new file mode 100644
@@ -0,0 +1,131 @@
+From f21f87e0f64dc4aea8c9537f182282077ae6a37b Mon Sep 17 00:00:00 2001
+From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Date: Mon, 23 Feb 2026 11:01:57 +1300
+Subject: [PATCH] CVE-2026-3012: do not fetch certificate over http
+
+In the case where a certificate was found via HTTP, it was trusted
+without verification and put in the global CA store.
+
+There is no means to check the certificate other than by comparing it
+to certificates we may have gathered via LDAP, but in that case there
+is no advantage over just using the LDAP-derived certificates.
+
+Using the LDAP certificates was already the fallback case if HTTP
+failed, so we just make it the default.
+
+The HTTP fetch depends on the NDES service, which is a variant of
+Simple Certificate Enrolment Protocol (SCEP, RFC8894), but in fact
+Samba implements none of that protocol other than the HTTP fetch. SCEP
+is for clients that are not true domain members. Domain members can
+access to certificates over LDAP. This patch is not reducing SCEP
+client support because Samba never had it.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
+
+Reported-by: Arad Inbar, DREAM Security Research Team
+Reported-by: Nir Somech, DREAM Security Research Team
+Reported-by: Ben Grinberg, DREAM Security Research Team
+
+CVE: CVE-2026-3012
+Upstream-Status: Backport [https://gitlab.com/samba-team/samba/-/commit/f21f87e0f64dc4aea8c9537f182282077ae6a37b]
+
+Backport Changes:
+- Adapted python/samba/gp/gp_cert_auto_enroll_ext.py hunks to
+ Samba 4.19.9 context.
+- Omitted selftest/knownfail.d/gpo-auto-enrol because the Yocto
+ recipe does not run upstream Samba selftest.
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
+(cherry picked from commit f21f87e0f64dc4aea8c9537f182282077ae6a37b)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
+index df3b472..31de4b1 100644
+--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
+@@ -16,7 +16,6 @@
+
+ import os
+ import operator
+-import requests
+ from samba.gp.gpclass import gp_pol_ext, gp_applier, GPOSTATE
+ from samba import Ldb
+ from ldb import SCOPE_SUBTREE, SCOPE_BASE
+@@ -200,56 +199,24 @@ def get_supported_templates(server):
+ return out.strip().split()
+
+
+-def getca(ca, url, trust_dir):
+- """Fetch Certificate Chain from the CA."""
++def getca(ca, trust_dir):
++ """Fetch a certificate from LDAP."""
+ root_cert = os.path.join(trust_dir, '%s.crt' % ca['name'])
+ root_certs = []
+
+- try:
+- r = requests.get(url=url, params={'operation': 'GetCACert',
+- 'message': 'CAIdentifier'})
+- except requests.exceptions.ConnectionError:
+- log.warn('Failed to establish a new connection')
+- r = None
+- if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html':
+- log.warn('Failed to fetch the root certificate chain.')
+- log.warn('The Network Device Enrollment Service is either not' +
+- ' installed or not configured.')
+- if 'cACertificate' in ca:
+- log.warn('Installing the server certificate only.')
+- der_certificate = base64.b64decode(ca['cACertificate'])
+- try:
+- cert = load_der_x509_certificate(der_certificate)
+- except TypeError:
+- cert = load_der_x509_certificate(der_certificate,
+- default_backend())
+- cert_data = cert.public_bytes(Encoding.PEM)
+- with open(root_cert, 'wb') as w:
+- w.write(cert_data)
+- root_certs.append(root_cert)
+- return root_certs
+-
+- if r.headers['Content-Type'] == 'application/x-x509-ca-cert':
++ if 'cACertificate' in ca:
++ log.warn('Installing the server certificate only.')
++ der_certificate = base64.b64decode(ca['cACertificate'])
+ # Older versions of load_der_x509_certificate require a backend param
+ try:
+- cert = load_der_x509_certificate(r.content)
++ cert = load_der_x509_certificate(der_certificate)
+ except TypeError:
+- cert = load_der_x509_certificate(r.content, default_backend())
++ cert = load_der_x509_certificate(der_certificate,
++ default_backend())
+ cert_data = cert.public_bytes(Encoding.PEM)
+ with open(root_cert, 'wb') as w:
+ w.write(cert_data)
+ root_certs.append(root_cert)
+- elif r.headers['Content-Type'] == 'application/x-x509-ca-ra-cert':
+- certs = load_der_pkcs7_certificates(r.content)
+- for i in range(0, len(certs)):
+- cert = certs[i].public_bytes(Encoding.PEM)
+- filename, extension = root_cert.rsplit('.', 1)
+- dest = '%s.%d.%s' % (filename, i, extension)
+- with open(dest, 'wb') as w:
+- w.write(cert)
+- root_certs.append(dest)
+- else:
+- log.warn('getca: Wrong (or missing) MIME content type')
+
+ return root_certs
+
+@@ -273,8 +240,7 @@ def changed(new_data, old_data):
+ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
+ """Install the root certificate chain."""
+ data = dict({'files': [], 'templates': []}, **ca)
+- url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
+- root_certs = getca(ca, url, trust_dir)
++ root_certs = getca(ca, trust_dir)
+ data['files'].extend(root_certs)
+ global_trust_dir = find_global_trust_dir()
+ for src in root_certs:
+--
+2.43.0
new file mode 100644
@@ -0,0 +1,51 @@
+From 7337d99ed55c01cd5837029485cd971a48f761c2 Mon Sep 17 00:00:00 2001
+From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Date: Thu, 26 Feb 2026 14:21:01 +1300
+Subject: [PATCH] CVE-2026-3012: gp_auto_enrol: skip CAs not found in
+ LDAP
+
+If a certificate is mentioned in a GPO but is not present as a
+cACertificate attribute on a pKIEnrollmentService object, we have no way
+of obtaining it, so we might as well forget it.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
+
+CVE: CVE-2026-3012
+Upstream-Status: Backport [https://gitlab.com/samba-team/samba/-/commit/7337d99ed55c01cd5837029485cd971a48f761c2]
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
+(cherry picked from commit 7337d99ed55c01cd5837029485cd971a48f761c2)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+ python/samba/gp/gp_cert_auto_enroll_ext.py | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
+index 815436e11e9c..de8b310afd95 100644
+--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
+@@ -452,11 +452,21 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
+ # This is a basic configuration.
+ cas = fetch_certification_authorities(ldb)
+ for _ca in cas:
++ if 'cACertificate' not in _ca:
++ log.warning(f"ignoring CA '{_ca['name']}' with no "
++ "cACertificate in LDAP.")
++ continue
++
+ self.apply(guid, _ca, cert_enroll, _ca, ldb, trust_dir,
+ private_dir)
+ ca_names.append(_ca['name'])
+ # If EndPoint.URI starts with "HTTPS//":
+ elif ca['URL'].lower().startswith('https://'):
++ if 'cACertificate' not in ca:
++ log.warning(f"ignoring CA '{ca['name']}' "
++ f"({ca['URL']}) with no "
++ "cACertificate in LDAP.")
++ continue
+ self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir,
+ private_dir, auth=ca['auth'])
+ ca_names.append(ca['name'])
+--
+2.43.0
@@ -24,6 +24,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://0005-Fix-pyext_PATTERN-for-cross-compilation.patch \
file://0006-smbtorture-skip-test-case-tfork_cmd_send.patch \
file://0007-Deleted-settiong-of-python-to-fix-the-install-confli.patch \
+ file://CVE-2026-3012_p1.patch \
+ file://CVE-2026-3012_p2.patch \
"
SRC_URI:append:libc-musl = " \