
 From 5b3d5fa29425ca03189547b133f929dea992fceb Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn at samba.org>
 Date: Wed, 27 Jun 2012 15:21:11 +0200
-Subject: [PATCH 39/40] s3-rpc_server: Make it possible to use more rpc
+Subject: [PATCH 39/41] s3-rpc_server: Make it possible to use more rpc
  exceptions.
 
 ---
@@ -7648,7 +7647,7 @@ index 2d3ec1e..be16250 100644
 From 079831e3d8fe62ad00f31a67688251ea4991c037 Mon Sep 17 00:00:00 2001
 From: Jeremy Allison <jra at samba.org>
 Date: Thu, 17 Oct 2013 14:44:35 -0700
-Subject: [PATCH 40/40] CVE-2013-4408:s3:Ensure we always check call_id when
+Subject: [PATCH 40/41] CVE-2013-4408:s3:Ensure we always check call_id when
  validating an RPC reply.
 
 Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
@@ -7708,3 +7707,48 @@ index 6663656..5ddabb7 100644
 -- 
 2.8.1
 
+
+From ea6f2386611d0a4edd65962a59b3448be976c1bb Mon Sep 17 00:00:00 2001
+From: Christian Ambach <christian.ambach at de.ibm.com>
+Date: Thu, 7 Apr 2011 14:01:50 +0200
+Subject: [PATCH 41/41] libcli: allow exclusion of netbios name in NTLMV2 blob
+
+when no hostname is given, leave away the MsvAvNbComputerName part
+of the ntlmv2 blob
+
+Signed-off-by: Andrew Bartlett <abartlet at samba.org>
+---
+ libcli/auth/smbencrypt.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
+index e0326d4..8fe606e 100644
+--- a/libcli/auth/smbencrypt.c
++++ b/libcli/auth/smbencrypt.c
+@@ -355,11 +355,18 @@ DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX *mem_ctx,
+ 	DATA_BLOB names_blob = data_blob_talloc(mem_ctx, NULL, 0);
+ 
+ 	/* Deliberately ignore return here.. */
+-	(void)msrpc_gen(mem_ctx, &names_blob,
+-		  "aaa",
+-		  MsvAvNbDomainName, domain,
+-		  MsvAvNbComputerName, hostname,
+-		  MsvAvEOL, "");
++	if (hostname != NULL) {
++		(void)msrpc_gen(mem_ctx, &names_blob,
++			  "aaa",
++			  MsvAvNbDomainName, domain,
++			  MsvAvNbComputerName, hostname,
++			  MsvAvEOL, "");
++	} else {
++		(void)msrpc_gen(mem_ctx, &names_blob,
++			  "aa",
++			  MsvAvNbDomainName, domain,
++			  MsvAvEOL, "");
++	}
+ 	return names_blob;
+ }
+ 
+-- 
+2.8.1
+

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git




More information about the Pkg-samba-maint mailing list