diff -Nru samba-4.3.11+dfsg/debian/changelog samba-4.3.11+dfsg/debian/changelog
--- samba-4.3.11+dfsg/debian/changelog	2018-09-24 10:08:45.000000000 +0000
+++ samba-4.3.11+dfsg/debian/changelog	2018-11-16 13:45:21.000000000 +0000
@@ -1,3 +1,21 @@
+samba (2:4.3.11+dfsg-0ubuntu0.16.04.18) xenial-security; urgency=medium
+
+  * SECURITY UPDATE: Unprivileged adding of CNAME record causing loop in AD
+    Internal DNS server
+    - debian/patches/CVE-2018-14629.patch: add CNAME loop prevention using
+      counter in  source4/dns_server/dns_query.c.
+    - CVE-2018-14629
+  * SECURITY UPDATE: Double-free in Samba AD DC KDC with PKINIT
+    - debian/patches/CVE-2018-16841.patch: fix segfault on PKINIT with
+      mis-matching principal in source4/kdc/db-glue.c.
+    - CVE-2018-16841
+  * SECURITY UPDATE: NULL pointer de-reference in Samba AD DC LDAP server
+    - debian/patches/CVE-2018-16851.patch: check ret before manipulating
+      blob in source4/ldap_server/ldap_server.c.
+    - CVE-2018-16851
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 16 Nov 2018 08:43:34 -0500
+
 samba (2:4.3.11+dfsg-0ubuntu0.16.04.17) xenial; urgency=medium
 
   * d/samba.nmbd.init, d/samba.samba-ad-dc.init, d/samba.smbd.init, d/winbind.init
diff -Nru samba-4.3.11+dfsg/debian/patches/CVE-2018-14629.patch samba-4.3.11+dfsg/debian/patches/CVE-2018-14629.patch
--- samba-4.3.11+dfsg/debian/patches/CVE-2018-14629.patch	1970-01-01 00:00:00.000000000 +0000
+++ samba-4.3.11+dfsg/debian/patches/CVE-2018-14629.patch	2018-11-16 13:45:04.000000000 +0000
@@ -0,0 +1,44 @@
+Backport of:
+
+From 805850d4b67eff263a8dab0999ab59e6243534f1 Mon Sep 17 00:00:00 2001
+From: Aaron Haslett <aaronhaslett@catalyst.net.nz>
+Date: Tue, 23 Oct 2018 17:25:51 +1300
+Subject: [PATCH 5/5] CVE-2018-14629 dns: CNAME loop prevention using counter
+
+Count number of answers generated by internal DNS query routine and stop at
+20 to match Microsoft's loop prevention mechanism.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
+
+Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Garming Sam <garming@catalyst.net.nz>
+---
+ python/samba/tests/dns.py      | 24 ++++++++++++++++++++++++
+ selftest/knownfail.d/dns       |  6 ++++++
+ source4/dns_server/dns_query.c |  6 ++++++
+ 3 files changed, 36 insertions(+)
+
+Index: samba-4.3.11+dfsg/source4/dns_server/dns_query.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/dns_server/dns_query.c	2018-11-16 08:20:27.750193296 -0500
++++ samba-4.3.11+dfsg/source4/dns_server/dns_query.c	2018-11-16 08:40:18.952454663 -0500
+@@ -39,6 +39,7 @@
+ 
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_DNS
++#define MAX_Q_RECURSION_DEPTH 20
+ 
+ static WERROR create_response_rr(const struct dns_name_question *question,
+ 				 const struct dnsp_DnssrvRpcRecord *rec,
+@@ -261,6 +262,10 @@ static WERROR handle_question(struct dns
+ 	uint16_t rec_count, ai = *ancount;
+ 	struct ldb_dn *dn = NULL;
+ 
++	if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
++		return WERR_OK;
++	}
++
+ 	werror = dns_name2dn(dns, mem_ctx, question->name, &dn);
+ 	W_ERROR_NOT_OK_RETURN(werror);
+ 
diff -Nru samba-4.3.11+dfsg/debian/patches/CVE-2018-16841.patch samba-4.3.11+dfsg/debian/patches/CVE-2018-16841.patch
--- samba-4.3.11+dfsg/debian/patches/CVE-2018-16841.patch	1970-01-01 00:00:00.000000000 +0000
+++ samba-4.3.11+dfsg/debian/patches/CVE-2018-16841.patch	2018-11-16 13:42:29.000000000 +0000
@@ -0,0 +1,38 @@
+From b38900c353ca92365f144734c99d156cc39611d4 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 23 Oct 2018 17:33:46 +1300
+Subject: [PATCH 3/5] CVE-2018-16841 heimdal: Fix segfault on PKINIT with
+ mis-matching principal
+
+In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free
+mem_ctx.
