SOURCES/CVE-2023-3961.patch

@@ -0,0 +1,45 @@
+From ae476e1c28b797fe221172ed1066bf8efa476d8d Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 25 Jul 2023 17:41:04 -0700
+Subject: [PATCH] CVE-2023-3961:s3:smbd: Catch any incoming pipe path that
+ could exit socket_dir.
+
+For now, SMB_ASSERT() to exit the server. We will remove
+this once the test code is in place.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/rpc_client/local_np.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
+index 0e912d0e35a..dfed7e7beb6 100644
+--- a/source3/rpc_client/local_np.c
++++ b/source3/rpc_client/local_np.c
+@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send(
+ 		return tevent_req_post(req, ev);
+ 	}
+ 
++	/*
++	 * Ensure we cannot process a path that exits
++	 * the socket_dir.
++	 */
++	if (ISDOTDOT(lower_case_pipename) ||
++	    (strchr(lower_case_pipename, '/')!=NULL))
++	{
++		DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
++			lower_case_pipename);
++		/*
++		 * For now, panic the server until we have
++		 * the test code in place.
++		 */
++		SMB_ASSERT(false);
++		tevent_req_error(req, ENOENT);
++		return tevent_req_post(req, ev);
++	}
++
+ 	state->socketpath = talloc_asprintf(
+ 		state, "%s/np/%s", socket_dir, lower_case_pipename);
+ 	if (tevent_req_nomem(state->socketpath, req)) {

SOURCES/CVE-2023-4091.patch

@@ -0,0 +1,183 @@
+From b1fd65694185c26f1e196d84ee8756300e631bd5 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 1 Aug 2023 12:30:00 +0200
+Subject: [PATCH] CVE-2023-4091: smbtorture: test overwrite dispositions on
+ read-only file
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ selftest/knownfail.d/samba3.smb2.acls |   1 +
+ source4/torture/smb2/acls.c           | 143 ++++++++++++++++++++++++++
+ 2 files changed, 144 insertions(+)
+ create mode 100644 selftest/knownfail.d/samba3.smb2.acls
+
+diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
+new file mode 100644
+index 00000000000..18df260c0e5
+--- /dev/null
++++ b/selftest/knownfail.d/samba3.smb2.acls
+@@ -0,0 +1 @@
++^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
+diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
+index bbf201bcf4b..53f482c5541 100644
+--- a/source4/torture/smb2/acls.c
++++ b/source4/torture/smb2/acls.c
+@@ -2989,6 +2989,148 @@ static bool test_mxac_not_granted(struct torture_context *tctx,
+ 	return ret;
+ }
+ 
++static bool test_overwrite_read_only_file(struct torture_context *tctx,
++					  struct smb2_tree *tree)
++{
++	NTSTATUS status;
++	struct smb2_create c;
++	const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt";
++	struct smb2_handle handle = {{0}};
++	union smb_fileinfo q;
++	union smb_setfileinfo set;
++	struct security_descriptor *sd = NULL, *sd_orig = NULL;
++	const char *owner_sid = NULL;
++	int i;
++	bool ret = true;
++
++	struct tcase {
++		int disposition;
++		const char *disposition_string;
++		NTSTATUS expected_status;
++	} tcases[] = {
++#define TCASE(d, s) {				\
++		.disposition = d,		\
++		.disposition_string = #d,	\
++		.expected_status = s,		\
++	}
++		TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK),
++		TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED),
++		TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED),
++		TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED),
++	};
++#undef TCASE
++
++	ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
++	torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok");
++
++	c = (struct smb2_create) {
++		.in.desired_access = SEC_STD_READ_CONTROL |
++			SEC_STD_WRITE_DAC |
++			SEC_STD_WRITE_OWNER,
++		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
++		.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
++			NTCREATEX_SHARE_ACCESS_WRITE,
++		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
++		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
++		.in.fname = fname,
++	};
++
++	status = smb2_create(tree, tctx, &c);
++	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
++					"smb2_create failed\n");
++	handle = c.out.file.handle;
++
++	torture_comment(tctx, "get the original sd\n");
++
++	ZERO_STRUCT(q);
++	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
++	q.query_secdesc.in.file.handle = handle;
++	q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
++
++	status = smb2_getinfo_file(tree, tctx, &q);
++	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
++					"smb2_getinfo_file failed\n");
++	sd_orig = q.query_secdesc.out.sd;
++
++	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
++
++	sd = security_descriptor_dacl_create(tctx,
++					0, NULL, NULL,
++					owner_sid,
++					SEC_ACE_TYPE_ACCESS_ALLOWED,
++					SEC_FILE_READ_DATA,
++					0,
++					NULL);
++
++	ZERO_STRUCT(set);
++	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
++	set.set_secdesc.in.file.handle = handle;
++	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
++	set.set_secdesc.in.sd = sd;
++
++	status = smb2_setinfo_file(tree, &set);
++	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
++					"smb2_setinfo_file failed\n");
++
++	smb2_util_close(tree, handle);
++	ZERO_STRUCT(handle);
++
++	for (i = 0; i < ARRAY_SIZE(tcases); i++) {
++		torture_comment(tctx, "Verify open with %s dispostion\n",
++				tcases[i].disposition_string);
++
++		c = (struct smb2_create) {
++			.in.create_disposition = tcases[i].disposition,
++			.in.desired_access = SEC_FILE_READ_DATA,
++			.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
++			.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
++			.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
++			.in.fname = fname,
++		};
++
++		status = smb2_create(tree, tctx, &c);
++		smb2_util_close(tree, c.out.file.handle);
++		torture_assert_ntstatus_equal_goto(
++			tctx, status, tcases[i].expected_status, ret, done,
++			"smb2_create failed\n");
++	};
++
++	torture_comment(tctx, "put back original sd\n");
++
++	c = (struct smb2_create) {
++		.in.desired_access = SEC_STD_WRITE_DAC,
++		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
++		.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
++		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
++		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
++		.in.fname = fname,
++	};
++
++	status = smb2_create(tree, tctx, &c);
++	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
++					"smb2_create failed\n");
++	handle = c.out.file.handle;
++
++	ZERO_STRUCT(set);
++	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
++	set.set_secdesc.in.file.handle = handle;
++	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
++	set.set_secdesc.in.sd = sd_orig;
++
++	status = smb2_setinfo_file(tree, &set);
++	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
++					"smb2_setinfo_file failed\n");
++
++	smb2_util_close(tree, handle);
++	ZERO_STRUCT(handle);
++
++done:
++	smb2_util_close(tree, handle);
++	smb2_util_unlink(tree, fname);
++	smb2_deltree(tree, BASEDIR);
++	return ret;
++}
++
+ /*
+    basic testing of SMB2 ACLs
+ */
+@@ -3017,6 +3159,7 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx)
+ 			test_deny1);
+ 	torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED",
+ 			test_mxac_not_granted);
++	torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file);
+ 
+ 	suite->description = talloc_strdup(suite, "SMB2-ACLS tests");
+ 

SOURCES/CVE-2023-42669.patch

@@ -0,0 +1,86 @@
+From 3cf1beed5df7d8b5d854517de7de322c6a5bc7fa Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 12 Sep 2023 18:59:44 +1200
+Subject: [PATCH] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
+ default
+
+The rpcecho server is useful in development and testing, but should never
+have been allowed into production, as it includes the facility to
+do a blocking sleep() in the single-threaded rpc worker.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
+ lib/param/loadparm.c                                   | 2 +-
+ selftest/target/Samba4.pm                              | 2 +-
+ source3/param/loadparm.c                               | 2 +-
+ source4/rpc_server/wscript_build                       | 3 ++-
+ 5 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+index 8a217cc7f118..c6642b795fd6 100644
+--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
++++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+@@ -6,6 +6,6 @@
+ 	<para>Specifies which DCE/RPC endpoint servers should be run.</para>
+ </description>
+ 
+-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
++<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+ <value type="example">rpcecho</value>
+ </samba:parameter>
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index 9a7ae4f95fe8..673b913e6e5a 100644
+--- a/lib/param/loadparm.c
++++ b/lib/param/loadparm.c
+@@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+ 	lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
+ 	lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
+ 
+-	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
++	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+ 	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
+ 	lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
+ 	/* the winbind method for domain controllers is for both RODC
+diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
+index 49e3c174b07e..5f1f1bfffad6 100755
+--- a/selftest/target/Samba4.pm
++++ b/selftest/target/Samba4.pm
+@@ -783,7 +783,7 @@ sub provision_raw_step1($$)
+ 	wins support = yes
+ 	server role = $ctx->{server_role}
+ 	server services = +echo $services
+-        dcerpc endpoint servers = +winreg +srvsvc
++        dcerpc endpoint servers = +winreg +srvsvc +rpcecho
+ 	notify:inotify = false
+ 	ldb:nosync = true
+ 	ldap server require strong auth = yes
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 1c3644589126..e7f4bbe3995e 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
+ 
+ 	Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
+ 
+-	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
++	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
+ 
+ 	Globals.tls_enabled = true;
+ 	Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
+diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
+index 0e44a3c2baed..31ec4f60c9a6 100644
+--- a/source4/rpc_server/wscript_build
++++ b/source4/rpc_server/wscript_build
+@@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho',
+                  source='echo/rpc_echo.c',
+                  subsystem='dcerpc_server',
+                  init_function='dcerpc_server_rpcecho_init',
+-                 deps='ndr-standard events'
++                 deps='ndr-standard events',
++                 enabled=bld.CONFIG_GET('ENABLE_SELFTEST')
+                  )
+ 
+ 

