The Samba-Bugzilla – Bug 12976
heimdal embedded copy: delete or keep up to date
Last modified: 2017-08-21 11:54:53 UTC
As noted in bug #12505, the embedded copy of heimdal in samba is outdated, at least in respect to the krb5_storage_free function and this seems to cause some crashes in samba at times. There are probably other bugs in samba's copy of heimdal that were fixed in heimdal upstream.
samba's copy of heimdal needs to either be deleted or constantly kept up to date with the latest upstream release. My personal preference would be to just delete it. Given the recent rate of heimdal upstream releases, deleting it would probably be less work in the long run. Given the recent security issue for heimdal (CVE-2017-11103), deleting it would probably result in less work for distro security teams, especially since samba builds take much longer than heimdal.
If there are modifications to samba's copy of heimdal then it will need to be kept up to date instead. If possible, any such modifications should be sent upstream to heimdal. If they are not appropriate for upstream, then the release process for samba should be adjusted to include a check for the latest heimdal upstream release version.