samba4 package didn't bundle Heimdal
https://security-tracker.debian.org/tracker/CVE-2017-11103
Back when samba4 (which has been eviscerated to a client) was a
package, it linked against the system heimdal.
You can see this because it depends on heimdal.
https://packages.debian.org/wheezy/libsamba-credentials0
Additionally, the link the heimdal code has always been dynamic, not
static, it just changed from dynamic to the system libs to dynamic to
the vendored lib embedded in our tree with the Samba 4.2 packages.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Reply to: