In Debian, this was fixed in 7.7.0+dfsg-2+deb11u1 in bullseye(-security) - i.e., 7.7.0+dfsg-2 was still affected.
7.7.0+dfsg-3 includes a fix for a different CVE:
heimdal (7.7.0+dfsg-3) unstable; urgency=high
* Fix CVE-2021-3671: A null pointer de-reference was found in the way
samba kerberos server handled missing sname in TGS-REQ. Closes: #996586.
* Fix autoconf 2.7 issues
In focal, this was fixed in 7.7.0+dfsg-1ubuntu1.3 on Wed, 11 Jan 2023
* SECURITY UPDATE: invalid free
- debian/patches/CVE-2022-44640.patch: relocates a call to fprintf and
parameters when calling it in decode_type() in lib/asn1/gen_decode.c
and add a call to fprintf in free_type() in lib/asn1/gen_free.c.
- CVE-2022-44640
In jammy, we have 7.7.0+dfsg-3ubuntu1. As mentioned above, 7.7.0+dfsg-3 does not include the fix for the mentioned CVE. Moreover, our delta in this release is just the former delta being carried by the merge:
heimdal (7.7.0+dfsg-3ubuntu1) jammy; urgency=medium
* Merge with Debian unstable (LP: #1946860). Remaining changes:
- Disable lto, to regain dep on roken, otherwise dependencies on amd64
are different to i386 resulting in different files on amd64 and
i386. LP #1934936
- Remove symbol rk_closefrom@HEIMDAL_ROKEN_1.0 1.4.0+git20110226
(LP #1945787)
Therefore, this does seem to still be affected by the CVE, as reported.
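The changelog check made by hand in the comment above, as an added example that is not part of the original comment or of any Debian/Ubuntu tooling: it splits a Debian-format changelog into stanzas and reports which versions name a given CVE. The function names are hypothetical, the changelog text is trimmed from the excerpts quoted above, and the focal stanza header is constructed because only its version appears on the page.

```python
import re

# Stanza header of a Debian changelog: "package (version) distribution; urgency=..."
HEADER = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*) \((?P<ver>[^)]+)\) ", re.M)
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def cves_by_version(changelog):
    """Map each version in a changelog to the set of CVE ids its stanza mentions."""
    found = {}
    headers = list(HEADER.finditer(changelog))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog)
        found[h.group("ver")] = set(CVE.findall(changelog[h.end():end]))
    return found

def versions_fixing(changelog, cve):
    """Versions whose stanza names the CVE (empty list: no fix recorded)."""
    return [v for v, ids in cves_by_version(changelog).items() if cve in ids]

# jammy: the Ubuntu merge stanza on top of the Debian 7.7.0+dfsg-3 stanza (trimmed).
JAMMY = """\
heimdal (7.7.0+dfsg-3ubuntu1) jammy; urgency=medium
  * Merge with Debian unstable (LP: #1946860). Remaining changes:
    - Disable lto, to regain dep on roken
    - Remove symbol rk_closefrom@HEIMDAL_ROKEN_1.0 1.4.0+git20110226
      (LP #1945787)
heimdal (7.7.0+dfsg-3) unstable; urgency=high
  * Fix CVE-2021-3671: A null pointer de-reference was found in the way
    samba kerberos server handled missing sname in TGS-REQ. Closes: #996586.
  * Fix autoconf 2.7 issues
"""
# focal: header line constructed (distribution and urgency are assumptions).
FOCAL = """\
heimdal (7.7.0+dfsg-1ubuntu1.3) focal-security; urgency=medium
  * SECURITY UPDATE: invalid free
    - debian/patches/CVE-2022-44640.patch: relocates a call to fprintf
    - CVE-2022-44640
"""

if __name__ == "__main__":
    for name, text in (("jammy", JAMMY), ("focal", FOCAL)):
        hits = versions_fixing(text, "CVE-2022-44640")
        print(name, "fix recorded in:", hits or "no stanza")
```

A changelog that never names the CVE is evidence that the fix is missing, not proof, since a fix can also arrive through a new upstream version; the patch list in the source package settles it.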