Errata overview
Errata ID 39
Date 2019-04-08
Source package samba
Fixed in version 2:4.10.1-1A~
This update addresses the following issues:
* Update to Samba 4.10.1.
* Improve `samba-tool ntacl sysvolcheck` to reduce reporting false positives.
  This can be run by using new option `--mask-msad-differences`. Without
  the new option the reporting is unchanged. This is another step in the
  ongoing quest of improving the quality this tool for NTACL inheritance.
* Fix mode of dns_update_list and spn_update_list, broken after provision.
* During the creation of a new Samba AD DC, files are created in the
  /var/lib/samba/private/ directory.
  During initial setup of a UCS domain-controller with UCS 4.4 / Samba 4.10
  two files were created with mode 0666, that is world-writable, including
  the list of DNS names and servicePrincipalName values to update.
  Most UCS Samba DCs upgraded from UCS 4.3-3 or earlier however will not be
  affected by this, because the Bug was introduced with Samba 4.8 while UCS
  4.3 systems are running Samba 4.7.
  For details see <>.
* Samba contains an RPC endpoint emulating the Windows registry service
  API. One of the requests, "winreg_SaveKey", is susceptible to a
  path/symlink traversal vulnerability. Unprivileged users can use it to
  create a new registry hive file anywhere they have UNIX permissions to
  create a new file within a Samba share. If they are able to create symlinks
  on a Samba share, they can create a new registry hive file anywhere they
  have write access, even outside a Samba share definition.
  Existing share restrictions such as "read only" or share ACLs do not
  prevent new registry hive files being written to the filesystem. A file may
  be written under any share definition wherever the user has UNIX
  permissions to create a file.
  Existing files cannot be overwritten using this vulnerability, only new
  registry hive files can be created, however the presence of existing files
  with a specific name can be detected.
  Samba writes or detects the file as the authenticated user, but by UCS
  default the "Administrator" account is mapped to root, because it is
  configured as "admin user" in smb.conf.
  For details and possible mitigations see
Additional notes
CVE ID CVE-2019-3870
UCS Bug number #49034