SOURCES/nsswitch-add-test-for-pthread_key_delete-missuse.patch

@@ -0,0 +1,613 @@
+From ced40c5a805dcfb06d5f3d68aa45a0aaa44bfdca Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 8 Sep 2023 13:57:26 +0200
+Subject: [PATCH 1/5] nsswitch: add test for pthread_key_delete missuse (bug
+ 15464)
+
+This is based on https://bugzilla.samba.org/attachment.cgi?id=18081
+written by Krzysztof Piotr Oledzki <ole@ans.pl>
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 62af25d44e542548d8cdecb061a6001e0071ee76)
+---
+ nsswitch/b15464-testcase.c            | 77 +++++++++++++++++++++++++++
+ nsswitch/wscript_build                |  5 ++
+ selftest/knownfail.d/b15464_testcase  |  1 +
+ source3/selftest/tests.py             |  6 +++
+ testprogs/blackbox/b15464-testcase.sh | 21 ++++++++
+ 5 files changed, 110 insertions(+)
+ create mode 100644 nsswitch/b15464-testcase.c
+ create mode 100644 selftest/knownfail.d/b15464_testcase
+ create mode 100755 testprogs/blackbox/b15464-testcase.sh
+
+diff --git a/nsswitch/b15464-testcase.c b/nsswitch/b15464-testcase.c
+new file mode 100644
+index 000000000000..decb474a81ee
+--- /dev/null
++++ b/nsswitch/b15464-testcase.c
+@@ -0,0 +1,77 @@
++#include "replace.h"
++#include "system/wait.h"
++#include "system/threads.h"
++#include <assert.h>
++
++int main(int argc, const char *argv[])
++{
++	pid_t pid;
++	int wstatus;
++	pthread_key_t k1;
++	pthread_key_t k2;
++	pthread_key_t k3;
++	char *val = NULL;
++	const char *nss_winbind = (argc >= 2 ? argv[1] : "bin/plugins/libnss_winbind.so.2");
++	void *nss_winbind_handle = NULL;
++	union {
++		int (*fn)(void);
++		void *symbol;
++	} nss_winbind_endpwent = { .symbol = NULL, };
++
++	/*
++	 * load and invoke something simple like
++	 * _nss_winbind_endpwent in order to
++	 * get the libnss_winbind internal going
++	 */
++	nss_winbind_handle = dlopen(nss_winbind, RTLD_NOW);
++	printf("%d: nss_winbind[%s] nss_winbind_handle[%p]\n",
++	       getpid(), nss_winbind, nss_winbind_handle);
++	assert(nss_winbind_handle != NULL);
++
++	nss_winbind_endpwent.symbol = dlsym(nss_winbind_handle,
++					    "_nss_winbind_endpwent");
++	printf("%d: nss_winbind_handle[%p] _nss_winbind_endpwent[%p]\n",
++	       getpid(), nss_winbind_handle, nss_winbind_endpwent.symbol);
++	assert(nss_winbind_endpwent.symbol != NULL);
++	(void)nss_winbind_endpwent.fn();
++
++	val = malloc(1);
++	assert(val != NULL);
++
++	pthread_key_create(&k1, NULL);
++	pthread_setspecific(k1, val);
++	printf("%d: k1=%d\n", getpid(), k1);
++
++	pid = fork();
++	if (pid) {
++		free(val);
++		wait(&wstatus);
++		return WEXITSTATUS(wstatus);
++	}
++
++	pthread_key_create(&k2, NULL);
++	pthread_setspecific(k2, val);
++
++	printf("%d: Hello after fork, k1=%d, k2=%d\n", getpid(), k1, k2);
++
++	pid = fork();
++
++	if (pid) {
++		free(val);
++		wait(&wstatus);
++		return WEXITSTATUS(wstatus);
++	}
++
++	pthread_key_create(&k3, NULL);
++	pthread_setspecific(k3, val);
++
++	printf("%d: Hello after fork2, k1=%d, k2=%d, k3=%d\n", getpid(), k1, k2, k3);
++
++	if (k1 == k2 || k2 == k3) {
++		printf("%d: FAIL inconsistent keys\n", getpid());
++		return 1;
++	}
++
++	printf("%d: OK consistent keys\n", getpid());
++	return 0;
++}
+diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
+index 3247b6c2b7c3..4e62bb4c9461 100644
+--- a/nsswitch/wscript_build
++++ b/nsswitch/wscript_build
+@@ -15,6 +15,11 @@ if bld.CONFIG_SET('HAVE_PTHREAD'):
+ 		     deps='wbclient pthread',
+ 		     for_selftest=True
+ 		     )
++    bld.SAMBA_BINARY('b15464-testcase',
++		     source='b15464-testcase.c',
++		     deps='replace pthread dl',
++		     for_selftest=True
++		     )
+ 
+ # The nss_wrapper code relies strictly on the linux implementation and
+ # name, so compile but do not install a copy under this name.
+diff --git a/selftest/knownfail.d/b15464_testcase b/selftest/knownfail.d/b15464_testcase
+new file mode 100644
+index 000000000000..94dd7db7c2a5
+--- /dev/null
++++ b/selftest/knownfail.d/b15464_testcase
+@@ -0,0 +1 @@
++^b15464_testcase.run.b15464-testcase
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index 0c834ed48b5e..ea17ead3eda7 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -67,6 +67,8 @@ except KeyError:
+     samba4bindir = bindir()
+     config_h = os.path.join(samba4bindir, "default/include/config.h")
+ 
++bbdir = os.path.join(srcdir(), "testprogs/blackbox")
++
+ # check available features
+ config_hash = dict()
+ f = open(config_h, 'r')
+@@ -936,6 +938,10 @@ if with_pthreadpool:
+                   [os.path.join(samba3srcdir,
+                                 "script/tests/test_libwbclient_threads.sh"),
+                    "$DOMAIN", "$DC_USERNAME"])
++    plantestsuite("b15464_testcase", "none",
++                  [os.path.join(bbdir, "b15464-testcase.sh"),
++                   binpath("b15464-testcase"),
++                   binpath("plugins/libnss_winbind.so.2")])
+ 
+ plantestsuite("samba3.test_nfs4_acl", "none",
+               [os.path.join(bindir(), "test_nfs4_acls"),
+diff --git a/testprogs/blackbox/b15464-testcase.sh b/testprogs/blackbox/b15464-testcase.sh
+new file mode 100755
+index 000000000000..b0c88260d4cc
+--- /dev/null
++++ b/testprogs/blackbox/b15464-testcase.sh
+@@ -0,0 +1,21 @@
++#!/bin/sh
++# Blackbox wrapper for bug 15464
++# Copyright (C) 2023 Stefan Metzmacher
++
++if [ $# -lt 2 ]; then
++	cat <<EOF
++Usage: b15464-testcase.sh B15464_TESTCASE LIBNSS_WINBIND
++EOF
++	exit 1
++fi
++
++b15464_testcase=$1
++libnss_winbind=$2
++shift 2
++failed=0
++
++. $(dirname $0)/subunit.sh
++
++testit "run b15464-testcase" $VALGRIND $b15464_testcase $libnss_winbind || failed=$(expr $failed + 1)
++
++testok $0 $failed
+-- 
+2.34.1
+
+
+From 08728ee7847d7864d4c72a4ac1ddfeca78934326 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 7 Sep 2023 16:02:32 +0200
+Subject: [PATCH 2/5] nsswitch/wb_common.c: fix build without HAVE_PTHREAD
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 4faf806412c4408db25448b1f67c09359ec2f81f)
+---
+ nsswitch/wb_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
+index d569e761ebe4..c382a44c1209 100644
+--- a/nsswitch/wb_common.c
++++ b/nsswitch/wb_common.c
+@@ -104,7 +104,6 @@ static void wb_thread_ctx_initialize(void)
+ 				 wb_thread_ctx_destructor);
+ 	assert(ret == 0);
+ }
+-#endif
+ 
+ static struct winbindd_context *get_wb_thread_ctx(void)
+ {
+@@ -139,6 +138,7 @@ static struct winbindd_context *get_wb_thread_ctx(void)
+ 	}
+ 	return ctx;
+ }
++#endif /* HAVE_PTHREAD */
+ 
+ static struct winbindd_context *get_wb_global_ctx(void)
+ {
+-- 
+2.34.1
+
+
+From d1f43cd4cc6aeb2ac9fcaee9aa512012ca92ecb3 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 8 Sep 2023 09:53:42 +0200
+Subject: [PATCH 3/5] nsswitch/wb_common.c: winbind_destructor can always use
+ get_wb_global_ctx()
+
+The HAVE_PTHREAD logic inside of get_wb_global_ctx() will do all
+required magic.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 836823e5047d0eb18e66707386ba03b812adfaf8)
+---
+ nsswitch/wb_common.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
+index c382a44c1209..d56e48d9bdb8 100644
+--- a/nsswitch/wb_common.c
++++ b/nsswitch/wb_common.c
+@@ -246,14 +246,10 @@ static void winbind_destructor(void)
+ 		return;
+ 	}
+ 
+-#ifdef HAVE_PTHREAD_H
+-	ctx = (struct winbindd_context *)pthread_getspecific(wb_global_ctx.key);
++	ctx = get_wb_global_ctx();
+ 	if (ctx == NULL) {
+ 		return;
+ 	}
+-#else
+-	ctx = get_wb_global_ctx();
+-#endif
+ 
+ 	winbind_close_sock(ctx);
+ }
+-- 
+2.34.1
+
+
+From 6e29ea5b9efe5cf166cc9d633c1dc4eb8f192736 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 8 Sep 2023 09:56:47 +0200
+Subject: [PATCH 4/5] nsswitch/wb_common.c: don't operate on a stale
+ wb_global_ctx.key
+
+If nss_winbind is loaded into a process that uses fork multiple times
+without any further calls into nss_winbind, wb_atfork_child handler
+was using a wb_global_ctx.key that was no longer registered in the
+pthread library, so we operated on a slot that was potentially
+reused by other libraries or the main application. Which is likely
+to cause memory corruption.
+
+So we better don't call pthread_key_delete() in wb_atfork_child().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
+
+Reported-by: Krzysztof Piotr Oledzki <ole@ans.pl>
+Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 91b30a7261e6455d3a4f31728c23e4849e3945b9)
+---
+ nsswitch/wb_common.c                 | 5 -----
+ selftest/knownfail.d/b15464_testcase | 1 -
+ 2 files changed, 6 deletions(-)
+ delete mode 100644 selftest/knownfail.d/b15464_testcase
