Security Releases available: SAMBA+ 4.11.5, 4.10.12 and 4.9.18

SAMBA+ 4.11.5, 4.10.12 and 4.9.18 packages have just been released by SerNet. These are important security releases, please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux and Ubuntu.

The packages address the following issues:

  • CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD Directory not automatic.
    The implementation of ACL inheritance in the Samba AD DC was not complete, and so absent a 'full-sync' replication, ACLs could get out of sync between domain controllers.
  • CVE-2019-14907: Crash after failed character conversion at log level 3 or above.
    When processing untrusted string input Samba can read past the end of the allocated buffer when printing a "Conversion error" message to the logs.
  • CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
    During DNS zone scavenging (of expired dynamic entries) there is a read of memory after it has been freed.

Also, SAMBA+ Long Term Support packages 4.8.12-25.lts.4, 4.7.12-21.lts.6 and 4.6.16-17.lts.8 including these fixes are available now.

SAMBA+ packages and all later versions are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at The subscriptions are managed at our platform OPOSSO ( Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.


SerNet's Samba newsletter informs you about all important developments and events with its main focus on new packages.

+ subscribe to Newsletter

RSS Feed

Don't miss any more SAMBA+ news? Read the latest in your feed reader of choice.

+ subscribe to RSS feed


Buy and manage software subscriptions. SAMBA+ subscriptions are available for one, two and three years at the SAMBA+ shop.

+ visit the shop

Deutsche SpracheEnglish languageLangue fran├žaise