git.ipfire.org Git - thirdparty/samba.git/commit
CVE-2026-3012: do not fetch certificate over http
author: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Sun, 22 Feb 2026 22:01:57 +0000 (11:01 +1300)
committer: Stefan Metzmacher <metze@samba.org>
Tue, 26 May 2026 12:51:32 +0000 (12:51 +0000)
commit: 4c2db6489be1364a8ce2841f7eedcd976fa1463b
tree: da0530a0828ba39b39eab1553b1a07ca02606aa7
parent: c03e7dcf5113c30c4466e5cf902f69d1c09164d0
CVE-2026-3012: do not fetch certificate over http

In the case where a certificate was found via HTTP, it was trusted
without verification and put in the global CA store.

There is no means to check the certificate other than by comparing it
to certificates we may have gathered via LDAP, but in that case there
is no advantage over just using the LDAP-derived certificates.

Using the LDAP certificates was already the fallback case if HTTP
failed, so we just make it the default.

The HTTP fetch depends on the NDES service, which is a variant of
Simple Certificate Enrolment Protocol (SCEP, RFC8894), but in fact
Samba implements none of that protocol other than the HTTP fetch. SCEP
is for clients that are not true domain members. Domain members can
access certificates over LDAP. This patch is not reducing SCEP
client support because Samba never had it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003

Reported-by: Arad Inbar, DREAM Security Research Team
Reported-by: Nir Somech, DREAM Security Research Team
Reported-by: Ben Grinberg, DREAM Security Research Team
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
python/samba/gp/gp_cert_auto_enroll_ext.py
selftest/knownfail.d/gpo-auto-enrol [new file with mode: 0644]