+
+This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
+MIT KDC effort.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
+---
+ source4/kdc/db-glue.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Index: samba-4.3.11+dfsg/source4/kdc/db-glue.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/kdc/db-glue.c	2018-11-16 08:42:27.705979876 -0500
++++ samba-4.3.11+dfsg/source4/kdc/db-glue.c	2018-11-16 08:42:27.697979781 -0500
+@@ -2437,10 +2437,10 @@ samba_kdc_check_pkinit_ms_upn_match(krb5
+ 	 * comparison */
+ 	if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
+ 		talloc_free(mem_ctx);
+-#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH /* Heimdal */
+-		return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+-#elif defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
++#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
+ 		return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
++#else /* Heimdal (where this is an enum) */
++		return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+ #endif
+ 	}
+ 
diff -Nru samba-4.3.11+dfsg/debian/patches/CVE-2018-16851.patch samba-4.3.11+dfsg/debian/patches/CVE-2018-16851.patch
--- samba-4.3.11+dfsg/debian/patches/CVE-2018-16851.patch	1970-01-01 00:00:00.000000000 +0000
+++ samba-4.3.11+dfsg/debian/patches/CVE-2018-16851.patch	2018-11-16 13:43:31.000000000 +0000
@@ -0,0 +1,41 @@
+From d8c836ef838a62b39c255bcb49443df171334d24 Mon Sep 17 00:00:00 2001
+From: Garming Sam <garming@catalyst.net.nz>
+Date: Mon, 5 Nov 2018 16:18:18 +1300
+Subject: [PATCH 2/5] CVE-2018-16851 ldap_server: Check ret before manipulating
+ blob
+
+In the case of hitting the talloc ~256MB limit, this causes a crash in
+the server.
+
+Note that you would actually need to load >256MB of data into the LDAP.
+Although there is some generated/hidden data which would help you reach that
+limit (descriptors and RMD blobs).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674
+
+Signed-off-by: Garming Sam <garming@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source4/ldap_server/ldap_server.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: samba-4.3.11+dfsg/source4/ldap_server/ldap_server.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/ldap_server/ldap_server.c	2018-11-16 08:43:28.566710433 -0500
++++ samba-4.3.11+dfsg/source4/ldap_server/ldap_server.c	2018-11-16 08:43:28.562710385 -0500
+@@ -576,13 +576,13 @@ static void ldapsrv_call_process_done(st
+ 		ret = data_blob_append(call, &blob, b.data, b.length);
+ 		data_blob_free(&b);
+ 
+-		talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
+-
+ 		if (!ret) {
+ 			ldapsrv_terminate_connection(conn, "data_blob_append failed");
+ 			return;
+ 		}
+ 
++		talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
++
+ 		DLIST_REMOVE(call->replies, call->replies);
+ 	}
+ 
diff -Nru samba-4.3.11+dfsg/debian/patches/series samba-4.3.11+dfsg/debian/patches/series
--- samba-4.3.11+dfsg/debian/patches/series	2018-09-24 09:40:35.000000000 +0000
+++ samba-4.3.11+dfsg/debian/patches/series	2018-11-16 13:43:27.000000000 +0000
@@ -103,3 +103,6 @@
 CVE-2018-10919-9.patch
 CVE-2018-10919-10.patch
 bug_1583324_include_with_macro.patch
+CVE-2018-14629.patch
+CVE-2018-16841.patch
+CVE-2018-16851.patch