- The Samba Web Administration Tool (SWAT) in Samba versions 3.0.x to 4.0.1
are affected by a cross-site request forgery; CVE-2013-0214; (bnc#799641).

- The Samba Web Administration Tool (SWAT) in Samba versions 3.0.x to 4.0.1
could possibly be used in clickjacking attacks; CVE-2013-0213; (bnc#800982).

- defer_open is triggered multiple times on the same request; (bso#9196).
- Fix SEGV when using second vfs module; (bso#9471).
- Correctly detect O_DIRECT; (bso#9548).
- Mask off signals the correct way from the signal handler; (bso#9550).
- ntlm_auth.1: Fix format and make examples visible; (bso#9569).

- Remove dangling references to Heimdal from the spec file.

- Use the version macro while definition of the branch macro.

- Fix MD5 detection in the autoconf build; (bso#9037); (bso#9086); (bso#9094);
(bso#9418).
- Use work around for 'winbind use default domain' only if it is set;
(bso#9367).
- Allow smb2.acls torture test to pass against smbd with a POSIX ACLs backend;
(bso#9374).
- large read requests cause server to issue malformed reply; (bso#9422).
- s3-rpc_client: lookup nametype 0x20 in rpc_pipe_open_tcp_port(); (bso#9426).
- Fix ncacn_ip_tcp reconnection code for lsa lookups; (bso#9439).
- Allow to force DNS updates using net; (bso#9451).
- Respond correctly to FILE_STREAM_INFO requests; (bso#9460).

- On uninstall remove winbind from the pam configuration, invalidate the nscd
passwd and group cache and only recommend the install of nscd; (bnc#792340).

- BuildRequire libnscd-devel once.

- Don't clutter the spec file diff view; (bnc#783384).

- Fix fd leak causing 100% CPU in winbind on certain dc connection
failures; (bso#9436); (bnc#786677).

- Fix spoolss segfault when default devmode is disabled; (bso#9433);
(bnc#791183).

- ACL masks incorrectly applied when setting ACLs; (bso#9236).
- s3-kerberos: also try with AES keys, when decrypting tickets; (bso#9272).
- lib/replace: replace all *printf function if we replace snprintf; (bso#9390).
- lib/addns: don't depend on the order in resp->answers[]; (bso#9402).

- s4:torture/smb2: improve the smb2.create.blob tes; (bso#9209).
- lib/krb5_wrap: request enc_types in the correct order; (bso#9272).
- Fix net ads join message for the dns domain; (bso#9326).
- docs-xml: fix use of <smbconfoption> tag; (bso#9345).
- s3-aio_pthread: Optimize aio_pthread_handle_completion; (bso#9359).
- s3:winbind: Failover if netlogon pipe is not available; (bso#9386).

- Ensure adding the winbind group never can fail.

- Create ntadmin group only if it doesn't yet exist.

- quota: Don't force the block size to 512; (bso#3272).
- Fix poll replacement to become a msleep replacement; (bso#8107).
- Fix wrong test == syntax in configure; (bso#8146).
- Fix --with(out)-sendfile-support option handling in autoconf; (bso#8344).
- Fix builtin forms order to match Windows again; (bso#8632).
- Fix RAW printing for normal users; (bso#8769); (bnc#790741).
- Initialise ticket to ensure we do not invalid memory; (bso#8788).
- Fix 'net rpc share allowedusers' to work with 2008r2; (bso#8966).
- Fix crash on null pam change pw response; (bso#9013).
- Connection to outbound trusted domain goes offline; (bso#9016).
- Increase debug level for info that the db is empty; (bso#9112).
- 'smbclient' can't connect to a Windows 7 server using NTLMv2; (bso#9117).
- Winbind can't fetch user or group info from AD via LDAP; (bso#9147).
- Open printers with the right access mask; (bso#9154).
- Fix makerpms.sh on RHEL; (bso#9165).
- Remove non-existent option '-Y' from winbindd manpage; (bso#9171).
- Add quota support for gfs2; (bso#9172).
- Make SMB2 compound request create/delete_on_close/close work as Windows;
(bso#9173).
- Empty SPNEGO packet can cause smbd to crash; (bso#9174).
- pam_winbind: Match more return codes when wbcGetPwnam has failed;
(bso#9177).
- Fix crash bug in idmap_hash; (bso#9188); (bnc#788159).
- SMB2 Create doesn't return correct MAX ACCESS access mask in blob;
(bso#9189).
- Fix service control for non-internal services; (bso#9192).
- Don't take 'state->te' as indication for "was_deferred"; (bso#9196).
- Parse of invalid SMB2 create blob can cause smbd crash; (bso#9209).
- Bad ASN.1 NegTokenInit packet can cause invalid free; (bso#9213).
- Fix segfault in smbd if user specified ports out for range; (bso#9218).
- Signing cannot be disabled for SMB2 by design, so fix the documentation
instead; (bso#9222).
- Fix NT_STATUS_IO_TIMEOUT during slow import of printers into registry;
(bso#9231).
- When setting a non-default ACL, don't forget to apply masks to SMB_ACL_USER
and SMB_ACL_GROUP entries; (bso#9236).
- lib-addns: ensure that allocated buffer are pre set to 0; (bso#9259).
- Make tdb robust against shrinking tdbs and improper CLEAR_IF_FIRST restart;
(bso#9268).
- Add support for reloading systemd services; (bso#9280).

