diff -Nru samba-3.6.25/debian/changelog samba-3.6.25/debian/changelog
--- samba-3.6.25/debian/changelog 2016-04-12 11:21:21.000000000 +0000
+++ samba-3.6.25/debian/changelog 2016-05-03 17:28:50.000000000 +0000
@@ -1,3 +1,19 @@
+samba (2:3.6.25-0ubuntu0.12.04.3) precise-security; urgency=medium
+
+ * SECURITY REGRESSION: Add additional backported commits to fix
+ regressions in the previous security updates. (LP: #1577739)
+ - debian/patches/security_trailer_regression.patch: fix a regression
+ verifying the security trailer in source3/rpc_server/srv_pipe.c.
+ - debian/patches/bug9669_regression.patch: fix a crash when running
+ net rpc join against an older Samba PDC in
+ source3/rpc_client/cli_pipe.c.
+ - debian/patches/netlogon_credentials_regression.patch: fix updating
+ netlogon credentials in source3/rpc_client/cli_pipe.c.
+ - Thanks to Andreas Schneider for the additional backports to
+ Samba 3.6!
+
+ -- Marc Deslauriers Tue, 03 May 2016 12:51:09 -0400
+
 samba (2:3.6.25-0ubuntu0.12.04.2) precise-security; urgency=medium
 
 * SECURITY UPDATE: fix multiple security issues
diff -Nru samba-3.6.25/debian/patches/bug9669_regression.patch samba-3.6.25/debian/patches/bug9669_regression.patch
--- samba-3.6.25/debian/patches/bug9669_regression.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-3.6.25/debian/patches/bug9669_regression.patch 2016-05-03 16:36:45.000000000 +0000
@@ -0,0 +1,37 @@
+From 0abef6992dc342d443137f8a2ac6c01f490cecee Mon Sep 17 00:00:00 2001
+From: Christian Ambach
+Date: Wed, 20 Feb 2013 16:59:05 +0100
+Subject: [PATCH] s3:rpc_client fix a crash
+
+state->cli->dc does not have to be set (e.g. when running
+net rpc join against an older Samba PDC), so check it before dereferencing it
+
+This fixes Bug 9669 - net rpc join crashes against a Samba 3.0.33 PDC
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=9669
+
+Signed-off-by: Christian Ambach
+Reviewed-by: Andreas Schneider
+
+Autobuild-User(master): Christian Ambach
+Autobuild-Date(master): Wed Feb 20 19:00:52 CET 2013 on sn-devel-104
+(cherry picked from commit 3d29bb2d37b02909ecb500e864f3c13e06957a86)
+
+(cherry picked from commit ff658bb36c28c9db91fc80a68725e893ffe300aa)
+---
+ source3/rpc_client/cli_pipe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: samba-3.6.25/source3/rpc_client/cli_pipe.c
+===================================================================
+--- samba-3.6.25.orig/source3/rpc_client/cli_pipe.c 2016-05-03 12:36:41.042457184 -0400
++++ samba-3.6.25/source3/rpc_client/cli_pipe.c 2016-05-03 12:36:41.038457186 -0400
+@@ -2276,7 +2276,7 @@
+ status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
+ TALLOC_FREE(subreq);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+- if (state->cli->dc->negotiate_flags &
++ if (state->cli->dc && state->cli->dc->negotiate_flags &
+ NETLOGON_NEG_SUPPORTS_AES) {
+ DEBUG(5, ("AES is not supported and the error was %s\n",
+ nt_errstr(status)));
diff -Nru samba-3.6.25/debian/patches/netlogon_credentials_regression.patch samba-3.6.25/debian/patches/netlogon_credentials_regression.patch
--- samba-3.6.25/debian/patches/netlogon_credentials_regression.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-3.6.25/debian/patches/netlogon_credentials_regression.patch 2016-05-03 16:36:56.000000000 +0000
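Review bot: In bug9669_regression.patch, the new condition `state->cli->dc && state->cli->dc->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES` silently skips the AES consistency branch whenever `dc` is NULL, and nothing at that line records that the skip is intentional. Judging by the debug message, the branch handles a peer that answers NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE although AES was negotiated, so I would document the skip with a comment such as `/* dc may be unset (e.g. older Samba PDC): no negotiated flags to compare against */`. The mixed `&&`/`&` also leans on operator precedence; `if (state->cli->dc != NULL && (state->cli->dc->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {` reads unambiguously. The rest of the branch lies outside the hunk, so what the fall-through path accepts when `dc` is NULL should be confirmed there.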
@@ -0,0 +1,55 @@
+From 2d0424e7bb2c30bf9049529b207c73b55370dfc8 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Tue, 10 Jan 2012 16:38:16 +0100
+Subject: [PATCH] s3-rpc_client: Fix updating netlogon credentials.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Günther Deschner
+(cherry picked from commit 33206b1e240e55acedad606aed4f1952f7496b35)
+---
+ source3/rpc_client/cli_pipe.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+Index: samba-3.6.25/source3/rpc_client/cli_pipe.c
+===================================================================
+--- samba-3.6.25.orig/source3/rpc_client/cli_pipe.c 2016-05-03 12:36:52.810453161 -0400
++++ samba-3.6.25/source3/rpc_client/cli_pipe.c 2016-05-03 12:36:52.806453162 -0400
+@@ -2268,9 +2268,6 @@
+ struct rpc_pipe_bind_state *state =
+ tevent_req_data(req,
+ struct rpc_pipe_bind_state);
+- struct schannel_state *schannel_auth =
+- talloc_get_type_abort(state->cli->auth->auth_ctx,
+- struct schannel_state);
+ NTSTATUS status;
+
+ status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
+@@ -2328,8 +2325,8 @@
+ return;
+ }
+
+- TALLOC_FREE(schannel_auth->creds);
+- schannel_auth->creds = talloc_steal(state->cli, state->creds);
++ TALLOC_FREE(state->cli->dc);
++ state->cli->dc = talloc_steal(state->cli, state->creds);
+
+ if (!NT_STATUS_IS_OK(state->r.out.result)) {
+ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
+@@ -3526,10 +3523,12 @@
+ * The credentials on a new netlogon pipe are the ones we are passed
+ * in - copy them over
+ */
+- result->dc = netlogon_creds_copy(result, *pdc);
+ if (result->dc == NULL) {
+- TALLOC_FREE(result);
+- return NT_STATUS_NO_MEMORY;
++ result->dc = netlogon_creds_copy(result, *pdc);
++ if (result->dc == NULL) {
++ TALLOC_FREE(result);
++ return NT_STATUS_NO_MEMORY;
++ }
+ }
+
+ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
diff
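Review bot: In the third hunk of netlogon_credentials_regression.patch (near line 3526 of cli_pipe.c), the retained comment `The credentials on a new netlogon pipe are the ones we are passed in - copy them over` no longer matches the code, because the new `if (result->dc == NULL)` guard copies `*pdc` only when `result->dc` is still unset. Presumably the bind step changed in the second hunk (`state->cli->dc = talloc_steal(state->cli, state->creds);`) has already stored updated credentials there, so the comment should say so, e.g. `* Keep the credentials stored during the bind; copy the passed-in ones only if none were set`. The second hunk also frees the previous `state->cli->dc` before replacing it, so any holder of the old pointer would be left with a dangling reference. That cannot be checked from these hunks, whose enclosing functions start and end outside them.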
-Nru samba-3.6.25/debian/patches/security_trailer_regression.patch samba-3.6.25/debian/patches/security_trailer_regression.patch
--- samba-3.6.25/debian/patches/security_trailer_regression.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-3.6.25/debian/patches/security_trailer_regression.patch 2016-05-03 16:36:33.000000000 +0000
@@ -0,0 +1,36 @@
+From 82fa625540abf8b8ec23d43c41e2ca906a9928a5 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Fri, 15 Apr 2016 11:56:08 +0200
+Subject: [PATCH] s3:rpc_server: Fix a regression verifying the security
+ trailer
+
+We do not support header signing so we should not check verify it if a
+client sends the flag.
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Guenther Deschner
+---
+ source3/rpc_server/srv_pipe.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+Index: samba-3.6.25/source3/rpc_server/srv_pipe.c
+===================================================================
+--- samba-3.6.25.orig/source3/rpc_server/srv_pipe.c 2016-05-03 12:36:30.854463862 -0400
++++ samba-3.6.25/source3/rpc_server/srv_pipe.c 2016-05-03 12:36:30.846463868 -0400
+@@ -1748,7 +1748,6 @@
+ {
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct dcerpc_sec_verification_trailer *vt = NULL;
+- const uint32_t bitmask1 = 0;
+ const struct dcerpc_sec_vt_pcontext pcontext = {
+ .abstract_syntax = pipe_fns->syntax,
+ .transfer_syntax = ndr_transfer_syntax,
+@@ -1769,7 +1768,7 @@
+ goto done;
+ }
+
+- ret = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
++ ret = dcerpc_sec_verification_trailer_check(vt, NULL,
+ &pcontext, &header2);
+ done:
+ TALLOC_FREE(frame);
diff -Nru samba-3.6.25/debian/patches/series samba-3.6.25/debian/patches/series
--- samba-3.6.25/debian/patches/series 2016-04-11 16:46:21.000000000 +0000
+++ samba-3.6.25/debian/patches/series 2016-05-03 16:36:51.000000000 +0000
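Review bot: In security_trailer_regression.patch, the call `dcerpc_sec_verification_trailer_check(vt, NULL, &pcontext, &header2)` relaxes a security check with no comment at the call site; the reason is given only in the commit message. A later reader may take the `NULL` for an omission and restore the bitmask comparison, so I would add above the call `/* No bitmask1 check: header signing is not supported, so a client-sent flag must not fail verification. */`. The `pcontext` and `header2` arguments are still passed, so those parts of the trailer presumably remain verified. The enclosing function starts and ends outside the hunks, so that should be confirmed against the checker itself.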
@@ -25,3 +25,6 @@
 CVE-2016-2115-v3-6.patch
 CVE-2016-2118-v3-6.patch
 CVE-2015-5370-v3-6.patch
+security_trailer_regression.patch
+bug9669_regression.patch
+netlogon_credentials_regression.patch