+
+diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
+index d56e48d9bdb8..38f9f334016b 100644
+--- a/nsswitch/wb_common.c
++++ b/nsswitch/wb_common.c
+@@ -76,11 +76,6 @@ static void wb_atfork_child(void)
+ 
+ 	winbind_close_sock(ctx);
+ 	free(ctx);
+-
+-	ret = pthread_key_delete(wb_global_ctx.key);
+-	assert(ret == 0);
+-
+-	wb_global_ctx.control = (pthread_once_t)PTHREAD_ONCE_INIT;
+ }
+ 
+ static void wb_thread_ctx_destructor(void *p)
+diff --git a/selftest/knownfail.d/b15464_testcase b/selftest/knownfail.d/b15464_testcase
+deleted file mode 100644
+index 94dd7db7c2a5..000000000000
+--- a/selftest/knownfail.d/b15464_testcase
++++ /dev/null
+@@ -1 +0,0 @@
+-^b15464_testcase.run.b15464-testcase
+-- 
+2.34.1
+
+
+From 61ca2c66e0a3c837f2c542b8d9321a8d8cd03382 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 7 Sep 2023 15:59:59 +0200
+Subject: [PATCH 5/5] nsswitch/wb_common.c: fix socket fd and memory leaks of
+ global state
+
+When we are called in wb_atfork_child() or winbind_destructor(),
+wb_thread_ctx_destructor() is not called for the global state
+of the current nor any other thread, which means we would
+leak the related memory and socket fds.
+
+Now we maintain a global list protected by a global mutex.
+We traverse the list and close all socket fds, which are no
+longer used (winbind_destructor) or no longer valid in the
+current process (wb_atfork_child), in addition we 'autofree'
+the ones, which are only visible internally as global (per thread)
+context.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
+
+Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Thu Sep 14 18:53:07 UTC 2023 on atb-devel-224
+
+(cherry picked from commit 4af3faace481d23869b64485b791bdd43d8972c5)
+---
+ nsswitch/wb_common.c | 143 ++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 113 insertions(+), 30 deletions(-)
+
+diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
+index 38f9f334016b..b7f84435a4ee 100644
+--- a/nsswitch/wb_common.c
++++ b/nsswitch/wb_common.c
+@@ -26,6 +26,7 @@
+ #include "replace.h"
+ #include "system/select.h"
+ #include "winbind_client.h"
++#include "lib/util/dlinklist.h"
+ #include <assert.h>
+ 
+ #ifdef HAVE_PTHREAD_H
+@@ -37,67 +38,112 @@ static __thread char client_name[32];
+ /* Global context */
+ 
+ struct winbindd_context {
++	struct winbindd_context *prev, *next;
+ 	int winbindd_fd;	/* winbind file descriptor */
+ 	bool is_privileged;	/* using the privileged socket? */
+ 	pid_t our_pid;		/* calling process pid */
++	bool autofree;		/* this is a thread global context */
+ };
+ 
+ static struct wb_global_ctx {
+-	bool initialized;
+ #ifdef HAVE_PTHREAD
+ 	pthread_once_t control;
+ 	pthread_key_t key;
++	bool key_initialized;
++#ifdef PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP
++#define WB_GLOBAL_MUTEX_INITIALIZER PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP
+ #else
+-	bool dummy;
++#define WB_GLOBAL_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER
+ #endif
++#define WB_GLOBAL_LIST_LOCK do { \
++	int __pret = pthread_mutex_lock(&wb_global_ctx.list_mutex); \
++	assert(__pret == 0); \
++} while(0)
++#define WB_GLOBAL_LIST_UNLOCK do { \
++	int __pret = pthread_mutex_unlock(&wb_global_ctx.list_mutex); \
++	assert(__pret == 0); \
++} while(0)
++	pthread_mutex_t list_mutex;
++#else /* => not HAVE_PTHREAD */
++#define WB_GLOBAL_LIST_LOCK do { } while(0)
++#define WB_GLOBAL_LIST_UNLOCK do { } while(0)
++#endif /* not HAVE_PTHREAD */
++	struct winbindd_context *list;
+ } wb_global_ctx = {
+ #ifdef HAVE_PTHREAD
+ 	.control = PTHREAD_ONCE_INIT,
++	.list_mutex = WB_GLOBAL_MUTEX_INITIALIZER,
+ #endif
++	.list = NULL,
+ };
+ 
+ static void winbind_close_sock(struct winbindd_context *ctx);
++static void winbind_ctx_free_locked(struct winbindd_context *ctx);
++static void winbind_cleanup_list(void);
+ 
+ #ifdef HAVE_PTHREAD
+ static void wb_thread_ctx_initialize(void);
+ 
++static void wb_atfork_prepare(void)
++{
++	WB_GLOBAL_LIST_LOCK;
++}
++
++static void wb_atfork_parent(void)
++{
++	WB_GLOBAL_LIST_UNLOCK;
++}
++
+ static void wb_atfork_child(void)
+ {
+-	struct winbindd_context *ctx = NULL;
+-	int ret;
++	wb_global_ctx.list_mutex = (pthread_mutex_t)WB_GLOBAL_MUTEX_INITIALIZER;
+ 
+-	ctx = (struct winbindd_context *)pthread_getspecific(wb_global_ctx.key);
+-	if (ctx == NULL) {
+-		return;
+-	}
++	if (wb_global_ctx.key_initialized) {
++		int ret;
+ 
+-	ret = pthread_setspecific(wb_global_ctx.key, NULL);
+-	assert(ret == 0);
++		/*
++		 * After a fork the child still believes
++		 * it is the same thread as in the parent.
++		 * So pthread_getspecific() would return the
++		 * value of the thread that called fork().
++		 *
++		 * But we don't want that behavior, so
++		 * we just clear the reference and let
++		 * winbind_cleanup_list() below 'autofree'
++		 * the parent threads global context.
++		 */
++		ret = pthread_setspecific(wb_global_ctx.key, NULL);
++		assert(ret == 0);
++	}
+ 
+-	winbind_close_sock(ctx);
+-	free(ctx);
++	/*
++	 * But we need to close/cleanup the global state
++	 * of the parents threads.
++	 */
++	winbind_cleanup_list();
+ }
+ 
+ static void wb_thread_ctx_destructor(void *p)
+ {
+ 	struct winbindd_context *ctx = (struct winbindd_context *)p;
+ 
+-	winbind_close_sock(ctx);
+-	free(ctx);
++	winbindd_ctx_free(ctx);
+ }
+ 
+ static void wb_thread_ctx_initialize(void)
+ {
+ 	int ret;
+ 
+-	ret = pthread_atfork(NULL,
+-			     NULL,
++	ret = pthread_atfork(wb_atfork_prepare,
++			     wb_atfork_parent,
+ 			     wb_atfork_child);
+ 	assert(ret == 0);
+ 
+ 	ret = pthread_key_create(&wb_global_ctx.key,
+ 				 wb_thread_ctx_destructor);
+ 	assert(ret == 0);
++
++	wb_global_ctx.key_initialized = true;
+ }
+ 
+ static struct winbindd_context *get_wb_thread_ctx(void)
+@@ -123,9 +169,14 @@ static struct winbindd_context *get_wb_thread_ctx(void)
+ 	*ctx = (struct winbindd_context) {
+ 		.winbindd_fd = -1,
+ 		.is_privileged = false,
+-		.our_pid = 0
++		.our_pid = 0,
++		.autofree = true,
+ 	};
+ 
++	WB_GLOBAL_LIST_LOCK;
++	DLIST_ADD_END(wb_global_ctx.list, ctx);
++	WB_GLOBAL_LIST_UNLOCK;
++
+ 	ret = pthread_setspecific(wb_global_ctx.key, ctx);
+ 	if (ret != 0) {
+ 		free(ctx);
+@@ -142,7 +193,8 @@ static struct winbindd_context *get_wb_global_ctx(void)
+ 	static struct winbindd_context _ctx = {
+ 		.winbindd_fd = -1,
+ 		.is_privileged = false,
+-		.our_pid = 0
++		.our_pid = 0,
++		.autofree = false,
+ 	};
+ #endif
+ 
+@@ -150,9 +202,11 @@ static struct winbindd_context *get_wb_global_ctx(void)
+ 	ctx = get_wb_thread_ctx();
+ #else
+ 	ctx = &_ctx;
++	if (ctx->prev == NULL && ctx->next == NULL) {
++		DLIST_ADD_END(wb_global_ctx.list, ctx);
++	}
+ #endif
+ 
+-	wb_global_ctx.initialized = true;
+ 	return ctx;
+ }
+ 
+@@ -226,6 +280,30 @@ static void winbind_close_sock(struct winbindd_context *ctx)
+ 	}
+ }
+ 
++static void winbind_ctx_free_locked(struct winbindd_context *ctx)
++{
++	winbind_close_sock(ctx);
++	DLIST_REMOVE(wb_global_ctx.list, ctx);
++	free(ctx);
++}
++
++static void winbind_cleanup_list(void)
++{
++	struct winbindd_context *ctx = NULL, *next = NULL;
++
++	WB_GLOBAL_LIST_LOCK;
++	for (ctx = wb_global_ctx.list; ctx != NULL; ctx = next) {
++		next = ctx->next;
++
++		if (ctx->autofree) {
++			winbind_ctx_free_locked(ctx);
++		} else {
++			winbind_close_sock(ctx);
++		}
++	}
++	WB_GLOBAL_LIST_UNLOCK;
++}
++
+ /* Destructor for global context to ensure fd is closed */
+ 
+ #ifdef HAVE_DESTRUCTOR_ATTRIBUTE
+@@ -235,18 +313,18 @@ __attribute__((destructor))
+ #endif
+ static void winbind_destructor(void)
+ {
+-	struct winbindd_context *ctx;
+-
+-	if (!wb_global_ctx.initialized) {
+-		return;
++#ifdef HAVE_PTHREAD
++	if (wb_global_ctx.key_initialized) {
++		int ret;
++		ret = pthread_key_delete(wb_global_ctx.key);
++		assert(ret == 0);
++		wb_global_ctx.key_initialized = false;
+ 	}
+ 
+-	ctx = get_wb_global_ctx();
+-	if (ctx == NULL) {
+-		return;
+-	}
++	wb_global_ctx.control = (pthread_once_t)PTHREAD_ONCE_INIT;
++#endif /* HAVE_PTHREAD */
+ 
+-	winbind_close_sock(ctx);
++	winbind_cleanup_list();
+ }
+ 
+ #define CONNECT_TIMEOUT 30
+@@ -928,11 +1006,16 @@ struct winbindd_context *winbindd_ctx_create(void)
+ 
+ 	ctx->winbindd_fd = -1;
+ 
++	WB_GLOBAL_LIST_LOCK;
++	DLIST_ADD_END(wb_global_ctx.list, ctx);
++	WB_GLOBAL_LIST_UNLOCK;
++
+ 	return ctx;
+ }
+ 
+ void winbindd_ctx_free(struct winbindd_context *ctx)
+ {
+-	winbind_close_sock(ctx);
+-	free(ctx);
++	WB_GLOBAL_LIST_LOCK;
++	winbind_ctx_free_locked(ctx);
++	WB_GLOBAL_LIST_UNLOCK;
+ }
+-- 
+2.34.1

