===========================================================
== Subject:     Incorrect ACL get/set allowed on symlink path.
==
== CVE ID#:     CVE-2015-7560
==
== Versions:    Samba 3.2.0 to 4.4.0rc3
==
== Summary:     Authenticated client could cause Samba to
==              overwrite ACLs with incorrect owner/group.
==
===========================================================

===========
Description
===========

All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to
a malicious client overwriting the ownership of ACLs using symlinks.

An authenticated malicious client can use SMB1 UNIX extensions to
create a symlink to a file or directory, and then use non-UNIX SMB1
calls to overwrite the contents of the ACL on the file or directory
linked to.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.4.0rc4, 4.3.6, 4.2.9 and 4.1.23 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at https://www.samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

Add the parameter:

unix extensions = no

to the [global] section of your smb.conf and restart smbd.

Alternatively, prohibit the use of SMB1 by setting the parameter:

server min protocol = SMB2

in the [global] section of your smb.conf and restart smbd.
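
The following is an added example, not part of the original advisory or of Samba's code: a small smb.conf check that reports whether either workaround above is in effect. The function names and sample configuration are constructed for illustration; unset parameters are assumed to be at the affected releases' defaults (unix extensions = yes, server min protocol = LANMAN1), and include files are not followed.

```python
import re

FALSE_VALUES = {"no", "false", "0", "off"}
ALIASES = {"minprotocol": "serverminprotocol"}  # "min protocol" is a synonym

# Constructed sample: both workaround lines are absent from [global].
SAMPLE = """[global]
   workgroup = EXAMPLE
   ; unix extensions = no
   min protocol = NT1
[share]
   unix extensions = no
"""

def global_params(text):
    """Return {normalized name: value} for the [global] section."""
    params, section = {}, None
    text = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            key = re.sub(r"\s+", "", key).lower()
            params[ALIASES.get(key, key)] = value.strip()
    return params

def workaround_status(text):
    """Report which of the advisory's two workarounds is in effect."""
    p = global_params(text)
    # Assumed defaults when unset: unix extensions = yes, min protocol = LANMAN1.
    unix_off = p.get("unixextensions", "yes").lower() in FALSE_VALUES
    proto = p.get("serverminprotocol", "LANMAN1").upper()
    # Fail closed: only SMB2/SMB3 dialect names count as "SMB1 prohibited".
    smb1_off = proto.startswith(("SMB2", "SMB3"))
    return {"unix_extensions_off": unix_off, "smb1_off": smb1_off,
            "mitigated": unix_off or smb1_off}

if __name__ == "__main__":
    print(workaround_status(SAMPLE))
```

On a live server, testparm shows the effective values after includes and defaults are resolved; the workaround takes effect only once smbd has been restarted.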

=======
Credits
=======

This problem was found by Jeremy Allison of Google, Inc. and the Samba
Team, who also provided the fix.