- Warn via the smbd log if AppArmor and "wide links" are in use; (bnc#783719).

- Backport FSCTL codes and fix segfault in smbstatus from master; (bso#9058).
- Fix bad call to memcpy source3/registry/regfio.c; (bso#9065).
- "Domain Users" incorrectly added as additional group on domain members;
(bso#9066).
- Use correct RID for "Domain Guests" primary group; (bso#9067).
- Fix crash bug in smbd caused by a blocking lock followed by close;
(bso#9084).
- Fix smbclient/tarmode panic when connecting to Windows 2000 clients;
(bso#9088).
- Fix refreshing of Kerberos tickets in Winbind; (bso#9098).
- Fix identification of idle clients in Winbind to avoid crashes and NDR
parsing errors; (bso#9104).
- Fix compilation with newer MIT Kerberos which hides internal symbols;
(bso#9111).
- Fix flooding the logs with records we don't find in pcap; (bso#9112).
- Initialize the print backend after we setup winreg; (bso#9122).
- Fix lprng job tracking errors; (bso#9123).
- Fix setting of "inherited" bit on inherited ACE's; (bso#9124).
- Fix Winbind panic if we couldn't find the domain; (bso#9135).
- Make 'smbclient allinfo' show the snapshot list; (bso#9137).
- Fix nfs quota support with Linux nfs4 mounts; (bso#9144).
- Valid open requests can cause smbd assert due to incorrect oplock handling
on delete requests; (bso#9150).

- NMB registration for a duplicate workstation fails with registration
refuse; (bso#9085); (bnc#770056).

- Correct documentation of "case sensitive"; (bso#8552).
- Printing fails in function cups_job_submit; (bso#8719).
- Fix kernel oplocks when uid(file) != uid(process); (bso#8974).
- Send correct responses to NT Transact Secondary when no data and no params
for the Trans2 calls are set; (bso#8989).
- Fix build without ads support; (bso#8996).
- Don't turn negative cache entries into valid idmappings; (bso#9002).
- Fix posix acl on gpfs; (bso#9003).
- Make vfs_gpfs less verbose in get/set_xattr functions; (bso#9022).
- Fix migrating printers while upgrading from 3.5.x; (bso#9026).
- Fix typo in set_re_uid() call when USE_SETRESUID selected in configure;
(bso#9034).
- Using asynchronous IO with SMB2 can return NT_STATUS_FILE_CLOSED in error
instead ofNT_STATUS_FILE_LOCK_CONFLICT; (bso#9040).
- Fix resolving our own "Domain Local" groups; (bso#9052); (bnc#779269).
- Fix build against CUPS 1.6; (bso#9055).
- Fix bugs in SMB2 credit handling code; (bso#9057).
- rpcclient: Fix bad call to data_blob_const; (bso#9062).

- BuildRequire gcc, make, and patch; (bnc#771516).

- ndr: fix push/pull DATA_BLOB with NDR_NOALIGN; (bso#9026); (bnc#770262).

- Fix shell syntax in dhcpcd hook script; (bnc#769957).

