diff -Nru samba-4.3.11+dfsg/debian/changelog samba-4.3.11+dfsg/debian/changelog
--- samba-4.3.11+dfsg/debian/changelog	2018-11-16 14:50:56.000000000 +0000
+++ samba-4.3.11+dfsg/debian/changelog	2019-04-01 14:10:22.000000000 +0000
@@ -1,3 +1,12 @@
+samba (2:4.3.11+dfsg-0ubuntu0.14.04.20) trusty-security; urgency=medium
+
+  * SECURITY UPDATE: save registry file outside share as unprivileged user
+    - debian/patches/CVE-2019-3880.patch: remove implementations of
+      SaveKey/RestoreKey in source3/rpc_server/winreg/srv_winreg_nt.c.
+    - CVE-2019-3880
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 01 Apr 2019 10:10:22 -0400
+
 samba (2:4.3.11+dfsg-0ubuntu0.14.04.19) trusty-security; urgency=medium
 
   * SECURITY UPDATE: Unprivileged adding of CNAME record causing loop in AD
diff -Nru samba-4.3.11+dfsg/debian/patches/CVE-2019-3880.patch samba-4.3.11+dfsg/debian/patches/CVE-2019-3880.patch
--- samba-4.3.11+dfsg/debian/patches/CVE-2019-3880.patch	1970-01-01 00:00:00.000000000 +0000
+++ samba-4.3.11+dfsg/debian/patches/CVE-2019-3880.patch	2019-04-01 14:10:16.000000000 +0000
@@ -0,0 +1,150 @@
+Backport of:
+
+From 0a392c982aca2150c8350582148abd7b2af782f8 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 21 Mar 2019 14:51:30 -0700
+Subject: [PATCH] CVE-2019-3880 s3: rpc: winreg: Remove implementations of
+ SaveKey/RestoreKey.
+
+The were not using VFS backend calls and could only work
+locally, and were unsafe against symlink races and other
+security issues.
+
+If the incoming handle is valid, return WERR_BAD_PATHNAME.
+
+[MS-RRP] states "The format of the file name is implementation-specific"
+so ensure we don't allow this.
+
+As reported by Michael Hanselmann.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++-----------------------------
+ 1 file changed, 4 insertions(+), 88 deletions(-)
+
+Index: samba-4.3.11+dfsg/source3/rpc_server/winreg/srv_winreg_nt.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source3/rpc_server/winreg/srv_winreg_nt.c	2019-04-01 10:05:58.501027844 -0400
++++ samba-4.3.11+dfsg/source3/rpc_server/winreg/srv_winreg_nt.c	2019-04-01 10:08:08.905395997 -0400
+@@ -640,46 +640,6 @@ WERROR _winreg_AbortSystemShutdown(struc
+ }
+ 
+ /*******************************************************************
+- ********************************************************************/
+-
+-static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname )
+-{
+-	char *p = NULL;
+-	int num_services = lp_numservices();
+-	int snum = -1;
+-	const char *share_path = NULL;
+-	char *fname = *pp_fname;
+-
+-	/* convert to a unix path, stripping the C:\ along the way */
+-
+-	if (!(p = valid_share_pathname(ctx, fname))) {
+-		return -1;
+-	}
+-
+-	/* has to exist within a valid file share */
+-
+-	for (snum=0; snum<num_services; snum++) {
+-		if (!lp_snum_ok(snum) || lp_printable(snum)) {
+-			continue;
+-		}
+-
+-		share_path = lp_path(talloc_tos(), snum);
+-
+-		/* make sure we have a path (e.g. [homes] ) */
+-		if (strlen(share_path) == 0) {
+-			continue;
+-		}
+-
+-		if (strncmp(share_path, p, strlen(share_path)) == 0) {
+-			break;
+-		}
+-	}
+-
+-	*pp_fname = p;
+-	return (snum < num_services) ? snum : -1;
+-}
+-
+-/*******************************************************************
+  _winreg_RestoreKey
+  ********************************************************************/
+ 
+@@ -687,36 +647,11 @@ WERROR _winreg_RestoreKey(struct pipes_s
+ 			  struct winreg_RestoreKey *r)
+ {
+ 	struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
+-	char *fname = NULL;
+-	int snum = -1;
+ 
+-	if ( !regkey )
++	if ( !regkey ) {
+ 		return WERR_BADFID;
+-
+-	if ( !r->in.filename || !r->in.filename->name )
+-		return WERR_INVALID_PARAM;
+-
+-	fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
+-	if (!fname) {
+-		return WERR_NOMEM;
+ 	}
+-
+-	DEBUG(8,("_winreg_RestoreKey: verifying restore of key [%s] from "
+-		 "\"%s\"\n", regkey->key->name, fname));
+-
+-	if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1)
+-		return WERR_OBJECT_PATH_INVALID;
+-
+-	/* user must posses SeRestorePrivilege for this this proceed */
+-
+-	if ( !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_RESTORE)) {
+-		return WERR_ACCESS_DENIED;
+-	}
+-
+-	DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n",
+-		 regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
+-
+-	return reg_restorekey(regkey, fname);
++	return WERR_OBJECT_PATH_INVALID;
+ }
+ 
+ /*******************************************************************
+@@ -727,30 +662,11 @@ WERROR _winreg_SaveKey(struct pipes_stru
+ 		       struct winreg_SaveKey *r)
+ {
+ 	struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
+-	char *fname = NULL;
+-	int snum = -1;
+ 
+-	if ( !regkey )
++	if ( !regkey ) {
+ 		return WERR_BADFID;
+-
+-	if ( !r->in.filename || !r->in.filename->name )
+-		return WERR_INVALID_PARAM;
+-
+-	fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
+-	if (!fname) {
+-		return WERR_NOMEM;
+ 	}
+-
+-	DEBUG(8,("_winreg_SaveKey: verifying backup of key [%s] to \"%s\"\n",
+-		 regkey->key->name, fname));
+-
+-	if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1 )
+-		return WERR_OBJECT_PATH_INVALID;
+-
+-	DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n",
+-		 regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
+-
+-	return reg_savekey(regkey, fname);
++	return WERR_OBJECT_PATH_INVALID;
+ }
+ 
+ /*******************************************************************
diff -Nru samba-4.3.11+dfsg/debian/patches/series samba-4.3.11+dfsg/debian/patches/series
--- samba-4.3.11+dfsg/debian/patches/series	2018-11-16 14:50:50.000000000 +0000
+++ samba-4.3.11+dfsg/debian/patches/series	2019-04-01 14:10:16.000000000 +0000
@@ -107,3 +107,4 @@
 CVE-2018-14629.patch
 CVE-2018-16841.patch
 CVE-2018-16851.patch
+CVE-2019-3880.patch