diff -Nru samba-3.6.3/debian/changelog samba-3.6.3/debian/changelog
--- samba-3.6.3/debian/changelog 2016-02-15 17:43:28.000000000 +0000
+++ samba-3.6.3/debian/changelog 2016-03-07 12:15:03.000000000 +0000
@@ -1,3 +1,21 @@
+samba (2:3.6.3-2ubuntu2.17) precise-security; urgency=medium
+
+ * SECURITY UPDATE: incorrect ACL get/set allowed on symlink path
+ - debian/patches/CVE-2015-7560.patch: properly handle symlinks in
+ source3/smbd/nttrans.c, source3/smbd/trans2.c.
+ - CVE-2015-7560
+ * SECURITY UPDATE: clickjacking vulnerability in SWAT
+ - debian/patches/security-CVE-2013-0213.patch: use X-Frame-Options
+ header in source3/web/swat.c.
+ - CVE-2013-0213
+ * SECURITY UPDATE: CSRF vulnerability in SWAT
+ - debian/patches/security-CVE-2013-0214.patch: use additional nonce on
+ XSRF protection in source3/web/cgi.c, source3/web/swat.c,
+ source3/web/swat_proto.h.
+ - CVE-2013-0214
+
+ -- Marc Deslauriers Mon, 07 Mar 2016 07:13:51 -0500
+
 samba (2:3.6.3-2ubuntu2.14) precise-security; urgency=medium
 
 * Fixes regression introduced by debian/patches/CVE-2015-5252.patch.
diff -Nru samba-3.6.3/debian/patches/CVE-2015-7560.patch samba-3.6.3/debian/patches/CVE-2015-7560.patch
--- samba-3.6.3/debian/patches/CVE-2015-7560.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-3.6.3/debian/patches/CVE-2015-7560.patch 2016-03-07 12:14:45.000000000 +0000
@@ -0,0 +1,166 @@
+Description: fix incorrect ACL get/set allowed on symlink path
+Origin: upstream, https://bugzilla.samba.org/show_bug.cgi?id=11648#c68
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=11648
+
+Index: samba-3.6.3/source3/smbd/nttrans.c
+===================================================================
+--- samba-3.6.3.orig/source3/smbd/nttrans.c 2016-03-07 07:10:55.487855152 -0500
++++ samba-3.6.3/source3/smbd/nttrans.c 2016-03-07 07:11:10.908012349 -0500
+@@ -859,6 +859,12 @@
+ return status;
+ }
+ 
++ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
++ DEBUG(10, ("ACL set on symlink %s denied.\n",
++ fsp_str_dbg(fsp)));
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
+ if (psd->owner_sid == NULL) {
+ security_info_sent &= ~SECINFO_OWNER;
+ }
+@@ -1886,6 +1892,12 @@
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ 
++ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
++ DEBUG(10, ("ACL get on symlink %s denied.\n",
++ fsp_str_dbg(fsp)));
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
+ if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
+ SECINFO_GROUP|SECINFO_SACL)) {
+ /* Don't return SECINFO_LABEL if anything else was
+Index: samba-3.6.3/source3/smbd/trans2.c
+===================================================================
+--- samba-3.6.3.orig/source3/smbd/trans2.c 2016-03-07 07:10:33.000000000 -0500
++++ samba-3.6.3/source3/smbd/trans2.c 2016-03-07 07:11:10.924012512 -0500
+@@ -50,6 +50,34 @@
+ files_struct *fsp,
+ const SMB_STRUCT_STAT *psbuf);
+ 
++/****************************************************************************
++ Check if an open file handle or pathname is a symlink.
++****************************************************************************/
++
++static NTSTATUS refuse_symlink(connection_struct *conn,
++ const files_struct *fsp,
++ const char *name)
++{
++ SMB_STRUCT_STAT sbuf;
++ const SMB_STRUCT_STAT *pst = NULL;
++
++ if (fsp) {
++ pst = &fsp->fsp_name->st;
++ } else {
++ int ret = vfs_stat_smb_fname(conn,
++ name,
++ &sbuf);
++ if (ret == -1) {
++ return map_nt_error_from_unix(errno);
++ }
++ pst = &sbuf;
++ }
++ if (S_ISLNK(pst->st_ex_mode)) {
++ return NT_STATUS_ACCESS_DENIED;
++ }
++ return NT_STATUS_OK;
++}
++
+ /********************************************************************
+ Roundup a value to the nearest allocation roundup size boundary.
+ Only do this for Windows clients.
+@@ -180,12 +208,22 @@
+ char **names, **tmp;
+ size_t num_names;
+ ssize_t sizeret = -1;
++ NTSTATUS status;
++
++ if (pnames) {
++ *pnames = NULL;
++ }
++ *pnum_names = 0;
+ 
+ if (!lp_ea_support(SNUM(conn))) {
+- if (pnames) {
+- *pnames = NULL;
+- }
+- *pnum_names = 0;
++ return NT_STATUS_OK;
++ }
++
++ status = refuse_symlink(conn, fsp, fname);
++ if (!NT_STATUS_IS_OK(status)) {
++ /*
++ * Just return no EA's on a symlink.
++ */
+ return NT_STATUS_OK;
+ }
+ 
+@@ -235,10 +273,6 @@
+ 
+ if (sizeret == 0) {
+ TALLOC_FREE(names);
+- if (pnames) {
+- *pnames = NULL;
+- }
+- *pnum_names = 0;
+ return NT_STATUS_OK;
+ }
+ 
+@@ -506,6 +540,7 @@
+ const struct smb_filename *smb_fname, struct ea_list *ea_list)
+ {
+ char *fname = NULL;
++ NTSTATUS status;
+ 
+ if (!lp_ea_support(SNUM(conn))) {
+ return NT_STATUS_EAS_NOT_SUPPORTED;
+@@ -515,6 +550,12 @@
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ 
++ status = refuse_symlink(conn, fsp, smb_fname->base_name);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++
+ /* For now setting EAs on streams isn't supported.
*/
+ fname = smb_fname->base_name;
+ 
+@@ -4809,6 +4850,13 @@
+ uint16 num_file_acls = 0;
+ uint16 num_def_acls = 0;
+ 
++ status = refuse_symlink(conn,
++ fsp,
++ smb_fname->base_name);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
+ if (fsp && fsp->fh->fd != -1) {
+ file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
+ } else {
+@@ -6323,6 +6371,7 @@
+ uint16 num_def_acls;
+ bool valid_file_acls = True;
+ bool valid_def_acls = True;
++ NTSTATUS status;
+ 
+ if (total_data < SMB_POSIX_ACL_HEADER_SIZE) {
+ return NT_STATUS_INVALID_PARAMETER;
+@@ -6350,6 +6399,11 @@
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ 
++ status = refuse_symlink(conn, fsp, smb_fname->base_name);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
+ DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n",
+ smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp),
+ (unsigned int)num_file_acls,
diff -Nru samba-3.6.3/debian/patches/security-CVE-2013-0213.patch samba-3.6.3/debian/patches/security-CVE-2013-0213.patch
--- samba-3.6.3/debian/patches/security-CVE-2013-0213.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-3.6.3/debian/patches/security-CVE-2013-0213.patch 2016-03-04 12:23:22.000000000 +0000
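Review bot: In the path-based branch of `refuse_symlink` (trans2.c hunk at +50), the lookup is `vfs_stat_smb_fname`, and a stat that follows the link can never report `S_ISLNK`; as far as I recall, Samba's helper only switches to lstat when POSIX pathnames are in effect, which is the UNIX-extensions case this CVE concerns, but nothing in the function says so. A comment such as `/* Only meaningful with POSIX pathnames, where vfs_stat_smb_fname does an lstat; otherwise the link was already followed. */` would stop the next reader from treating the check as dead code, or the lstat variant (`vfs_lstat_smb_fname`, if this tree has it) could be used unconditionally. Separately, in `get_ea_list_from_file` (hunk at +180) every error from `refuse_symlink`, including a failed stat, is collapsed to `NT_STATUS_OK` with an empty list, while the comment only speaks of symlinks; consider `if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED))` for the silent case and propagating anything else. The enclosing functions all start outside the hunks.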
@@ -0,0 +1,31 @@
+From 72672f8074c0a65918756ad89a8ecc2befc72cf0 Mon Sep 17 00:00:00 2001
+From: Kai Blin
+Date: Fri, 18 Jan 2013 23:11:07 +0100
+Subject: [PATCH] swat: Use X-Frame-Options header to avoid clickjacking
+
+Jann Horn reported a potential clickjacking vulnerability in SWAT where
+the SWAT page could be embedded into an attacker's page using a frame or
+iframe and then used to trick the user to change Samba settings.
+
+Avoid this by telling the browser to refuse the frame embedding via the
+X-Frame-Options: DENY header.
+
+Signed-off-by: Kai Blin
+---
+ source3/web/swat.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+Index: samba-3.6.3/source3/web/swat.c
+===================================================================
+--- samba-3.6.3.orig/source3/web/swat.c 2016-03-04 07:23:20.164516781 -0500
++++ samba-3.6.3/source3/web/swat.c 2016-03-04 07:23:20.160516744 -0500
+@@ -266,7 +266,8 @@
+ if (!cgi_waspost()) {
+ printf("Expires: 0\r\n");
+ }
+- printf("Content-type: text/html\r\n\r\n");
++ printf("Content-type: text/html\r\n");
++ printf("X-Frame-Options: DENY\r\n\r\n");
+ 
+ if (!include_html("include/header.html")) {
+ printf("\n");
diff -Nru samba-3.6.3/debian/patches/security-CVE-2013-0214.patch samba-3.6.3/debian/patches/security-CVE-2013-0214.patch
--- samba-3.6.3/debian/patches/security-CVE-2013-0214.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-3.6.3/debian/patches/security-CVE-2013-0214.patch 2016-03-04 12:23:25.000000000 +0000
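Review bot: The new `X-Frame-Options: DENY` header is emitted only on this one HTML response path in swat.c (hunk at +266); the error page that cgi.c writes in the sibling CVE-2013-0214 patch sends its own `Content-Type: text/html` header without it, which is likely harmless for a one-shot error page but worth a glance. For browsers that honour it, adding `printf("Content-Security-Policy: frame-ancestors 'none'\r\n");` beside the new line gives the same protection through the mechanism that supersedes X-Frame-Options, at no cost to older clients. The enclosing function starts and ends outside the hunk.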
@@ -0,0 +1,116 @@
+From f102cb2316b9590c91a248ccd77f335d0cd99764 Mon Sep 17 00:00:00 2001
+From: Kai Blin
+Date: Mon, 28 Jan 2013 21:41:07 +0100
+Subject: [PATCH] swat: Use additional nonce on XSRF protection
+
+If the user had a weak password on the root account of a machine running
+SWAT, there still was a chance of being targetted by an XSRF on a
+malicious web site targetting the SWAT setup.
+
+Use a random nonce stored in secrets.tdb to close this possible attack
+window. Thanks to Jann Horn for reporting this issue.
+
+Signed-off-by: Kai Blin
+---
+ source3/web/cgi.c | 40 ++++++++++++++++++++++++++--------------
+ source3/web/swat.c | 2 ++
+ source3/web/swat_proto.h | 1 +
+ 3 files changed, 29 insertions(+), 14 deletions(-)
+
+Index: wheezy/source3/web/cgi.c
+===================================================================
+--- wheezy.orig/source3/web/cgi.c
++++ wheezy/source3/web/cgi.c
+@@ -48,6 +48,7 @@
+ static char *pathinfo;
+ static char *C_user;
+ static char *C_pass;
++static char *C_nonce;
+ static bool inetd_server;
+ static bool got_request;
+ 
+@@ -329,20 +330,7 @@
+ C_user = SMB_STRDUP(user);
+ 
+ if (!setuid(0)) {
+- C_pass = secrets_fetch_generic("root", "SWAT");
+- if (C_pass == NULL) {
+- char *tmp_pass = NULL;
+- tmp_pass = generate_random_password(talloc_tos(),
+- 16, 16);
+- if (tmp_pass == NULL) {
+- printf("%sFailed to create random nonce for "
+- "SWAT session\n
%s\n", head, tail);
+- exit(0);
+- }
+- secrets_store_generic("root", "SWAT", tmp_pass);
+- C_pass = SMB_STRDUP(tmp_pass);
+- TALLOC_FREE(tmp_pass);
+- }
++ C_pass = SMB_STRDUP(cgi_nonce());
+ }
+ setuid(pwd->pw_uid);
+ if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
+@@ -459,6 +447,30 @@
+ }
+ 
+ /***************************************************************************
++return a ptr to the nonce
++ ***************************************************************************/
++char *cgi_nonce(void)
++{
++ const char *head = "Content-Type: text/html\r\n\r\n

SWAT installation Error

\n";
++ const char *tail = "\r\n";
++ C_nonce = secrets_fetch_generic("root", "SWAT");
++ if (C_nonce == NULL) {
++ char *tmp_pass = NULL;
++ tmp_pass = generate_random_password(talloc_tos(),
++ 16, 16);
++ if (tmp_pass == NULL) {
++ printf("%sFailed to create random nonce for "
++ "SWAT session\n
%s\n", head, tail);
++ exit(0);
++ }
++ secrets_store_generic("root", "SWAT", tmp_pass);
++ C_nonce = SMB_STRDUP(tmp_pass);
++ TALLOC_FREE(tmp_pass);
++ }
++ return(C_nonce);
++}
++
++/***************************************************************************
+ handle a file download
+ ***************************************************************************/
+ static void cgi_download(char *file)
+Index: wheezy/source3/web/swat.c
+===================================================================
+--- wheezy.orig/source3/web/swat.c
++++ wheezy/source3/web/swat.c
+@@ -154,6 +154,7 @@
+ struct MD5Context md5_ctx;
+ uint8_t token[16];
+ int i;
++ char *nonce = cgi_nonce();
+ 
+ token_str[0] = '\0';
+ ZERO_STRUCT(md5_ctx);
+@@ -167,6 +168,7 @@
+ if (pass != NULL) {
+ MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
+ }
++ MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce));
+ 
+ MD5Final(token, &md5_ctx);
+ 
+Index: wheezy/source3/web/swat_proto.h
+===================================================================
+--- wheezy.orig/source3/web/swat_proto.h
++++ wheezy/source3/web/swat_proto.h
+@@ -32,6 +32,7 @@
+ bool am_root(void);
+ char *cgi_user_name(void);
+ char *cgi_user_pass(void);
++char *cgi_nonce(void);
+ void cgi_setup(const char *rootdir, int auth_required);
+ const char *cgi_baseurl(void);
+ const char *cgi_pathinfo(void);
diff -Nru samba-3.6.3/debian/patches/series samba-3.6.3/debian/patches/series
--- samba-3.6.3/debian/patches/series 2016-02-15 15:53:52.000000000 +0000
+++ samba-3.6.3/debian/patches/series 2016-03-07 12:10:59.000000000 +0000
@@ -37,3 +37,6 @@
 CVE-2015-5299.patch
 CVE-2015-5330.patch
 lp_1545750_fix-symlink-corner-case.patch
+security-CVE-2013-0213.patch
+security-CVE-2013-0214.patch
+CVE-2015-7560.patch
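Review bot: `cgi_nonce()` (cgi.c hunk at +459) re-reads secrets.tdb and overwrites the file-scope `C_nonce` on every call, so the second call made from swat.c's token code (hunk at +154) drops whatever the first call stored there, presumably a heap buffer from `secrets_fetch_generic` or the `SMB_STRDUP` copy, and repeats the database lookup per token. Since the value is fixed for the life of the process, return the cached copy first: `if (C_nonce != NULL) { return C_nonce; }`. Note also that the original fetch ran inside the `setuid(0)` branch of the first cgi.c hunk, while the new swat.c caller's privilege level is not visible here; if it runs after the `setuid(pwd->pw_uid)` shown there and secrets.tdb is not readable to that user, the fallback would silently generate a fresh random nonce each request and `secrets_store_generic` would fail unchecked, so token validation on the non-root SWAT path is worth confirming. The `printf`/`exit(0)` on generation failure is carried over from the removed code, as is the unchecked store.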