- resolve_ads() code can return zero addresses and miss valid DC IP addresses;
(bso#8910).
- Can't join XP Pro workstations to 3.6.1 DC; (bso#8373); (bnc#787983).
- winbind can hang as nbt_getdc() has no timeout; (bso#8953).
- Fix crash bug in dns_create_probe when dns_create_update fails; (bso#8627)
- s3-pid: Catch with pid filename's change when config file is not smb.conf;
(bso#8714).
- Possible memory leaks in the main Samba process; (bso#8970).
- s3: Fix uninitialized memory read in talloc_free(); (bnc#764577).
- Treat exit_server_cleanly() as a "clean" shutdown; (bso#8971).
- Avoid crash with MIT krb5 1.10.0 in gss_get_name_attribute(); (bso#8988).
- Winzip occasionally can not read files out of an open winzip dialog;
(bso#8311).
- s3-winbindd: call dump_core_setup after command line option has been parsed;
(bso#8975).
- Directory group write permission bit is set if unix extensions are enabled;
(bso#8972).
- s3: remove dependency on automake for "make everything"; (bso#8978).
- sd_has_inheritable_components segfaults on an SD that se_access_check
accepts; (bso#8811).
- smbclient's tarmode insists on listing excluded directories; (bso#8922).
- Notify code can miss a ChDir; (bso#8998).
- s3:smbd: add a fsp_persistent_id() function; (bso#8995).

- s3: Fix a segfault with debug level 3 on Solaris; (bso#8861).
- s3: wbinfo --lookup-sids "" crashes winbind; (bso#8904).
- smbd crashes when deleting directory and veto files are enabled; (bso#8837).
- winbind_krb5_locator only returns one IP address; (bso#8897).
- Wrong assertion/comparison: Compare value not pointer; (bso#8859).
- Inconsistent (with manpage) command-line switch for "help" in smbtree;
(bso#8831).
- Fix incorrect debug statement.
- Setting traverse rights fails to enable directory traversal when acl_xattr
in use; (bso#8857).
- Syslog broken owing to mistyping of debug_settings.syslog; (bso#8877).
- s3/ldap: remove outdated netscape ds 5 schema file; (bso#8869).
- s3-docs: fixes several typos; (bso#7938).
- s3-VFS: Fix building out-of-tree modules; (bso#8822).
- s3-docs: Add hint that setting "profile acls = yes" on normal shares can
cause trouble; (bso#7930).
- s3-pam_winbind: Fix the build with a newer iniparser library; (bso#8915).
- Avoid null dereference in initialize_password_db(); (bso#8920).
- s3:registry: implement values_need_update and subkeys_need_update in the
smbconf backend.
- s3:registry:reg_api: fix reg_queryvalue to not fail when values are
modified while it runs.
- s4:torture:rpc:spoolss: also initialize driverName before checking it in
test_PrinterData_DsSpooler().
- s3:registry: multiple cleanups, fixes, and optimisations.
- s3:auth/server_info: the primary rid should be in the groups rid array;
(bso#8798).
- s3-printing: Add new printers to registry; (bso#8554); (bso#8612);
(bso#8748).
- Fix the overwriting of errno before use in a DEBUG statement and use the
return value from store_acl_blob_fsp rather than ignoring it; (bso#8945).
- s3-auth: Don't lookup the system user in pdb; (bso#8944).
- s3-passdb: Fix negative SID->uid/gid cache handling; (bso#8952).
- Fix typo in pam_winbindd code; (bso#8957).
- Fix remove_duplicate_addrs2 previously it could leave zero addresses in the
list; (bso#8910).
- Slow but responsive DC can lock up winbindd; (bso#8943).
- Broken processing of %U with vfs_full_audit when force user is set;
(bso#8882).

- Attempt to use samlogon validation level 6; (bso#7945); (bnc#741623).

- Add PreReq /etc/init.d/nscd to the winbind package; (bnc#759731).

- Recover from ncacn_ip_tcp ACCESS_DENIED/SEC_PKG_ERROR lsa errors;
(bso#7944); (bnc#755663).
- Fix lsa_LookupSids3 and lsa_LookupNames4 arguments.

- s3-smbd: move print_backend_init() behind init_system_info(); (bso#8845);
(bnc#730769).
- Use simplified smb signing infrastructure; (bnc#741623).