SOURCES/smb.conf.vendor

@@ -18,9 +18,6 @@
 	load printers = yes
 	cups options = raw
 
-	# Install samba-usershares package for support
-	include = /etc/samba/usershares.conf
-
 [homes]
 	comment = Home Directories
 	valid users = %S, %D%w%S

SPECS/samba.spec

@@ -138,7 +138,7 @@
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 
 %global samba_version 4.18.6
-%global baserelease 1
+%global baserelease 102
 # This should be rc1 or %%nil
 %global pre_release %nil
 
@@ -176,7 +176,7 @@
 %global tevent_version 0.14.1
 %global ldb_version 2.7.2
 
-%global required_mit_krb5 1.18
+%global required_mit_krb5 1.20.1
 
 # This is a network daemon, do a hardened build
 # Enables PIE and full RELRO protection
@@ -202,7 +202,7 @@
 
 Name:           samba
 Version:        %{samba_version}
-Release:        %{samba_release}%{?dist}
+Release:        %{samba_release}%{?dist}.alma.1
 
 %if 0%{?fedora}
 Epoch:          2
@@ -234,6 +234,16 @@ Source17:       samba-usershares-systemd-sysusers.conf
 Source201:      README.downgrade
 Source202:      samba.abignore
 
+# Patches were taken from upstream:
+# https://github.com/samba-team/samba/commit/ae476e1c28b797fe221172ed1066bf8efa476d8d
+Patch0: CVE-2023-3961.patch
+# https://github.com/samba-team/samba/commit/b1fd65694185c26f1e196d84ee8756300e631bd5
+Patch1: CVE-2023-4091.patch
+# https://github.com/samba-team/samba/commit/3cf1beed5df7d8b5d854517de7de322c6a5bc7fa
+Patch2: CVE-2023-42669.patch
+# https://github.com/samba-team/samba/commit/62af25d44e542548d8cdecb061a6001e0071ee76
+Patch3: nsswitch-add-test-for-pthread_key_delete-missuse.patch
+
 Requires(pre): /usr/sbin/groupadd
 
 Requires(pre): %{name}-common = %{samba_depver}
@@ -4328,404 +4338,596 @@ fi
 %endif
 
 %changelog
-* Thu Aug 17 2023 Andreas Schneider <asn@redhat.com> - 4.18.6-1
-- related: rhbz#2190417 - Update to version 4.18.6
-- resolves: rhbz#2232564 - Fix the rpc dsgetinfo command
+* Wed Mar 06 2024 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.6-102.alma.1
+- nsswitch: add test for pthread_key_delete missuse (bug 15464)
 
-* Thu Jul 20 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.5-0
-- resolves: rhbz#2222894 - Fix CVE-2022-2127 CVE-2023-3347 CVE-2023-34966 CVE-2023-34967 CVE-2023-34968
+* Tue Nov 07 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.6-101.alma.1
+- CVE-2023-3961 CVE-2023-4091 CVE-2023-42669
 
-* Mon Jul 17 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.4-2
-- resolves: rhbz#2222884 - Fix trust relationship between workstation and DC
+* Thu Aug 17 2023 Andreas Schneider <asn@redhat.com> - 4.18.6-100
+- related: rhbz#2190415 - Update to version 4.18.6
+- resolves: rhbz#2211617 - Fix the rpcclient dfsgetinfo command
 
-* Mon Jul 10 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.4-1
-- resolves: rhbz#2221594 - Fix broken symlink for libwbclient
-- resolves: rhbz#2221600 - Fix segfault of winbind child when listing users with `winbind scan trusted domains = yes`
-- resolves: rhbz#2175385 - Fix access of Samba share with veto files = /.*/
-- resolves: rhbz#2218237 - Fix Python tarfile extraction to avoid a warning
+* Wed Jul 19 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.5-100
+- resolves: rhbz#2222895 - Fix CVE-2022-2127 CVE-2023-3347 CVE-2023-34966 CVE-2023-34967 CVE-2023-34968
 
-* Thu Jul 06 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.4-0
-- resolves: rhbz#2190417 - Update to version 4.18.4
+* Mon Jul 17 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.4-102
+- resolves: rhbz#2222883 - Fix trust relationship between workstation and DC
 
-* Tue Jun 13 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.3-0
-- resolves: rhbz#2190417 - Update to version 4.18.3
+* Mon Jul 10 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.4-101
+- resolves: rhbz#2216712 - Fix broken symlink for libwbclient
+- resolves: rhbz#2214327 - Fix segfault of winbind child when listing users with `winbind scan trusted domains = yes`
+- resolves: rhbz#2211605 - Fix access of Samba share with veto files = /.*/
+- resolves: rhbz#2207692 - Fix Python tarfile extraction to avoid a warning
 
-* Tue Jun 06 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.2-2
-- resolves: rhbz#2190417 - Rebuild to trigger distrobaker sync
+* Thu Jul 06 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.4-100
+- resolves: rhbz#2190415 - Update to version 4.18.4
 
-* Wed May 24 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.2-1
-- resolves: rhbz#2190417 - Add missing tests to fix osci.brew-build.tier0.functional
+* Tue Jun 13 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.3-100
+- resolves: rhbz#2190415 - Update to version 4.18.3
 
-* Mon May 22 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.2-0
-- resolves: rhbz#2190417 - Update to version 4.18.2
+* Mon Jun 05 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.2-101
+- resolves: rhbz#2187313 - Fix weak dependencies in BaseOS
 
-* Wed Feb 15 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.17.5-2
-- resolves: rhbz#2169339 - Fix winbind memory leak
-- resolves: rhbz#2152899 - Fix Samba shares not accessible issue
+* Mon May 22 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.2-100
+- resolves: rhbz#2190415 - Update to version 4.18.2
 
-* Mon Feb 13 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.17.5-1
-- resolves: rhbz#2167691 - Create package samba-tools
+* Thu Apr 27 2023 Andreas Schneider <asn@redhat.com> - 4.17.5-104
+- related: rhbz#2182163 - Rebuild for liburing rebase to version 2.3
 
-* Fri Jan 27 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.17.5-0
-- related: rhbz#2132051 - Update to version 4.17.5
+* Wed Feb 15 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.17.5-102
+- resolves: rhbz#2169980 - Fix winbind memory leak
+- resolves: rhbz#2156056 - Fix Samba shares not accessible issue
 
-* Thu Dec 22 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.17.4-1
-- related: rhbz#2132051 - Create package dc-libs also for 'non-dc build'
+* Mon Feb 13 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.17.5-101
+- resolves: rhbz#2168534 - Create package samba-tools
 
-* Tue Dec 20 2022 Pavel Filipenský <pfilipenn@redhat.com> - 4.17.4-0
-- related: rhbz#2132051 - Update to version 4.17.4
-- resolves: rhbz#2154370 - Fix CVE-2022-38023
-- resolves: rhbz#2142331 - Fix %U include directive for share listing (netshareenum)
-- resolves: rhbz#2148943 - Fix Winbind to retrieve user groups from Active Directory
+* Fri Jan 27 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.17.5-100
+- related: rhbz#2131993 - Update to version 4.17.5
 
-* Wed Nov 02 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.17.2-2
+* Thu Dec 22 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.17.4-102
+- related: rhbz#2131993 - Create package dc-libs also for 'non-dc build'
+
+* Wed Dec 21 2022 Pavel Filipenský <pfilipenn@redhat.com> - 4.17.4-101
+- related: rhbz#2131993 - Rebuild for MIT Kerberos 1.20.1
+
+* Mon Dec 19 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.17.4-100
+- related: rhbz#2131993 - Update to version 4.17.4
+- resolves: rhbz#2154373 - Fix CVE-2022-38023
+- resolves: rhbz#2143196 - Fix %U include directive for share listing (netshareenum)
+- resolves: rhbz#2114884 - Fix id command to return new groups after successful user login
+- resolves: rhbz#2154885 - Fix Winbind to retrieve user groups from Active Directory
+
+* Wed Nov 02 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.17.2-103
 - Always add epoch to samba_depver to fix osci.brew-build.rpmdeplint.functional
-- related: rhbz#2132051
+- related: rhbz#2131993
 
-* Wed Oct 26 2022 Andreas Schneider <asn@redhat.com> - 4.17.2-1
-- resolves: rhbz#2132051 - Update to version 4.17.2
-- resolves: rhbz#2126174 - Fix CVE-2022-1615
-- resolves: rhbz#2108487 - ctdb: Add dependency to samba-winbind-clients
+* Wed Oct 26 2022 Andreas Schneider <asn@redhat.com> - 4.17.2-102
+- Fix CVE-2022-1615 GnuTLS gnutls_rnd() can fail and give predictable random values
+- resolves: rhbz#2126175
 
-* Thu Aug 25 2022 Andreas Schneider <asn@redhat.com> - 4.16.4-2
-- resolves: rhbz#2120956 - Do not require samba package in python3-samba
+* Wed Oct 26 2022 Andreas Schneider <asn@redhat.com> - 4.17.2-101
+- resolves: rhbz#2131993 - Update to version 4.17.2
 
-* Thu Jul 28 2022 Andreas Schneider <asn@redhat.com> - 4.16.4-1
+* Thu Aug 25 2022 Andreas Schneider <asn@redhat.com> - 4.16.4-101
+- resolves: rhbz#2121317 - Do not require samba package in python3-samba
+
+* Wed Jul 27 2022 Andreas Schneider <asn@redhat.com> - 4.16.4-100
 - Rebase to version 4.16.4
-- resolves: rhbz#2108331 - Fix CVE-2022-32742
+- resolves: rhbz#2108332 - Fix CVE-2022-32742
 
-* Mon Jul 18 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.16.3-0
-- related: rhbz#2077468 - Rebase Samba to 4.16.3
-- resolves: rhbz#2106672 - The pcap background queue process should not be stopped
-- resolves: rhbz#2106263 - Fix crash in rpcd_classic
-- resolves: rhbz#2100093 - Fix net ads info returns LDAP server and LDAP server name
+* Mon Jul 18 2022 Pavel Filipenský <pfilipen@redhat.com> -  4.16.3-101
+- related: rhbz#2077487 - Rebase Samba to 4.16.3
+- resolves: rhbz#2097655 - The pcap background queue process should not be stopped
+- resolves: rhbz#2100105 - Fix net ads info LDAP server and LDAP server name
 
-* Tue Jun 14 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.16.2-1
-- resolves: rhbz#2084162 - Fix printer displays only after 300 seconds timeout
+* Wed Jul 13 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.16.2-102
+- resolves: rhbz#2106279 - Fix crash in rpcd_classic
 
