Comment 1 for bug 2054916

Athos Ribeiro (athos-ribeiro) wrote :

In Debian, this was fixed in 7.7.0+dfsg-2+deb11u1 in bullseye(-security) - i.e., 7.7.0+dfsg-2 was still affected.

7.7.0+dfsg-3 includes a fix for a different CVE:

heimdal (7.7.0+dfsg-3) unstable; urgency=high

  * Fix CVE-2021-3671: A null pointer de-reference was found in the way
    samba kerberos server handled missing sname in TGS-REQ. Closes: #996586.
  * Fix autoconf 2.7 issues

In focal, this was fixed in 7.7.0+dfsg-1ubuntu1.3 on Wed, 11 Jan 2023:

  * SECURITY UPDATE: invalid free
    - debian/patches/CVE-2022-44640.patch: relocates a call to fprintf and
      parameters when calling it in decode_type() in lib/asn1/gen_decode.c
      and add a call to fprintf in free_type() in lib/asn1/gen_free.c.
    - CVE-2022-44640

In jammy, we have 7.7.0+dfsg-3ubuntu1. As mentioned above, 7.7.0+dfsg-3 does not include the fix for the mentioned CVE. Moreover, our delta in this release is just the former delta being carried by the merge:

heimdal (7.7.0+dfsg-3ubuntu1) jammy; urgency=medium

  * Merge with Debian unstable (LP: #1946860). Remaining changes:
    - Disable lto, to regain dep on roken, otherwise dependencies on amd64
      are different to i386 resulting in different files on amd64 and
      i386. LP #1934936
    - Remove symbol rk_closefrom@HEIMDAL_ROKEN_1.0 1.4.0+git20110226
      (LP #1945787)

Therefore, this does seem to still be affected by the CVE, as reported.