diff -Nru samba-4.8.4+dfsg/debian/changelog samba-4.8.4+dfsg/debian/changelog
--- samba-4.8.4+dfsg/debian/changelog 2018-11-16 13:15:02.000000000 +0000
+++ samba-4.8.4+dfsg/debian/changelog 2019-04-04 18:05:09.000000000 +0000
@@ -1,3 +1,21 @@
+samba (2:4.8.4+dfsg-2ubuntu2.3) cosmic-security; urgency=medium
+
+ * SECURITY UPDATE: save registry file outside share as unprivileged user
+ - debian/patches/CVE-2019-3880.patch: remove implementations of
+ SaveKey/RestoreKey in source3/rpc_server/winreg/srv_winreg_nt.c.
+ - CVE-2019-3880
+
+ -- Marc Deslauriers Thu, 04 Apr 2019 14:05:09 -0400
+
+samba (2:4.8.4+dfsg-2ubuntu2.2) cosmic; urgency=medium
+
+ * Backport function to set protocol levels (LP: #1778322):
+ - d/p/add-smbc_setOptionProtocols.patch: add function to set protocol
+ levels
+ - d/libsmbclient.symbols: add smbc_setOptionProtocols
+
+ -- Andreas Hasenack Thu, 28 Mar 2019 21:45:02 -0300
+
 samba (2:4.8.4+dfsg-2ubuntu2.1) cosmic-security; urgency=medium
 
 * SECURITY UPDATE: Unprivileged adding of CNAME record causing loop in AD
diff -Nru samba-4.8.4+dfsg/debian/libsmbclient.symbols samba-4.8.4+dfsg/debian/libsmbclient.symbols
--- samba-4.8.4+dfsg/debian/libsmbclient.symbols 2018-10-09 17:32:16.000000000 +0000
+++ samba-4.8.4+dfsg/debian/libsmbclient.symbols 2019-03-29 00:45:02.000000000 +0000
@@ -160,6 +160,7 @@
 smbc_setOptionNoAutoAnonymousLogin@SMBCLIENT_0.1.0 2:4.0.3+dfsg1
 smbc_setOptionOneSharePerServer@SMBCLIENT_0.1.0 2:4.0.3+dfsg1
 smbc_setOptionOpenShareMode@SMBCLIENT_0.1.0 2:4.0.3+dfsg1
+ smbc_setOptionProtocols@SMBCLIENT_0.3.1 2:4.8.4+dfsg-2ubuntu2.2~
 smbc_setOptionSmbEncryptionLevel@SMBCLIENT_0.1.0 2:4.0.3+dfsg1
 smbc_setOptionUrlEncodeReaddirEntries@SMBCLIENT_0.1.0 2:4.0.3+dfsg1
 smbc_setOptionUseCCache@SMBCLIENT_0.1.0 2:4.0.3+dfsg1
diff -Nru samba-4.8.4+dfsg/debian/patches/add-smbc_setOptionProtocols.patch samba-4.8.4+dfsg/debian/patches/add-smbc_setOptionProtocols.patch
--- samba-4.8.4+dfsg/debian/patches/add-smbc_setOptionProtocols.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.8.4+dfsg/debian/patches/add-smbc_setOptionProtocols.patch 2019-03-29 00:45:02.000000000 +0000
@@ -0,0 +1,61 @@
+Description: s3:libsmbclient: Add function to set protocol levels
+Author: Andreas Schneider
+Origin: https://github.com/samba-team/samba/commit/0dae4e2f5c65167fdb2405e232436921a0bb17e6
+Origin: https://github.com/samba-team/samba/commit/885435e8a4dc561749b880f8be7a32041fa954ec
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1778322
+Last-Update: 2019-03-28
+--- a/source3/include/libsmbclient.h
++++ b/source3/include/libsmbclient.h
+@@ -775,7 +775,24 @@
+ void
+ smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b);
+
+-
++/**
++ * @brief Set the 'client min protocol' and the 'client max protocol'.
++ *
++ * IMPORTANT: This overrrides the values 'client min protocol' and 'client max
++ * protocol' set in the smb.conf file!
++ *
++ * @param[in] c The smbc context to use.
++ *
++ * @param[in] min_proto The minimal protocol to use or NULL for leaving it
++ * untouched.
++ *
++ * @param[in] max_proto The maximum protocol to use or NULL for leaving it
++ * untouched.
++ *
++ * @returns true for success, false otherwise
++ */
++smbc_bool
++smbc_setOptionProtocols(SMBCCTX *c, const char *min_proto, const char *max_proto);
+
+ /*************************************
+ * Getters and setters for FUNCTIONS *
+--- a/source3/libsmb/libsmb_setget.c
++++ b/source3/libsmb/libsmb_setget.c
+@@ -503,6 +503,24 @@
+ }
+ }
+
++smbc_bool
++smbc_setOptionProtocols(SMBCCTX *c,
++ const char *min_proto,
++ const char *max_proto)
++{
++ bool ok = true;
++
++ if (min_proto != NULL) {
++ ok = lp_set_cmdline("client min protocol", min_proto);
++ }
++
++ if (max_proto != NULL) {
++ ok &= lp_set_cmdline("client max protocol", max_proto);
++ }
++
++ return ok;
++}
++
+ /** Get the function for obtaining authentication data */
+ smbc_get_auth_data_fn
+ smbc_getFunctionAuthData(SMBCCTX *c)
diff -Nru samba-4.8.4+dfsg/debian/patches/CVE-2019-3880.patch samba-4.8.4+dfsg/debian/patches/CVE-2019-3880.patch
--- samba-4.8.4+dfsg/debian/patches/CVE-2019-3880.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.8.4+dfsg/debian/patches/CVE-2019-3880.patch 2019-04-01 14:03:02.000000000 +0000
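Review bot: In `smbc_setOptionProtocols` (the libsmb_setget.c part of add-smbc_setOptionProtocols.patch) the `SMBCCTX *c` argument is never read, and both values go through `lp_set_cmdline()`, which looks like a process-wide parameter override rather than per-context state. The header comment in libsmbclient.h should say so, for example by adding ` * NOTE: the setting is global; it affects every SMBCCTX in the process, not only c.`, so a caller that lowers 'client min protocol' for one legacy server knows it lowers the protocol floor for all of its connections. The function can also return false after the min value has already been applied, when only the max value is rejected; the `@returns` line should mention that a false result may leave one of the two values changed.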
@@ -0,0 +1,151 @@ +From 0a392c982aca2150c8350582148abd7b2af782f8 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 21 Mar 2019 14:51:30 -0700 +Subject: [PATCH] CVE-2019-3880 s3: rpc: winreg: Remove implementations of + SaveKey/RestoreKey. + +The were not using VFS backend calls and could only work +locally, and were unsafe against symlink races and other +security issues. + +If the incoming handle is valid, return WERR_BAD_PATHNAME. + +[MS-RRP] states "The format of the file name is implementation-specific" +so ensure we don't allow this. + +As reported by Michael Hanselmann. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851 + +Signed-off-by: Jeremy Allison +Reviewed-by: Andrew Bartlett +--- + source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++----------------------------- + 1 file changed, 4 insertions(+), 88 deletions(-) + +diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c +index d9ee8d0602d..816c6bb2a12 100644 +--- a/source3/rpc_server/winreg/srv_winreg_nt.c ++++ b/source3/rpc_server/winreg/srv_winreg_nt.c +@@ -640,46 +640,6 @@ WERROR _winreg_AbortSystemShutdown(struct pipes_struct *p, + } + + /******************************************************************* +- ********************************************************************/ +- +-static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname ) +-{ +- char *p = NULL; +- int num_services = lp_numservices(); +- int snum = -1; +- const char *share_path = NULL; +- char *fname = *pp_fname; +- +- /* convert to a unix path, stripping the C:\ along the way */ +- +- if (!(p = valid_share_pathname(ctx, fname))) { +- return -1; +- } +- +- /* has to exist within a valid file share */ +- +- for (snum=0; snumin.handle ); +- char *fname = NULL; +- int snum = -1; + +- if ( !regkey ) ++ if ( !regkey ) { + return WERR_INVALID_HANDLE; +- +- if ( !r->in.filename || !r->in.filename->name ) +- return WERR_INVALID_PARAMETER; +- +- fname = 
talloc_strdup(p->mem_ctx, r->in.filename->name); +- if (!fname) { +- return WERR_NOT_ENOUGH_MEMORY; + } +- +- DEBUG(8,("_winreg_RestoreKey: verifying restore of key [%s] from " +- "\"%s\"\n", regkey->key->name, fname)); +- +- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1) +- return WERR_BAD_PATHNAME; +- +- /* user must posses SeRestorePrivilege for this this proceed */ +- +- if ( !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_RESTORE)) { +- return WERR_ACCESS_DENIED; +- } +- +- DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n", +- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) )); +- +- return reg_restorekey(regkey, fname); ++ return WERR_BAD_PATHNAME; + } + + /******************************************************************* +@@ -727,30 +662,11 @@ WERROR _winreg_SaveKey(struct pipes_struct *p, + struct winreg_SaveKey *r) + { + struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle ); +- char *fname = NULL; +- int snum = -1; + +- if ( !regkey ) ++ if ( !regkey ) { + return WERR_INVALID_HANDLE; +- +- if ( !r->in.filename || !r->in.filename->name ) +- return WERR_INVALID_PARAMETER; +- +- fname = talloc_strdup(p->mem_ctx, r->in.filename->name); +- if (!fname) { +- return WERR_NOT_ENOUGH_MEMORY; + } +- +- DEBUG(8,("_winreg_SaveKey: verifying backup of key [%s] to \"%s\"\n", +- regkey->key->name, fname)); +- +- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1 ) +- return WERR_BAD_PATHNAME; +- +- DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n", +- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) )); +- +- return reg_savekey(regkey, fname); ++ return WERR_BAD_PATHNAME; + } + + /******************************************************************* +-- +2.11.0 + diff -Nru samba-4.8.4+dfsg/debian/patches/series samba-4.8.4+dfsg/debian/patches/series --- samba-4.8.4+dfsg/debian/patches/series 2018-11-16 13:14:57.000000000 +0000 +++ 
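Review bot: The stubbed bodies of `_winreg_RestoreKey` and `_winreg_SaveKey` return `WERR_BAD_PATHNAME` for every valid handle, but nothing in the code says this is deliberate; the reason (no VFS backend calls, symlink races) lives only in the commit message. A comment above each `return WERR_BAD_PATHNAME;`, such as `/* Deliberately not implemented (CVE-2019-3880): any file access here must go through the VFS. */`, would keep a later change from restoring the old path handling. As far as the hunk shows, the removed bodies also held the only `DEBUG` lines for these two calls, so a client invoking SaveKey or RestoreKey now leaves no log entry; one line such as `DEBUG(3, ("_winreg_SaveKey: not supported\n"));` would keep such requests visible to operators. Part of this hunk's text is missing on the page (the end of `validate_reg_filename` and the start of `_winreg_RestoreKey`), so only the visible stubs are covered here.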
samba-4.8.4+dfsg/debian/patches/series 2019-04-04 18:04:55.000000000 +0000
@@ -14,3 +14,5 @@
 CVE-2018-16841-1.patch
 CVE-2018-16841-2.patch
 CVE-2018-16851.patch
+add-smbc_setOptionProtocols.patch
+CVE-2019-3880.patch