-* Mon Jun 13 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.16.2-0
+* Tue Jun 14 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.16.2-101
+- resolves: rhbz#2093833 - Fix weak dependency on logrotate
+- resolves: rhbz#2096813 - Fix printer displays only after 300 seconds timeout
+
+* Mon Jun 13 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.16.2-100
 - Fix rpminspect abidiff
-- related: rhbz#2077468 - Rebase Samba to 4.16.2
+- related: rhbz#2077487 - Rebase Samba to 4.16.2
 
-* Mon May 02 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.16.1-0
-- Update to Samba 4.16.1
-- resolves: rhbz#2077468 Rebase Samba to the the latest 4.16.x release
+* Mon May 02 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.16.1-100
+- resolves: rhbz#2077487 - Rebase Samba to the the latest 4.16.x release
 
-* Wed Apr 27 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-8
-- resolves: rhbz#2070522 - Fix UPNs handling in lookup_name*() calls
+* Wed Apr 27 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-108
+- resolves: rhbz#2078838 - Fix UPNs handling in lookup_name*() calls
 
-* Wed Apr 20 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-7
-- resolves: rhbz#2076505 - PAM Kerberos authentication fails with a clock skew error
+* Wed Apr 20 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-106
+- resolves: rhbz#2065376 - Fix 'create krb5 conf = yes` when a KDC has a single IP address.
+- resolves: rhbz#2076504 - PAM Kerberos authentication fails with a clock skew error
 
-* Wed Apr 13 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-6
-- resolves: rhbz#2059151 - Fix username map for unix groups
-- resolves: rhbz#2065212 - Fix 'create krb5 conf = yes` when a KDC has a single IP address.
+* Wed Apr 13 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-105
+- resolves: rhbz#2074891 - Fix username map for unix groups
 
-* Thu Feb 24 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-4
-- resolves: rhbz#2057503 - Fix winbind kerberos ticket refresh
+* Thu Feb 24 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-104
+- resolves: rhbz#2057500 - Fix winbind kerberos ticket refresh
 
-* Mon Feb 21 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-3
-- related: rhbz#1979959 - Fix typo in testparm output
+* Mon Feb 21 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-103
+- related: rhbz#2044231 - Fix typo in testparm output
 
-* Thu Feb 17 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-2
-- resolves: rhbz#1979959 - Improve idmap autorid sanity checks and documentation
+* Thu Feb 17 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-102
+- resolves: rhbz#2044231 - Improve idmap autorid sanity checks and documentation
 
-* Mon Feb 14 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-1
-- resolves: #1995849 - [RFE] Change change password change prompt phrasing
-- resolves: #2029417 - virusfilter_vfs_openat: Not scanned: Directory or special file 
+* Mon Feb 14 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-101
+- resolves: #2050111 - [RFE] Change change password change prompt phrasing
+- resolves: #2054110 - virusfilter_vfs_openat: Not scanned: Directory or special file
 
-* Wed Feb 02 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-0
-- Update to Samba 4.15.5
-- related: rhbz#2013596 - Rebase Samba to the the latest 4.15.x release
-- resolves: rhbz#2046127 - Fix CVE-2021-44141
-- resolves: rhbz#2046153 - Fix CVE-2021-44142
-- resolves: rhbz#2044404 - Printing no longer works on Windows 7
-- resolves: rhbz#2043154 - Fix systemd notifications
-- resolves: rhbz#2049602 - Disable NTLMSSP for ldap client connections (e.g. libads)
+* Wed Feb 02 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-100
+- related: rhbz#2013578 - Rebase Samba to the the latest 4.15.x release
+- resolves: #2046129 - Fix CVE-2021-44141
+- resolves: #2046154 - Fix CVE-2021-44142
+- resolves: #2044405 - Fix printing no longer works on Windows 7
+- resolves: #2049485 - Fix systemd notifications
+- resolves: #2049604 - Disable NTLMSSP for ldap client connections
 
-* Fri Jan 21 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.4-0
-- Update to Samba 4.15.4
-- related: rhbz#2013596 - Rebase Samba to the the latest 4.15.x release
-- resolves: rhbz#2039153 - Fix CVE-2021-20316
-- resolves: rhbz#1912549 - Winexe: Kerberos flag not invoking Kerberos Auth
-- resolves: rhbz#2039157 - Fix CVE-2021-43566
-- resolves: rhbz#2038148 - Failed to authenticate users after upgrade samba package to release samba-4.14.5-7
-- resolves: rhbz#2035528 - [smb] Segmentation fault when joining the domain
-- resolves: rhbz#2038796 - filename_convert_internal: open_pathref_fsp [xxx] failed: NT_STATUS_ACCESS_DENIED 
+* Mon Jan 24 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.4-100
+- related: rhbz#2013578 - Rebase Samba to the the latest 4.15.x release
+- resolves: #2039154 - Fix CVE-2021-20316
+- resolves: #2044238 - Failed to authenticate users after upgrade samba package to release samba-4.14.5-7x
+- resolves: #2044239 - [smb] Segmentation fault when joining the domain
+- resolves: #2044241 - filename_convert_internal: open_pathref_fsp [xxx] failed: NT_STATUS_ACCESS_DENIED
+- resolves: #2044255 - Fix CVE-2021-43566
 
-* Thu Dec 16 2021 Pavel Filipenský <pfilipen@redhat.com> - 4.15.3-1
-- related: rhbz#2013596 - Rebase to version 4.15.3
-- resolves: rhbz#2028029 - Fix possible null pointer dereference in winbind
-- resolves: rhbz#1912549 - Winexe: Kerberos Auth is respected via --use-kerberos=desired
+* Wed Dec 15 2021 Pavel Filipenský <pfilipen@redhat.com> - 4.15.3-1
+- related: rhbz#2013578 - Rebase to Samba 4.15.3
+- resolves: rhbz#2028026 - Fix possible null pointer dereference in winbind
+- resolves: rhbz#2033317 - Winexe: Kerberos Auth is respected via --use-kerberos=desired
 
-* Fri Dec 03 2021 Andreas Schneider <asn@redhat.com> - 4.15.2-2
-- related: rhbz#2013596 - Remove unneeded lmdb dependency
+* Fri Dec 03 2021 Andreas Schneider <asn@redhat.com> - 4.15.2-3
+- related: rhbz#2013578 - Remove unneeded lmdb dependency
 
-* Thu Nov 25 2021 Pavel Filipenský <pfilipen@redhat.com> - 4.15.2-1
-- resolves: rhbz#2013596 - Rebase to version 4.15.2
-- resolves: rhbz#1999294 - Remove noisy error message in winbindd
-- resolves: rhbz#1958881 - Don't require winbind being online for krb5 auth
-                           with one-way trusts
-- resolves: rhbz#2019461 - Fix deleting directories with dangling symlinks
+* Wed Dec 01 2021 Pavel Filipenský <pfilipen@redhat.com> - 4.15.2-2
+- resolves: rhbz#2019675 - Fix CVE-2020-25717
 
-* Mon Nov 22 2021 Andreas Schneider <asn@redhat.com> - 4.14.5-14
-- related: rbhz#2019674 - Fix CVE-2020-25717
-- Fix running ktest (selftest)
+* Wed Dec 01 2021 Pavel Filipenský <pfilipen@redhat.com> - 4.15.2-2
+- resolves: rhbz#2019669 - Fix CVE-2021-23192
 
-* Sat Nov 13 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.14.5-13
-- related: rbhz#2019674 - Fix CVE-2020-25717
-- Add missing checks for IPA DC server role
+* Wed Dec 01 2021 Pavel Filipenský <pfilipen@redhat.com> - 4.15.2-2
+- resolves: rhbz#2019663 - Fix CVE-2016-2124
 
-* Wed Nov 10 2021 Andreas Schneider <asn@redhat.com> - 4.14.5-12
-- related: rbhz#2019674 - Fix regression with 'allow trusted domains = no'
+* Mon Nov 29 2021 Pavel Filipenský <pfilipen@redhat.com> - 4.15.2-1
+- resolves: rhbz#2013578 - Rebase to Samba 4.15.2
 
-* Tue Nov 09 2021 Andreas Schneider <asn@redhat.com> - 4.14.5-11
-- resolves: rhbz#2021425 - Add missing PAC buffer types to krb5pac.idl
+* Tue Aug 31 2021 Andreas Schneider <asn@redhat.com> - 4.14.5-103
+- resolves: rhbz#1980356 - Fix winbind restart on package upgrade
 
-* Fri Nov 05 2021 Andreas Schneider <asn@redhat.com> - 4.14.4-3
-- resolves: rhbz#2019662 - Fix CVE-2016-2124
-- resolves: rhbz#2019668 - Fix CVE-2021-23192
-- resolves: rbhz#2019674 - Fix CVE-2020-25717
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0:4.14.5-102
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Tue Jul 13 2021 Andreas Schneider <asn@redhat.com> -  4.14.4-2
-- related: rhbz#1980346 - Rebuild for libtalloc 0.11.0
+* Thu Jun 24 2021 Andreas Schneider <asn@redhat.com> - 4.14.5-101
+- related: rhbz#1975690 - Create a subpackage for vfs-iouring
 
-* Thu Jun 24 2021 Andreas Schneider <asn@redhat.com> - 4.14.4-1
-- resolves: rhbz#1974792 - Create a subpackage for vfs-io-uring
-- resolves: rhbz#1965397 - Raise log level for dfs ENOENT debug message
+* Tue Jun 22 2021 Andreas Schneider <asn@redhat.com> - 4.14.5-100
+- related: rhbz#1954531 - Make sure upgrades to RHEL9 will work
 
-* Thu Jun 10 2021 Andreas Schneider <asn@redhat.com> - 4.14.4-0
-- related: rhbz#1944657 - Update to version 4.14.5
-- resolves: rhbz#1969787 - Fix memory leak in RPC server
-- resolves: rhbz#1954974 - Validate smb.conf option for domain members with testparm
-- resolves: rhbz#1963298 - Fix smbd trying to delete files with wrong permissions
-- resolves: rhbz#1890008 - Update rpcclient manpage to list all available commands
-- resolves: rhbz#1857254 - Update smbcacls manpage to document inhertance flags
+* Tue Jun 01 2021 Andreas Schneider <asn@redhat.com> - 4.14.5-0
+- related: rhbz#1954531 - Update to Samba 4.14.5
 
