Errata overview
Errata ID 632
Date 2020-01-21
Source package samba
Fixed in version 2:4.10.1-1A~
This update addresses the following issues:
* The DRS replication of Samba/AD domain controllers didn't handle the
  inheritance of Active Directory Service (LDAP) ACLs properly.
  These ACLs are stored in the nTSecurityDescriptor LDAP attribute.
  In case an administrator explicitly changed Active Directory LDAP ACLs to
  delegate new rights to an account (user or group), or to restrict delegated
  rights, these changes would only automatically be inherited to all
  subobjects in the LDAP tree on the specific domain controller where the
  admin was working on. But on all other replicating domain controllers, the
  automatic inheritance did not take place correctly.
  To fix this for a particular Active Directory LDAP partition, a 'full-sync'
  DRS operation can be initiated manually.
  For more details and possible mitigations see
* If samba is run with "log level = 3" (or above) then the string
  obtained from the client, after a failed character conversion, is
  printed.  Such strings can be provided during the NTLMSSP
  authentication exchange. On the Samba/AD domain controller in particular,
  this may cause a long-lived process (such as the RPC server) to terminate.
  For more details and possible mitigations see
* Samba 4.9 introduced an off-by-default feature to tombstone
  dynamically created DNS records that had reached their expiry time.
  This feature is controlled by the smb.conf option:
         dns zone scavenging = yes
  which is not active by default in UCS. The scavenging code suffered from
  a use after free issue, a type of memory handling error that could lead
  to unexpected behavior.
  For more details and possible mitigations see
Additional notes
CVE ID CVE-2019-14902
UCS Bug number #50716