-* Wed May 12 2021 Andreas Schneider <asn@redhat.com> - 4.14.4-4
-- related: rhbz#1944657 - Fix possible upgrade issues
+* Thu May 20 2021 Andreas Schneider <asn@redhat.com> - 4.14.4-7
+- related: rhbz#1954531 - Fix build issues with gcc
+- resolves: rhbz#1959712 - Add iouring vfs module
 
-* Tue May 11 2021 Andreas Schneider <asn@redhat.com> - 4.14.4-2
-- resolves: rhbz#1944657 - Update to version 4.14.4
-- resolves: rhbz#1949445 - Fix CVE-2021-20254
-- resolves: rhbz#1947945 - Fix libsmbldap.so.2 not being a symbolic link
-- resolves: rhbz#1908506 - Fix creating the gencache user directory
-- resolves: rhbz#1901029 - Build the vfs_io_uring module
+* Mon May 03 2021 Andreas Schneider <asn@redhat.com> - 4.14.4-5
+* related: rhbz#1954531 - Add rpminspect.yaml
 
-* Thu Feb 04 2021 Andreas Schneider <asn@redhat.com> - 4.13.3-3
-- resolves: #1924615 - Fix a memcache bug when cache is full
-- resolves: #1924571 - Ensure that libwbclient has been updated before
-                       restarting services
+* Fri Apr 30 2021 Andreas Schneider <asn@redhat.com> - 4.14.4-2
+- related: rhbz#1954531 - Remove obsolete /var/spool/samba
 
-* Fri Jan 29 2021 Andreas Schneider <asn@redhat.com> - 4.13.3-2
-- resolves: #1909647 - Fix winbind in trust scenarios with connection issues
+* Thu Apr 29 2021 Andreas Schneider <asn@redhat.com> - 4.14.4-1
+- resolves: rhbz#1954531 - Update to Samba 4.14.4
+- resolves: rhbz#1949446 - Fix CVE-2021-20254
+- resolves: rhbz#1942378 - Disable nis support
 
-* Wed Dec 16 2020 Andreas Schneider <asn@redhat.com> - 4.13.3-1
-- related: #1878109 - Rebase Samba to version 4.13.3
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0:4.14.2-0.1
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Fri Dec 04 2020 Andreas Schneider <asn@redhat.com> - 4.13.2-5
-- resolves: #1904174 - Fix ldap timeout with 'net ads join'
+* Thu Mar 25 2021 Guenther Deschner <gdeschner@redhat.com> - 4.14.2-0
+- Update to Samba 4.14.2
+- related: #1941400, #1942496 - Security fixes for CVE-2020-27840
+- related: #1941402, #1942497 - Security fixes for CVE-2021-20277
 
-* Fri Nov 27 2020 Andreas Schneider <asn@redhat.com> - 4.13.2-4
-- resolves: #1902198 - Document weak crypto output of testparm
+* Wed Mar 24 2021 Guenther Deschner <gdeschner@redhat.com> - 4.14.1-0
+- Update to Samba 4.14.1
+- resolves: #1941400, #1942496 - Security fixes for CVE-2020-27840
+- resolves: #1941402, #1942497 - Security fixes for CVE-2021-20277
 
-* Wed Nov 25 2020 Andreas Schneider <asn@redhat.com> - 4.13.2-3
-- resolves: #1899113 - Fix following dfs links with smb clients
+* Tue Mar 09 2021 Guenther Deschner <gdeschner@redhat.com> - 4.14.0-3
+- Update to Samba 4.14.0
 
-* Tue Nov 17 2020 Andreas Schneider <asn@redhat.com> - 4.13.2-2
-- related: #1869702 - Fix spoolss crash
-- resolves: #1896736 - Fix name lookups of FreeIPA users
-- resolves: #1899113 - Fix DFS links
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2:4.14.0-0.0.rc4.2
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Mon Mar 01 2021 Guenther Deschner <gdeschner@redhat.com> - 4.14.0rc4-0
+- Update to Samba 4.14.0rc4
+
+* Thu Feb 18 2021 Guenther Deschner <gdeschner@redhat.com> - 4.14.0rc3-0
+- Update to Samba 4.14.0rc3
+
+* Thu Feb 04 2021 Guenther Deschner <gdeschner@redhat.com> - 4.14.0rc2-0
+- Update to Samba 4.14.0rc2
+
+* Wed Jan 27 2021 Guenther Deschner <gdeschner@redhat.com> - 4.14.0rc1-0
+- Update to Samba 4.14.0rc1
+
+* Tue Jan 26 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.4-0
+- Update to Samba 4.13.4
+
+* Wed Dec 16 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.3-1
+- Rebuild against krb5-1.19
+- Resolves: rhbz#1915928
+
+* Tue Dec 15 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.3-0
+- Update to Samba 4.13.3
+
+* Wed Nov 25 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.2-2
+- rhbz#1892745, rhbz#1900232: smbclient mget crashes (upstream bug 14517)
+- Merge RHEL 8.4 patches:
+  - FIPS-related enhancements
+  - FreeIPA Global Catalog patches
 
 * Tue Nov 03 2020 Andreas Schneider <asn@redhat.com> - 4.13.2-1
-- resolves: #1878109 - Rebase Samba to version 4.13.2
-- resolves: #1872833 - Add samba-winexe subpackage
-- resolves: #1891688 - Fix CVE-2020-14323
-- resolves: #1892633 - Fix CVE-2020-14318
-- resolves: #1892639 - Fix CVE-2020-14383
-- resolves: #1879835 - Fix CVE-2020-1472
-- resolves: #1888990 - Update smb.conf manpages to describe how to apply
-                       config changes.
-- resolves: #1869702 - Fix %U substitution for 'valid users' option
-- resolves: #1818038 - Improve FIPS compliance
+- Create a python3-samba-devel package to avoid unnessary dependencies
 
-* Wed Aug 12 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.12.3-12
-- resolves: #1868558 - cannot create a directory in home over SMB2, mkdirat returns EBADF
+* Tue Nov 03 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.2-0
+- Update to Samba 4.13.2
 
-* Wed Jul 22 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-11
-- resolves: #1859277 - Allow a user to use gencache
+* Thu Oct 29 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.1-0
+- Update to Samba 4.13.1
+- resolves: #1892631, #1892634 - Security fixes for CVE-2020-14318
+- resolves: #1891685, #1892628 - Security fixes for CVE-2020-14323
+- resolves: #1892636, #1892640 - Security fixes for CVE-2020-14383
 
-* Wed Jul 15 2020 Isaac Boukris <iboukris@redhat.com> - 4.12.3-10
-- related: #1856315 - Fix net-ads-join with LDAP over TLS
+* Mon Oct 26 2020 Andreas Schneider <asn@redhat.com> - 4.13.0-14
+- Fixed dbcheck running in a release tarball
+- Updated internal resolv_wrapper copy to verison 1.1.7
 
-* Tue Jul 14 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-9
-- related: #1817557 - Move DECRPC mdssvc data files to correct package
-- resolves: #1856676 - Fix lookuprids in winbind
+* Sun Oct 25 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.0-13
+- Report 'samba' daemon status back to systemd
+- Support dnspython 2.0.0 or later in samba_dnsupdate
 
-* Mon Jul 13 2020 Isaac Boukris <iboukris@redhat.com> - 4.12.3-8
-- resolves: #1856315 - Fix net-ads-join with LDAP over TLS
+* Thu Oct 22 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.0-12
+- Add preliminary support for S4U operations in Samba AD DC
+  resolves: #1836630 - Samba DC: Remote Desktop cannot access files
+- Fix lookup_unix_user_name to allow lookup of realm-qualified users and groups
+  required for upcoming FreeIPA Global Catalog support
 
-* Fri Jul 10 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-7
-- resolves: #1855711 - Fix 'require_membership_of' documentation in
-                       pam_winbind manpage
+* Tue Sep 22 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0-11
+- Update to Samba 4.13.0
 
-* Thu Jul 09 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-6
-- related: #1842844 - Fix TLS connections with GnuTLS
+* Fri Sep 18 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc6-10
+- Update to Samba 4.13.0rc6
+- resolves: #1879822, #1880703 - Security fixes for CVE-2020-1472
 
-* Wed Jul 01 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-5
-- resolves: #1823612 - Fix segfault in 'net ads dns gethostbyname'
-- resolves: #1792553 - Fix 'net ads join createcomputer=OU'
+* Wed Sep 16 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc5-9
+- Update to Samba 4.13.0rc5
 
-* Fri Jun 26 2020 Isaac Boukris <iboukris@redhat.com> - 4.12.3-4
-- resolves: #1850980 - Add "additional dns hostname" to keytab
-- resolves: #1850981 - Add net-ads-join dnshostname=fqdn option
+* Mon Sep 07 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc4-8
+- Update to Samba 4.13.0rc4
 
-* Fri Jun 19 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-1
-- resolves: #1666737 - Add a new smbc_readdirplus2() function to libsmbclient
-- resolves: #1842844 - Fix GnuTLS priority list for TLS connections
+* Fri Aug 28 2020 Neal Gompa <ngompa13@gmail.com> - 4.13.0rc3-6
+- Enable winexe by default everywhere
 
-* Tue Jun 02 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-0
-- resolves: #1817557 - Rebase to version 4.12.3
-- resolves: #1813833 - Fix 'net ads join createupn='
+* Fri Aug 28 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc3-5
+- Update to Samba 4.13.0rc3
 
-* Fri May 29 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.2-14
-- Rebuild with krb5 1.18
-- Resolves: #1817578 - support krb5 1.18
+* Fri Aug 14 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc2-4
+- Update to Samba 4.13.0rc2
 
-* Thu Feb 13 2020 Isaac Boukris <iboukris@redhat.com> - 4.11.2-13
-- resolves: #1802182 - Fix join using netbios name
+* Wed Aug 12 2020 Andreas Schneider <asn@redhat.com> - 4.13.0rc1-3
+- resolves: #1865831 - Add missing /usr/lib64/samba/krb5 directory
+- resolves: #1866989 - Remove obsolete python3-crypto dependency
 
-* Wed Jan 29 2020 Andreas Schneider <asn@redhat.com> - 4.11.2-12
-- related: #1781232 - Improve debug output of smbclient
-- resolves: #1794461 - Do not return bogus inode numbers in
-                       cli_qpathinfo2()/cli_qpathinfo3() for SMB1
-- resolves: #1794442 - Fix segfault in smbd_do_qfilepathinfo()
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.13.0-0.2.rc1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 
-* Thu Jan 23 2020 Isaac Boukris <iboukris@redhat.com> - 4.11.2-11
-- resolves: #1778130 - Remove usage of DES encryption types in krb5
+* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 2:4.13.0-0.2.rc1
+- Use make macros
+  https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
 
-* Fri Jan 17 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.2-10
-- resolves: #1790353 - Fix access check in DsRGetForestTrustInformation
-- resolves: #1791209 - Fix CVE-2019-14907
+* Tue Jul 14 2020 Andreas Schneider <asn@redhat.com> - 4.13.0rc1-1
+- Move mdssvc data files to correct package
 
-* Fri Jan 10 2020 Andreas Schneider <asn@redhat.com> - 4.11.2-9
-- resolves: #1785134 - Fix libwbclient manual alternative settings
+* Thu Jul 09 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc1-0
+- Update to Samba 4.13.0rc1
 
-* Fri Jan 10 2020 Andreas Schneider <asn@redhat.com> - 4.11.2-8
-- resolves: #1781232 - Fix smbclient debug message
+* Wed Jul 08 2020 Merlin Mathesius <mmathesi@redhat.com> - 4.12.5-1
+- Remove nonexistent --without-winexe option from configure
 
-* Thu Dec 12 2019 Andreas Schneider <asn@redhat.com> - 4.11.2-7
-- related: #1637861 - Fix trust creation if weak crypto is disallowed
+* Thu Jul 02 2020 Guenther Deschner <gdeschner@redhat.com> - 4.12.5-0
+- Update to Samba 4.12.5
 
-* Tue Dec 10 2019 Andreas Schneider <asn@redhat.com> - 4.11.2-6
-- resolves: #1637861 - Use GnuTLS for crypto
+* Thu Jul 02 2020 Guenther Deschner <gdeschner@redhat.com> - 4.12.4-0
+- Update to Samba 4.12.4
+- resolves: #1849489, #1853255 - Security fixes for CVE-2020-10730
+- resolves: #1849491, #1853256 - Security fixes for CVE-2020-10745
+- resolves: #1849509, #1853276 - Security fixes for CVE-2020-10760
+- resolves: #1851298, #1853259 - Security fixes for CVE-2020-14303
 
-* Thu Dec 05 2019 Andreas Schneider <asn@redhat.com> - 4.11.2-4
-- related: #1754409 - Add patch to avoid overlinking with libnsl and libsocket
-- related: #1754409 - Fix permissions for pidl
-- related: #1754409 - Fix logrotate script
-- related: #1754409 - Add missing README files
+* Sat Jun 27 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2:4.12.3-1.1
+- Perl 5.32 re-rebuild updated packages
 
-* Mon Dec 02 2019 Andreas Schneider <asn@redhat.com> - 4.11.2-3
-- related: #1754409 - Fix pidl packaging
+* Thu Jun 25 2020 Guenther Deschner <gdeschner@redhat.com> - 4.12.3-1
+- Add BuildRequires for python3-setuptools
 
-* Fri Nov 29 2019 Andreas Schneider <asn@redhat.com> - 4.11.2-1
-- resolves: #1754409 - Rebase to Samba version 4.11.2
-- resolves: #1776312 - Winbind is not restarted on upgrade
-- resolves: #1764469 - Fix CVE-2019-10218
-- resolves: #1746241 - Fix CVE-2019-10197
-- resolves: #1710980 - Add support for KCM ccache in pam_winbind
+* Thu Jun 25 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2:4.12.3-0.4
+- Perl 5.32 rebuild
 
-* Wed Oct 23 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-101
-- related: #1760824 - Removed additional issues with overlinking
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 2:4.12.3-0.3
+- Rebuilt for Python 3.9
 
-* Fri Oct 11 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-100
-- resolves: #1754575 - Avoid overlinking with librt and libpthread
-- resolves: #1755440 - Fix forest trusts enumeration
-- resolves: #1755445 - Fix CUPS username/password authentication with smbspool
+* Tue May 19 2020 Guenther Deschner <gdeschner@redhat.com> - 4.12.3-0
+- Update to Samba 4.12.3
 
-* Wed Jun 19 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-1
-- resolves: #1712378 - Fix smbspool CUPS backend
-- resolves: #1696612 - Fix 'net ads join -U admin@parentdomain'
+* Fri May 15 2020 Pete Walter <pwalter@fedoraproject.org> - 2:4.12.2-1.2
+- Rebuild for ICU 67
 
-* Thu May 23 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-0
-- related: #1638001 - Rebase to Samba version 4.10.4
-- resolves: #1597298 - Build Samba with python3
-- resolves: #1658558 - Add 'net ads leave --keep-account' option
-- resolves: #1669004 - Fix systemd status notifications
-- resolves: #1672167 - Fix printing cache timeout in debug output
-- resolves: #1696525 - Fix CVE-2019-3880
+* Wed May 13 2020 Guenther Deschner <gdeschner@redhat.com> - 4.12.2-1
+- Add support for building the new experimental io_uring VFS module
 
-* Fri May 17 2019 Andreas Schneider <asn@redhat.com> - 4.10.3-0
-- related: #1638001 - Rebase to Samba version 4.10.3
+* Tue Apr 28 2020 Guenther Deschner <gdeschner@redhat.com> - 4.12.2-0
+- Update to Samba 4.12.2
+- resolves: #1825731, #1828870 - Security fixes for CVE-2020-10700
+- resolves: #1825734, #1828872 - Security fixes for CVE-2020-10704
 
-* Fri May 10 2019 Andreas Schneider <asn@redhat.com> - 4.10.2-1
-- related: #1638001 - Fix package upgrades
+* Sun Apr 12 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.12.1-1
+- Revert POSIX stat tuning in libsmbclient
+- Resolves: rhbz#1801442
 
-* Mon May 06 2019 Andreas Schneider <asn@redhat.com> - 4.10.2-0
-- resolves: #1638001 - Rebase Samba to version 4.10
+* Tue Apr 07 2020 Guenther Deschner <gdeschner@redhat.com> - 4.12.1-0
+- Update to Samba 4.12.1
 
-* Thu Jan 03 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-8
-- resolves: #1663421 - Fix perl interpreter dependencies
+* Sat Mar 21 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.12.0-6
+- Fix samba_requires_eq macro definition
+- Resolves rhbz#1815739
 
-* Wed Dec 19 2018 Andreas Schneider <asn@redhat.com> - 4.9.1-7
-- resolves: #1658690 - Add smbc_setOptionProtocols()
-- resolves: #1658678 - Fix spoolss client operations against Windows
+* Tue Mar 10 2020 Guenther Deschner <gdeschner@redhat.com> - 4.12.0-5
+- Add build requirement for perl-FindBin
+- resolves: #1661213 - Add winexe subpackage for remote windows command execution
 
-* Mon Dec 10 2018 Andreas Schneider <asn@redhat.com> - 4.9.1-6
-- resolves: #1642092 - Harden [homes] share export
-- resolves: #1648846 - Fix out of bound array access in ctdb
-- resolves: #1657266 - Fix tmp directory creation in /run
+* Tue Mar 03 2020 Guenther Deschner <gdeschner@redhat.com> - 4.12.0-3
+- Update to Samba 4.12.0
 
-* Fri Nov 09 2018 Andreas Schneider <asn@redhat.com> - 4.9.1-5
-- resolves: #1644327 - Segfault if wrong 'passdb backend' is configured
-- resolves: #1647959 - Segfault in the debug system with hardended build
+* Wed Feb 26 2020 Guenther Deschner <gdeschner@redhat.com> - 4.12.0rc4-2
+- Update to Samba 4.12.0rc4
 
-* Fri Sep 28 2018 Andreas Schneider <asn@redhat.com> - 4.9.1-4
-- related: #1614232 - Fix some spec file issues detected by rpmdiff
+* Wed Feb 19 2020 Guenther Deschner <gdeschner@redhat.com> - 4.12.0rc3-2
+- Update to Samba 4.12.0rc3
 
-* Wed Sep 26 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.1-3
-- Temporarily remove smbtorture from samba-test due to Python 2 linkage
-- related: #1609661 - samba-test package cannot be installed due to unresolved dependencies
+* Tue Feb 04 2020 Guenther Deschner <gdeschner@redhat.com> - 4.12.0rc2-2
+- Update to Samba 4.12.0rc2
 
-* Wed Sep 26 2018 Andreas Schneider <asn@redhat.com> - 4.9.1-2
-- related: #1614232 - Add CTDB examples with a config migration script
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.12.0-0.1.rc1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
-* Tue Sep 25 2018 Andreas Schneider <asn@redhat.com> - 4.9.1-1
-- resolves: #1614232 - Update to Samba 4.9.1
+* Fri Jan 24 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.12.0.rc1-1
+- Allow building against krb5 1.18 beta and require it for Rawhide
+
+* Wed Jan 22 2020 Guenther Deschner <gdeschner@redhat.com> - 4.12.0rc1-0
+- Update to Samba 4.12.0rc1
+
+* Tue Jan 21 2020 Guenther Deschner <gdeschner@redhat.com> - 4.11.5-0
+- Update to Samba 4.11.5
+- resolves: #1791201, #1793405 - Security fixes for CVE-2019-14902
+- resolves: #1791207, #1793407 - Security fixes for CVE-2019-14907
+- resolves: #1791204, #1793406 - Security fixes for CVE-2019-19344
+
+* Mon Dec 16 2019 Guenther Deschner <gdeschner@redhat.com> - 4.11.4-0
+- Update to Samba 4.11.4
+
+* Tue Dec 10 2019 Guenther Deschner <gdeschner@redhat.com> - 4.11.3-0
+- Update to Samba 4.11.3
+- resolves: #1778586, #1781542 - Security fixes for CVE-2019-14861
+- resolves: #1778589, #1781545 - Security fixes for CVE-2019-14870
+
+* Thu Dec 05 2019 Andreas Schneider <asn@redhat.com> - 4.11.2-2
+- Restart winbindd on samba-winbind package upgrade
+
+* Wed Nov 06 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.2-1
+- Update DES removal patch
+
+* Tue Oct 29 2019 Guenther Deschner <gdeschner@redhat.com> - 4.11.2-0
+- Update to Samba 4.11.2
+- resolves: #1763137, #1766558 - Security fixes for CVE-2019-10218
+- resolves: #1764126, #1766559 - Security fixes for CVE-2019-14833
+
+* Sun Oct 27 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.1-1
+- resolves: #1757071 - Deploy new samba DC fails
+
+* Fri Oct 18 2019 Guenther Deschner <gdeschner@redhat.com> - 4.11.1-0
+- Update to Samba 4.11.1
+
+* Tue Sep 17 2019 Guenther Deschner <gdeschner@redhat.com> - 4.11.0-3
+- Update to Samba 4.11.0
+
+* Wed Sep 11 2019 Guenther Deschner <gdeschner@redhat.com> - 4.11.0rc4-2
+- Update to Samba 4.11.0rc4
+
+* Tue Sep 03 2019 Guenther Deschner <gdeschner@redhat.com> - 4.11.0rc3-2
+- Update to Samba 4.11.0rc3
+- resolves: #1746225, #1748308 - Security fixes for CVE-2019-10197
+
+* Tue Aug 27 2019 Guenther Deschner <gdeschner@redhat.com> - 4.11.0rc2-2
+- resolves: #1746014 - re-add pidl
+
+* Mon Aug 26 2019 Lubomir Rintel <lkundrak@v3.sk> - 2:4.11.0-0.1.rc2
+- Move the NetworkManager dispatcher script out of /etc
+
+* Wed Aug 21 2019 Guenther Deschner <gdeschner@redhat.com> - 4.11.0rc2-0
+- Update to Samba 4.11.0rc2
+
+* Tue Aug 20 2019 Guenther Deschner <gdeschner@redhat.com> - 4.11.0rc1-0
+- Update to Samba 4.11.0rc1
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 2:4.10.6-1.1
+- Rebuilt for Python 3.8
+
+* Fri Aug 16 2019 Alexander Bokovoy <abokovoy@redhat.com> - 2:4.10.6-1
+- Fix Samba bug https://bugzilla.samba.org/show_bug.cgi?id=14091
+- Fixes: Windows systems cannot resolve IPA users and groups over LSA RPC
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.10.6-0.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Jul 08 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.6-0
+- Update to Samba 4.10.6
+
+* Mon Jul 01 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.5-2
+- resolves: #1718113 - Avoid deprecated time.clock in wafsamba
+- resolves: #1711638 - Update to latest waf version 2.0.17
+
+* Thu Jun 20 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.5-1
+- resolves: #1602824 - Make vfs_fruit operable with other remote VFS modules
+- resolves: #1716455 - Avoid pathconf() in get_real_filename() VFS calls
+- resolves: #1706090, #1700791 - Fix smbspool
+
+* Wed Jun 19 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.5-0
+- Update to Samba 4.10.5
+- resolves: #1711816, #1721872 - Security fixes for CVE-2019-12435
+- resolves: #1711837, #1721873 - Security fixes for CVE-2019-12436
+
+* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2:4.10.4-1.1
+- Perl 5.30 rebuild
+
+* Tue May 28 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.4-1
+- Add missing ctdb directories
+- resolves: #1656777
+
+* Wed May 22 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.4-0
+- Update to Samba 4.10.4
+
+* Tue May 14 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.3-0
+- Update to Samba 4.10.3
+- resolves: #1705877, #1709679 - Security fixes for CVE-2018-16860
+
+* Mon Apr 15 2019 Andreas Schneider <asn@redhat.com> - 4.10.2-1
+- resolves: #1699230 - Rebuild for MIT Kerberos soname bump of libkadm5srv
+
+* Mon Apr 08 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.2-0
+- Update to Samba 4.10.2
+- resolves: #1689010, #1697718 - Security fixes for CVE-2019-3870
+- resolves: #1691518, #1697717 - Security fixes for CVE-2019-3880
+
+* Wed Apr 03 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.1-0
+- Update to Samba 4.10.1
+
+* Mon Mar 25 2019 Andreas Schneider <asn@redhat.com> - 4.10.0-6
+- resolves: #1692347 - Add missing DC requirement for its python3 tools
+
+* Wed Mar 20 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.0-5
+- Fix build failure (duplication during install)
+
+* Tue Mar 19 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.0-4
+- Update to Samba 4.10.0
+
+* Wed Mar 06 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.0rc4-2
+- Update to Samba 4.10.0rc4
+
+* Fri Feb 22 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.0rc3-2
+- Update to Samba 4.10.0rc3
+
+* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2:4.10.0-0.2.rc2.1
+- Rebuild for readline 8.0
+
+* Thu Feb 14 2019 Andreas Schneider <asn@redhat.com> - 4.10.0rc2-2
+- resolves: #1672231 - Fix public NDR API
+
+* Tue Feb 12 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.0rc2-1
+- resolves: #1674547 - Move samba.xattr modules out of python3 test package
+
+* Wed Feb 06 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.0rc2-0
+- Update to Samba 4.10.0rc2
+
+* Tue Jan 15 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.0rc1-0
+- Update to Samba 4.10.0rc1
+
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 2:4.9.4-0.1
+- Rebuilt for libcrypt.so.2 (#1666033)
+
+* Thu Dec 20 2018 Guenther Deschner <gdeschner@redhat.com> - 4.9.4-0
+- Update to Samba 4.9.4
+
+* Tue Nov 27 2018 Guenther Deschner <gdeschner@redhat.com> - 4.9.3-0
+- Update to Samba 4.9.3
+- resolves: #1625449, #1654078 - Security fixes for CVE-2018-14629
+- resolves: #1642545, #1654082 - Security fixes for CVE-2018-16841
+- resolves: #1646377, #1654091 - Security fixes for CVE-2018-16851
+- resolves: #1646386, #1654092 - Security fixes for CVE-2018-16852
+- resolves: #1647246, #1654093 - Security fixes for CVE-2018-16853
+- resolves: #1649278, #1654095 - Security fixes for CVE-2018-16857
+
+* Thu Nov 08 2018 Guenther Deschner <gdeschner@redhat.com> - 4.9.2-0
+- Update to Samba 4.9.2
+
+* Wed Sep 26 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.1-2
+- Package ctdb/doc/examples
+
+* Mon Sep 24 2018 Andreas Schneider <asn@redhat.com> - 4.9.1-1
+- Update to Samba 4.9.1
+
+* Thu Sep 13 2018 Guenther Deschner <gdeschner@redhat.com> - 4.9.0-4
+- Update to Samba 4.9.0
 
 * Thu Sep 06 2018 Andreas Schneider <asn@redhat.com> - 4.9.0rc5-3
-- related: #1614232 - Update to Samba 4.9.0rc5
-- resolves: #1610909 - Re-enable glubsterfs vfs module
-- resolves: #1624170 - Build with -fstack-protectore-strong if available
-- resolves: #1602685 - Fixed issues found by covscan
+- Update to Samba 4.9.0rc5
 
-* Fri Aug 17 2018 Andreas Schneider <asn@redhat.com> - 4.9.0rc3-3
-- related: #1614232 - Update to Samba 4.9.0rc3
-- resolves: #1554753 - Fix CVE-2018-1050
-- resolves: #1617912 - Fix CVE-2018-10858
-- resolves: #1617913 - Fix CVE-2018-10918
-- resolves: #1617914 - Fix CVE-2018-10919
-- resolves: #1617915 - Fix CVE-2018-1139
-- resolves: #1612522 - Manpage fixes
+* Wed Aug 29 2018 Guenther Deschner <gdeschner@redhat.com> - 4.9.0rc4-3
+- Update to Samba 4.9.0rc4
+
+* Thu Aug 16 2018 Andreas Schneider <asn@redhat.com> - 4.9.0rc3-3
+- Fix python3 packaging
+
+* Wed Aug 15 2018 Guenther Deschner <gdeschner@redhat.com> - 4.9.0rc3-2
+- Update to Samba 4.9.0rc3
+- resolves: #1589651, #1617916 - Security fixes for CVE-2018-1139
+- resolves: #1580230, #1618613 - Security fixes for CVE-2018-1140
+- resolves: #1612805, #1618697 - Security fixes for CVE-2018-10858
+- resolves: #1610640, #1617910 - Security fixes for CVE-2018-10918
+- resolves: #1610645, #1617911 - Security fixes for CVE-2018-10919
 
 * Wed Aug 01 2018 Andreas Schneider <asn@redhat.com> - 4.9.0rc2-2
+- Add some spec file cleanups
+
+* Wed Aug 01 2018 Guenther Deschner <gdeschner@redhat.com> - 4.9.0rc2-0
 - Update to Samba 4.9.0rc2
 
-* Fri Jul 27 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0rc1-2
-- Do not package Python 2 artefacts by default
-
-* Sat Jul 21 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0rc1-1
-- Don't build dns and dsdb-related modules without AD DC
-
-* Fri Jul 13 2018 Guenther Deschner <gdeschner@redhat.com> - 4.9.0rc1-0
+* Thu Jul 12 2018 Guenther Deschner <gdeschner@redhat.com> - 4.9.0rc1-0
 - Update to Samba 4.9.0rc1
 
-* Mon Jul 02 2018 Petr Viktorin <pviktori@redhat.com> - 4.8.3-2
-- Use %%{__python2}, not "python", as the Python2 interpreter
-- Add workaround to allow building with Python 2
-- Change unversioned python macros to python2
-- Disable gluster temporarily
+* Thu Jul 12 2018 Alexander Bokovoy <abokovoy@redhat.com> - 2:4.8.3-4.1
+- Scope to local __bss_start symbol (typo in a patch)
+- Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1600035
+
+* Thu Jul 12 2018 Alexander Bokovoy <abokovoy@redhat.com> - 2:4.8.3-4
+- Change scope to local for symbols automatically added by upcoming binutils 2.31
+- Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1600035
+
+* Wed Jul 11 2018 Alexander Bokovoy <abokovoy@redhat.com> - 2:4.8.3-3
+- Rebuild Samba against binutils 2.30.90-2.fc29
+- Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1600035
+- Add explicit BuildRequires for gcc
+
+* Fri Jul 06 2018 Petr Pisar <ppisar@redhat.com>
+- Perl 5.28 rebuild
+
+* Thu Jul 05 2018 Alexander Bokovoy <abokovoy@redhat.com> - 2:4.8.3-2
+- Fix rawhide build by explicitly using /usr/bin/python2
+
+* Tue Jul 03 2018 Petr Pisar <ppisar@redhat.com>
+- Perl 5.28 rebuild
+
+* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 2:4.8.3-1.2
+- Rebuilt for Python 3.7
+
+* Thu Jun 28 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2:4.8.3-1.1
+- Perl 5.28 rebuild
 
 * Tue Jun 26 2018 Andreas Schneider <asn@redhat.com> - 4.8.3-1
 - Update to Samba 4.8.3